Colossus Work Report #2: installing SELinux on Debian
In this article we will set up the main SELinux tools and find out that it is better to use libvirt with virsh for easier VM manipulation.
Setting up ssh on a qemu virtual machine
To be able to use ssh with qemu we should launch it with:
qemu-system-x86_64 -hdb debian_sid.qcow -m 1024 -display gtk -enable-kvm -netdev user,id=network0,net=10.0.0.0/24,host=10.0.0.1,hostfwd=tcp::7777-:22 -device virtio-net,netdev=network0
To connect via ssh, install openssh-server on the guest and allow root ssh access:
apt install openssh-server
and change PermitRootLogin in /etc/ssh/sshd_config to yes.
To connect use:
ssh root@localhost -p7777
More preparations
We can permanently add /sbin to our PATH variable. In order to do it, add to /etc/login.defs:
ALWAYS_SET_PATH yes
Upgrade our system:
apt update && apt upgrade
Let’s install git:
apt install git
Installing SELinux
First, we should install the SELinux tools:
apt install setools selinux-utils selinux-policy-src secilc policycoreutils selinux-basics
After that, we should clone the up-to-date SELinux Reference Policy:
git clone https://github.com/SELinuxProject/refpolicy
In this policy we should change some parameters. In build.conf:
TYPE = mcs
NAME = refpolicy_mcs
DISTRO = debian
SYSTEMD = y
UBAC = n
In /etc/selinux/config:
SELINUXTYPE=refpolicy_mcs
And we can compile the policy:
make clean && make conf && make install && make load
and activate it:
selinux-activate
Now we should map our users to the unconfined_u SELinux user:
semanage login -m -s unconfined_u __default__
semanage login -m -s unconfined_u root
We can see the result of the previous action:
cat /etc/selinux/*/seusers
We also need to set some SELinux booleans:
setsebool -P allow_execmem on
setsebool -P ssh_sysadm_login on
And we can reboot. After the reboot, SELinux will be running in permissive mode, which logs denials without enforcing them. We will have a lot of denials, so before continuing to experiment we should make a backup of our image. For now we can use rsync, but for incremental backups I will use libvirt.
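The NAME set in build.conf and SELINUXTYPE in /etc/selinux/config have to match for the compiled policy to be the one loaded after the reboot. The check below is an added example, not part of the original article; the function names conf_value and check_policy_config and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check that build.conf and /etc/selinux/config agree.

# Print the value of KEY from a "KEY = value" or "KEY=value" file.
# Commented-out lines do not match; the last active assignment wins.
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only if the policy named in build.conf ($1) is the one that the
# SELinux config ($2) selects, and it is an MCS policy as in the article.
check_policy_config() {
    name=$(conf_value "$1" NAME)
    type=$(conf_value "$1" TYPE)
    selinuxtype=$(conf_value "$2" SELINUXTYPE)
    rc=0
    if [ -z "$name" ] || [ "$name" != "$selinuxtype" ]; then
        echo "NAME='$name' in build.conf, SELINUXTYPE='$selinuxtype' in config" >&2
        rc=1
    fi
    if [ "$type" != "mcs" ]; then
        echo "TYPE='$type' in build.conf, expected mcs" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/build.conf" <<'EOF'
# NAME = refpolicy
TYPE = mcs
NAME = refpolicy_mcs
DISTRO = debian
EOF
cat > "$demo_dir/config" <<'EOF'
SELINUX=permissive
SELINUXTYPE=refpolicy_mcs
EOF
if check_policy_config "$demo_dir/build.conf" "$demo_dir/config"; then
    echo "policy name and type are consistent"
fi
```

On the guest, the same function can be pointed at the real files: check_policy_config refpolicy/build.conf /etc/selinux/config.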