
Securing Debian: SELinux Integration Into Etch

Please have a look at Russell's site for details on how to proceed on setting up SELinux on Debian Sid.
There has also been interest in creating an SELinux UML (User-Mode Linux) instance, since it allows rapid testing of policies and packages, and makes it possible to observe the reaction of the machine to threats and other stimuli. However, it has traditionally been tedious to create a UML that can be run in enforcing mode. A recipe for doing so has been created, and is kept up to date with new kernel versions and newer versions of the patches for SELinux and UML. An effort is underway to create a more flexible, automated, and configurable tool to help generate the root file systems that can be used for UML instances or for stand-alone installations.

User Land Packages


In addition to the core SELinux code, certain SELinux-patched user-space packages are required to use SELinux. These packages were initially provided as a convenience by the NSA, but it has now delegated maintenance of these patches back to the community. A reference set of SELinux user-land patches is available in the public Fedora CVS tree. Red Hat's Fedora distributions have fully embraced SELinux, and have been keeping the patches updated with new versions of these user-land patches.
So this mini project is an effort to bring Debian's SELinux-patched packages back in sync with the latest upstream and the latest SELinux patches, and to make it easier for Debian developers to access SELinux patches. What one can find here are the original Fedora patches, as well as patches massaged for Debian's version. To facilitate SELinux-related work, there is also a separate repository where Debian work on these user-land packages and the corresponding SELinux branches shall be tracked. The archive registration information is as below:
~% tla register-archive http://arch.debian.org/arch/private/srivasta/archive-2005-selinux
As these packages come along, I shall attempt to create an apt-able repository for them on people.debian.org. To use, just put the following in /etc/apt/sources.list, and run aptitude update. The archive is also signed, and the public key for the Release.gpg file can be downloaded from here.

DPKG


Dpkg is the primary package management system for Debian systems. It handles the installation and removal of packages on a Debian system. Since it is used for the initial installation of packages, special care must be taken to ensure that the component file system objects end up in the appropriate domain, rather than in the sysadmin_t domain, which would normally be the case for things created by the system administrator.

As of version 1.13.10, SELinux support is compiled into dpkg (statically compiled). The upstream repository for dpkg is browsable. As part of the SELinux effort, a set of branches has been tagged off from upstream, and is available here.

Repository links

dpkg--stable
The stable upstream DPKG branch, meant for Sarge.
dpkg--devel
The upstream development branch for dpkg. This is meant for Etch -- and since Etch can promote libselinux1 to an essential priority, this branch of dpkg could be linked against libselinux1.
dpkg--selinux-old
Russell Coker's modifications to dpkg, which introduce {pre,post}{inst,rm}.d/ directories to label installed package files correctly, using setfiles. Unfortunately, these changes were deemed too far-reaching, and really suboptimal, by the dpkg authors, since they were not comfortable introducing general-purpose hook directories, which could lead to non-deterministic behaviour and could be open to all kinds of abuse.
dpkg--selinux
A new modification of dpkg, using SELinux library calls (matchpathcon and setfilecon) to set the security context of component files just after unpacking. This approach may be more acceptable, since it does not create a whole set of directories that are open to potential abuse, and fits in with the chown/chmod calls that dpkg already makes.
Please note that while the dpkg--selinux-old branch is tagged off the dpkg--stable branch, the dpkg--selinux branch is tagged off the dpkg--devel branch.

Bug numbers

None Needed.

SSH

Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. This is an implementation of the IETF secsh working group's specification of the Secure Shell protocol. Since it logs in to a system in lieu of a user, it needs to be modified to set the security context of the process. The Fedora Core patch can be found in the Fedora Core CVS repository.
The public repository of the Debian development is not available directly, since it is hosted as a CVS repository on chiark, which does not offer public pserver access. However, a full repository tarball is available, updated daily.
As of 4.1p1-4, openssh in Debian is compiled with SELinux support, so no patches are needed.