ArchLinux, SELinux, and You: A Trip Down the Rabbit Hole

That is a damned secure castle.

THIS GUIDE IS A DRAFT

For right now, the steps are going through validation. I'm sure that it's pretty solid, but this is more of a preview of what to expect. I'm currently having problems with the selinux-systemd package, which I'm working on as we speak. I don't think it's a major problem and I'm 90% sure it's due to something I've tweaked on my development sandbox, but it's still a warning: THIS IS A DRAFT!

Introduction

This guide started out with the ArchWiki SELinux page and ended up being a bit more involved. I'm not going to explain how to set up your machine to access the AUR, but I ended up using Yaourt (an AUR helper) to do this guide.

A Forewarning

In this guide, I will use a few colorful boxes to show warnings and simple BASH code. Anything complex gets its own section of fancifully colored GeSHi code to help with readability.

Also, this is an install guide. It's pretty long, and I figured that this should clear up some of the bigger issues with installing it. I will be working on the configuration part of this guide, but it's approaching 3,000 words and I want to at least get something out the door.

Warnings

Warnings will be dispersed throughout, spelling out the consequences of not reading everything, or of what happens if some command decides to eat itself. They'll look like the following:

WARNING

Just like the ArchWiki article for SELinux, this procedure can turn your machine into a box of frustration. Also a good example of when to slow down and read.

Code

Basic commands will look like this:

CODE

#!/usr/bin/python2
from awesome import arch
print arch.cool()

Initial Setup

There are a ton of SELinux packages available. If you were to execute yaourt -Ss selinux, you would see approximately 30 packages. Many of these we are going to install. Some of these we will ignore due to the fact that there are multiple versions of the same package.

The first package we are going to install is selinux-pam. This package will replace the entire authentication subsystem with its SELinux-enabled version.

WARNING

If this goes horribly wrong (or just fails), this could leave your system in a very, very bad place. This would probably be a good time to verify that you've got a backup install CD ready in the event of the ArchLinux apocalypse.

Also, this package is selinux-pam which should remind you not to run this install as any user other than root! That's right, a security guy telling you to either (1) login as root, or (2) su into root. PAM (short for pluggable authentication modules) is the brains behind authentication on Linux so if it goes belly up, so does your system.

To install selinux-pam, execute the following command(s):

CODE

root@localhost ~ # yaourt -S selinux-pam
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> n

==> selinux-pam dependencies:
 - selinux-pambase (building from AUR)
 - selinux-usr-libselinux (building from AUR)

==> selinux-pam conflicts:
 - pam-1.1.6-1

==> Continue building selinux-pam ? [Y/n]
==> -------------------------------------------
==> y

This will lead you down the less traveled path. You'll have to answer a few more sets of questions but if you keep this in mind you will have no issues (yet): DON'T CHANGE ANYTHING! The defaults are perfect in this case and do not need to be tweaked. Just answer yes to the "building" and "install" questions and we'll continue onward:

CODE

==> Continue installing selinux-pam ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

You will also end up installing selinux-pambase, selinux-usr-libselinux, selinux-usr-libsepol from the AUR.

You will see a warning imploring you to not run yaourt as root. Ignore it. In this instance, not running as root could have dire consequences. Also, it will confront you with a question saying that package selinux-xxxxx is in conflict with xxxxx. Don't worry about this, you're replacing the xxxxx with the SELinux-enabled version so say "yes".

After a few minutes of compiling and quite a few "y" and "n" answers, you should have selinux-pam installed successfully on the system.

The Core Utilities

Without this package, you cannot install the kernel. This is something that I realized after trying to jump right into compiling the linux-selinux package. The next step is to actually install the selinux-coreutils package to prepare for the linux-selinux package.

Now, exit out of the root account. I'm assuming that you're somewhat security conscious and have sudo set up. If not: stop what you're doing and set that up. I'll wait.

Okay, as a regular user that can use sudo, enter yaourt -S selinux-coreutils and press Enter.

TO INSTALL

yaourt -S selinux-coreutils

Once this is completed, we shall move on to the new SELinux-enabled kernel.

The Kernel

Why now you ask? I say why not. Also, we've settled all of the dependencies needed to compile this kernel.

Let's get this thing going with a simple command that may take a long time. But before we do:

WARNING

If you don't have at least 1.5GiB of /tmp space available, there is a significant chance that this compile will fail. This means that if you tried to run this guide on a crappy Core2Duo system with a 1 GiB /tmp folder, you would have to do this very time consuming process again which will make you want to throw your computer at someone.

If your /tmp lives in RAM and doesn't have enough space, edit the /etc/yaourtrc file, find the line beginning with #TMPDIR, uncomment it, and point it at a place on your hard drive with enough room to let the code compile. Trust me, I learned this the hard way.
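A preflight check for the point above, added here as an example and not part of the original guide: it works out which directory yaourt will build in (TMPDIR from /etc/yaourtrc, else /tmp) and confirms it has the 1.5 GiB the kernel build needs. It assumes yaourtrc sets the directory with a line of the form TMPDIR="/path", commented out with a leading '#' by default.

```shell
#!/bin/sh
# Added example, not from the guide: preflight check for the linux-selinux
# build directory. Assumption: /etc/yaourtrc uses a TMPDIR="/path" line that
# is commented out with '#' until you enable it.

MIN_KIB=$((1536 * 1024))   # 1.5 GiB in KiB, the unit that df -Pk prints

# yaourt_tmpdir [RCFILE]: print the active TMPDIR from RCFILE, or /tmp when
# the line is absent or still commented out.
yaourt_tmpdir() {
    rc=${1:-/etc/yaourtrc}
    dir=""
    if [ -r "$rc" ]; then
        dir=$(sed -n 's/^[[:space:]]*TMPDIR=//p' "$rc" | tail -n 1 | tr -d '"')
    fi
    printf '%s\n' "${dir:-/tmp}"
}

# free_kib DIR: available KiB on the filesystem holding DIR (POSIX df output,
# column 4 of the second line). Prints nothing if DIR does not exist.
free_kib() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# check_build_space [DIR]: succeed only if DIR (default: the yaourt build dir)
# has at least MIN_KIB free. Returns 1 when too small, 2 when DIR is unusable.
check_build_space() {
    dir=${1:-$(yaourt_tmpdir)}
    avail=$(free_kib "$dir")
    if [ -z "$avail" ]; then
        echo "$dir: not found or not mounted" >&2
        return 2
    fi
    if [ "$avail" -ge "$MIN_KIB" ]; then
        echo "$dir: $((avail / 1024)) MiB free, enough for the kernel build"
    else
        echo "$dir: only $((avail / 1024)) MiB free; set TMPDIR in /etc/yaourtrc to a roomier location" >&2
        return 1
    fi
}
```

Run check_build_space before yaourt -S linux-selinux; a non-zero exit means fix TMPDIR first rather than after a failed compile.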

Okay, as a regular user that can use sudo, enter yaourt -S linux-selinux and press Enter.

CODE RUN AS A REGULAR USER

$ yaourt -S linux-selinux

Again, we're only going to go with the defaults on this one. There's no real reason to tinker with anything here, and those who know they need something special have already started ignoring parts of this guide.

This is the long step. Grab a cup of coffee (or a rum and Coke if you're so inclined) and wait.

Once it's completed, you will be greeted with the following:

TO INSTALL THE KERNEL

==> Continue installing linux-selinux ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

[sudo] password for jweatherly: ********

After a few seconds, you should have a new kernel installed! This is a good thing, but we're not quite there yet. The new kernel needs to be put into your /boot/grub/grub.cfg file (if you're using grub2).

WARNING

Remember to change the following code to reflect your actual setup!

GRUB2-BIOS UPDATE PROCEDURE

$ sudo -i
# cd /boot/grub
# grub-mkconfig > grub.cfg
# grub-install /dev/sda
# reboot

Other SELinux Packages

There are quite a few packages left to install from the AUR. We will need all of them so that our system can actually utilize SELinux properly. However, we can install a majority of these in one fell swoop. There are a few "bumps" that need to be addressed before the swooping, though.

First, however, we need to install the selinux-usr-libsemanage package. I know of at least one package that depends upon it being there---I'm looking at you selinux-shadow---so let's get that one out of the way.

INSTALL SEMANAGE LIBRARY

$ yaourt -S selinux-usr-libsemanage

Next, let's tackle the selinux-usr-policycoreutils. This package needs to be massaged a bit to get it to install.

INSTALL POLICYCOREUTILS

$ yaourt -S selinux-usr-policycoreutils
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> Y

In the PKGBUILD file, look for the line that starts with build() beneath the section that starts with sha256sums. We will be adding two lines to that function: the two sed calls that append -O2 to the setfiles and sestatus Makefiles, so the function ends up looking like this:

EDIT PKGBUILD

build() {
  cd "${srcdir}/${_origname}-${pkgver}"
  sed -i -e "s/-Werror -Wall -W/-Werror -Wall -W -O2/" "setfiles/Makefile"
  sed -i -e "s/-Werror -Wall -W/-Werror -Wall -W -O2/" "sestatus/Makefile"
  sed -i -e "s/shell python -c/shell python2 -c/" "semanage/Makefile"
  sed -i -e "s/shell python -c/shell python2 -c/" "sandbox/Makefile"

  patch -Np1 -i ../${_origname}-seunshare.diff
  make
}

WARNING

If you get the following error, you didn't change the part you were supposed to or you simply ignored the previous code section.

In file included from /usr/include/fts.h:35:0,
                 from restore.h:6,
                 from setfiles.c:1:
/usr/include/features.h:330:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
 #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
    ^
cc1: all warnings being treated as errors
make[1]: *** [setfiles.o] Error 1
make[1]: Leaving directory `/home/temp/yaourt-tmp-jweatherly/aur-selinux-usr-policycoreutils/src/policycoreutils-2.1.13/setfiles'
make: *** [all] Error 1
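If you would rather not hand-edit the PKGBUILD every time yaourt re-downloads it, the following script applies the two -O2 lines from the section above and verifies they are present before the build starts. It is an added example, not part of the guide or of the AUR package; the function names and the insertion point (directly after the cd at the top of build()) are my own choices.

```shell
#!/bin/sh
# Added example, not from the guide: insert the two -O2 sed lines into a
# selinux-usr-policycoreutils PKGBUILD so the build does not die with
# "_FORTIFY_SOURCE requires compiling with optimization (-O)".

# The two lines the guide adds, one per Makefile that trips the error.
O2_SETFILES='  sed -i -e "s/-Werror -Wall -W/-Werror -Wall -W -O2/" "setfiles/Makefile"'
O2_SESTATUS='  sed -i -e "s/-Werror -Wall -W/-Werror -Wall -W -O2/" "sestatus/Makefile"'

# has_o2_fix PKGBUILD: succeed if both lines are already present.
has_o2_fix() {
    grep -qF -- "$O2_SETFILES" "$1" && grep -qF -- "$O2_SESTATUS" "$1"
}

# add_o2_fix PKGBUILD: insert the two lines after the first 'cd "...' line
# inside build(). Idempotent, so running it twice does not duplicate them.
add_o2_fix() {
    f=$1
    has_o2_fix "$f" && return 0
    grep -q '^build()' "$f" || { echo "$f: no build() function" >&2; return 1; }
    awk -v l1="$O2_SETFILES" -v l2="$O2_SESTATUS" '
        { print }
        inbuild && !done && /^[[:space:]]*cd "/ { print l1; print l2; done = 1 }
        /^build\(\)/ { inbuild = 1 }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    has_o2_fix "$f"
}
```

Answer "Y" to yaourt's "Edit PKGBUILD?" prompt, then run add_o2_fix on the file it opens; has_o2_fix alone is enough to confirm the fix survived a re-download.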

The packages that we will install next: selinux-cronie, selinux-findutils, selinux-flex, selinux-logrotate, selinux-openssh, selinux-psmisc, and selinux-refpolicy. We'll install them all in one go with a single yaourt command:

A LONG YAOURT COMMAND

$ yaourt -S selinux-cronie \
selinux-findutils \
selinux-flex \
selinux-logrotate \
selinux-openssh \
selinux-psmisc \
selinux-refpolicy

This will involve answering quite a few prompts (again, change nothing) as these packages build and install. It won't take as long as the kernel compile, but it will take a few minutes.

SWIG and the Package selinux-setools

This will be the difficult part. There are multiple changes to the PKGBUILD file that need to be applied before you can even think about it compiling successfully.

Before those changes, we need to deal with the SWIG package.

Installing SWIG

First, you'll need to download the SWIG package from the Arch Rollback Machine. All you'll need to do is look for the swig-2.0.4-3 package and download it.

Second, in the directory you downloaded the swig package to, install the package via pacman -U swig-2.0.4-3-x86_64.pkg.tar.xz.

WARNING

Remember, your package may have a different name. For example, the 32-bit x86 package name is swig-2.0.4-3-i686.pkg.tar.xz.

selinux-setools

Let's deal with a problem-child package: selinux-setools. The package requires a few major changes (which we will take care of by editing the PKGBUILD file) and installing an older version of SWIG.

The first package we're going to install is java-environment, via sudo pacman -S java-environment. Afterwards, log out of your account and log back in. This is needed to set the JAVA_HOME environment variable.

To install, let's start with the simple command yaourt -S selinux-setools.

SELINUX-TOOLS FIRST RUN

$ yaourt -S selinux-setools
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> y

Around line 14, there is the line that starts with optdepends. We need to remove the parts that say :needed to build graphical tools on that line and the two below it (basically for glib2, gtk2, and bwidget). So, make that portion of the file look like this:

PKGBUILD

optdepends=('glib2'
'gtk2>=2.8'
'bwidget>=1.8')

We will have to fix one of the Makefiles in this package, because it looks for a file that the package doesn't actually provide. Left alone, this makes the build error out and fail every time.

In the PKGBUILD file, we will need to edit the build() function to make the appropriate change. Around line 37, make the build() function look like this:

MORE PKGBUILD

build() {
  cd "${srcdir}/${_origname}-${pkgver}"

  # Python 2 fix
  export PYTHON=/usr/bin/python2

  # Apply Fedora patches
  autoreconf -vfi # This is needed to generate Makefile.in for one of the patches
  patch -Np1 -i "${srcdir}/0001-add-setools-seinfo-and-sesearch-python-bindings.patch"
  patch -Np1 -i "${srcdir}/0002-setools-should-exit-with-an-error-status-if-it-gets-.patch"
  patch -Np1 -i "${srcdir}/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch"
  patch -Np1 -i "${srcdir}/0004-Fix-man-pages-and-getoptions.patch"
  patch -Np1 -i "${srcdir}/0005-Fix-sepol-calls-to-work-with-latest-libsepol.patch"
  patch -Np1 -i "${srcdir}/0006-Changes-to-support-named-file_trans-rules.patch"
  patch -Np1 -i "${srcdir}/0007-Remove-unused-variables.patch"
  patch -Np1 -i "${srcdir}/0008-Fix-output-to-match-policy-lines.patch"

  # Fix expected version of SWIG
  sed -i -e "s|AC_PROG_SWIG(1.3.28)|AC_PROG_SWIG(2.0.0)|g" configure.ac
  autoreconf -i -s
  # Arch uses a rather nonstandard directory for policy sources
  ./configure \
    --enable-swig-java \
    --with-java-prefix="$JAVA_HOME" \
    --with-default-policy=/etc/selinux/refpolicy/src/policy \
    --disable-bwidget-check \
    --prefix=/usr

  # Fix the SWIGTYPE_p_int.java issue by removing the first reference to it
  sed -i -e "0,/SWIGTYPE_p_int\.java/{/SWIGTYPE_p_int\.java/d}" libqpol/swig/java/Makefile

  # Make the package
  make
}

Now, save and let's proceed. You'll have to tell yaourt that we don't need to edit the PKGBUILD file again.

LET'S GET IT DONE

==> Continue building selinux-setools ? [Y/n]
==> ------------------------------------------
==> y

==> Continue installing selinux-setools ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

After a few minutes, you will have selinux-setools installed on your machine.

The Rest of the Packages

First, backup your /etc/sudoers file. The selinux-sudo package is like honeybadger and doesn't give a crap about what's in it now.

Now, we need to install the rest of the SELinux packages. The rest include: selinux-shadow, selinux-sudo, selinux-systemd, selinux-usr-checkpolicy, and selinux-util-linux. Just run the following command and answer the prompts appropriately:

THE REST OF THE STORY

$ yaourt -S selinux-shadow \
selinux-sudo \
selinux-systemd \
selinux-usr-checkpolicy \
selinux-util-linux

Finally, we will install the audit package. This is so we can see the output of SELinux and where it's getting angry at everything. Your AVC denials will show up in /var/log/audit which will help troubleshoot issues pertaining to misconfigured contexts.

INSTALL AUDIT

pacman -S audit
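Once auditd is logging, the first thing you will want is a quick tally of what is being denied. The script below is an added example, not part of the guide; it summarises AVC denials by process, source and target context, class and permission. The audit lines in it are constructed samples in the standard kernel AVC format, not from a real machine.

```shell
#!/bin/sh
# Added example, not from the guide: summarise AVC denials from audit.log the
# way you would when chasing a mislabelled context after this install.
# SAMPLE_AUDIT holds constructed log lines for offline use.

SAMPLE_AUDIT='type=AVC msg=audit(1360000001.123:45): avc:  denied  { read } for  pid=812 comm="sshd" name="sshd_config" dev="sda1" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1360000001.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/bin/sshd"
type=AVC msg=audit(1360000002.456:46): avc:  denied  { write } for  pid=990 comm="crond" name="cron.log" dev="sda1" ino=5678 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1360000003.789:47): avc:  denied  { read } for  pid=813 comm="sshd" name="sshd_config" dev="sda1" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary [FILE]: one line per distinct denial (process, source context,
# target context, class, permissions) with a count, most frequent first.
# FILE defaults to the audit log; pass "-" to read stdin.
avc_summary() {
    grep 'avc:  denied' "${1:-/var/log/audit/audit.log}" | awk '
    {
        perm = ""; comm = ""; sc = ""; tc = ""; cls = ""
        # the permission set sits between braces: "{ read }" or "{ read write }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "scontext") sc = kv[2]
            else if (kv[1] == "tcontext") tc = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        gsub(/"/, "", comm)
        n[comm " " sc " -> " tc " " cls " {" perm "}"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}
```

If auditd is not running, the kernel prints AVC messages to the kernel log instead, so check dmesg or the journal before concluding there are no denials.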

A Final Word

This guide really only covers installation. I will work on how to get everything configured and up and running in the next blog article. If you need a general idea of how to configure anything, I would hit up the Arch Wiki for SELinux, which should give you a good idea of how to set various things.

©2007-2012 Jason Weatherly