Revision 2420 comment: fixed some links, removed "obsolete" stuff, added note about audit support.
Revision 2504 comment: added note that 2.6.13/experimental has audit enabled.
SELinux
Introduction
["SELinux"] began as a project to port to Linux the mandatory access control architecture that the National Security Agency (NSA) and the Secure Computing Corporation (SCC) had developed on the Mach and Fluke operating systems.
The NSA ["SELinux"] website can be found [http://www.nsa.gov/selinux/index.cfm here] and a paper on why mandatory access controls are a good and likely a necessary thing can be found [http://www.nsa.gov/selinux/papers/inevit-abs.cfm here].
Debian SELinux support
The Debian packaged Linux kernels have had ["SELinux"] support compiled in, but disabled by default, since version 2.6.9. In order to activate ["SELinux"] the parameter selinux=1 must be passed to the kernel when booting. Alternatively, you can compile your own kernel with ["SELinux"] enabled by default.
Actually you will most likely want to build your own kernel, since the Debian kernels do not include "audit" support, which is essential for writing and debugging ["SELinux"] policies. Apparently kernel 2.6.13 from experimental has audit enabled, so grab this one.
In addition to kernel modifications, several user-space applications need to be modified to support ["SELinux"] properly. Not all of these are in the mainstream Debian repository yet, so you might have to download some packages from [http://www.golden-gryphon.com/software/security/selinux.xhtml Manoj Srivastava's "SELinux" site] and/or [http://www.coker.com.au/selinux/ Russell Coker's "SELinux" site], where more ["SELinux"] documentation and links can also be found.
The repository for the ["SELinux"] add-on packages is "deb http://people.debian.org/~srivasta/ packages/"
Please note that ["SELinux"] is a Linux-specific feature, so Debian packages shouldn't assume it is present (unless they're Linux-specific packages for some reason). Remember to check whether this is a Linux platform by using dpkg-architecture variables in debian/rules, and conditionalise the libselinux Build-Dependency using [] architecture tags. Something like [!kfreebsd-i386 !hurd-i386] should be fine.
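An added example (not from this page or from any Debian package) of what that looks like in practice: a debian/rules fragment that keys on the dpkg-architecture variable DEB_HOST_ARCH_OS, with the matching Build-Depends line shown as a comment. The configure switches --with-selinux/--without-selinux are placeholders for whatever the upstream build system actually accepts.

```make
# debian/rules fragment (added example, not from the page).
# Ask dpkg-architecture which kernel the package is being built for;
# SELinux only exists on Linux, so that is the only case that may
# link against libselinux.
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)

ifeq ($(DEB_HOST_ARCH_OS),linux)
  # Linux: enable SELinux support (placeholder configure flag).
  CONFIGURE_FLAGS += --with-selinux
else
  # kfreebsd-*, hurd-*: never assume libselinux is present.
  CONFIGURE_FLAGS += --without-selinux
endif

build: build-stamp

build-stamp:
	dh_testdir
	./configure --prefix=/usr $(CONFIGURE_FLAGS)
	$(MAKE)
	touch $@

# Matching line in debian/control, so the build dependency is dropped
# on the non-Linux ports named on this page:
#   Build-Depends: debhelper (>= 4), libselinux1-dev [!kfreebsd-i386 !hurd-i386]
```

Keeping the rules conditional and the Build-Depends restriction in step is the point: if only one of them is changed, the package either fails to build on the non-Linux ports or silently links against a library it never declared.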
For more details on the status of getting ["SELinux"] enabled Debian packages into the mainline repository, see ["SELinuxStatus"] and ["SELinuxTODO"].
Debian SELinux links
[http://www.coker.com.au/selinux/ Russell Coker's "SELinux" site]
[http://www.golden-gryphon.com/software/security/selinux.xhtml Manoj Srivastava's "SELinux" site]