{"id":1141,"date":"2012-02-08T09:35:01","date_gmt":"2012-02-08T17:35:01","guid":{"rendered":"http:\/\/wp.colliertech.org\/cj\/?p=1141"},"modified":"2012-02-08T13:58:38","modified_gmt":"2012-02-08T21:58:38","slug":"selinux-on-wheezy","status":"publish","type":"post","link":"https:\/\/wp.c9h.org\/cj\/?p=1141","title":{"rendered":"SELinux on Wheezy"},"content":{"rendered":"<p>So, Collier Technologies LLC needs to pass annual audits to operate a certification authority recognized by the SoS.  To this end, I&#8217;m working with the fine <a href=\"http:\/\/www.nsa.gov\/research\/selinux\/\">group<\/a> of developers who maintain <a href=\"http:\/\/selinuxproject.org\/page\/Main_Page\">SELinux<\/a>.  It seems that the configuration of Xorg that I&#8217;m using while typing this here blog post does not have a policy set up for it in the Debian packages.  Or if it does, I don&#8217;t know enough about it to figure it out.<\/p>\n<p>I&#8217;ve been keeping logs and publishing them here:<\/p>\n<p><a href=\"http:\/\/www.colliertech.org\/federal\/nsa\/\">http:\/\/www.colliertech.org\/federal\/nsa\/<\/a><\/p>\n<p>I&#8217;ll update this post as progress is made.<\/p>\n<p>[edit 20120208T1042]<\/p>\n<p>It looks like loading all of the .pp modules (except base.pp, which is the base module rather than a loadable one, and alsa.pp) makes X run:<\/p>\n<pre>\r\ncjac@foxtrot:\/usr\/share\/selinux\/default$ time sudo \\\r\nsemodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`\r\n\r\nreal\t0m24.148s\r\nuser\t0m23.249s\r\nsys\t0m0.628s\r\n<\/pre>\n<p>I had to boot into single user mode and load the policies before switching to runlevel 2.  
To get SELinux enabled on the kernel command line, I modified \/etc\/default\/grub to include this line (on Debian the change only reaches \/boot\/grub\/grub.cfg after running update-grub):<\/p>\n<pre>\r\ncjac@foxtrot:\/usr\/share\/selinux\/default$ grep -i selinux \/etc\/default\/grub\r\nGRUB_CMDLINE_LINUX=\" selinux=1 security=selinux\"\r\n<\/pre>\n<p>Next steps:<\/p>\n<ul>\n<li><a style=\"text-decoration: line-through;\" href=\"#20120208T1346\">get the policies loaded at boot time<\/a><\/li>\n<li>get <a href=\"http:\/\/oss.tresys.com\/projects\/setools\">seinfo<\/a> working<\/li>\n<\/ul>\n<p>[edit 20120208T1305]<\/p>\n<p>It looks like the Debian setools package (which provides seinfo) has not been updated in the last 18 months.<\/p>\n<pre>\r\ncjac@foxtrot:\/usr\/src\/git\/debian\/setools$ grep url .git\/config \r\n\turl = git:\/\/git.debian.org\/git\/users\/srivasta\/debian\/setools.git\r\ncjac@foxtrot:\/usr\/src\/git\/debian\/setools$ git log | head -4\r\ncommit 22a5d3e451d8a1e60a3c746466c865e63089a92a\r\nMerge: fa238f0 149e283\r\nAuthor: Manoj Srivastava <srivasta@debian.org>\r\nDate:   Tue Jul 20 23:10:06 2010 -0700\r\n<\/pre>\n<p><a name=\"20120208T1346\">[edit 20120208T1346]<\/a><\/p>\n<p>Stephen tells me that the modules are persistent across reboots.<\/p>\n<pre>\r\n&gt; What's the best way to do this at boot?\r\n\r\nYou just do it once and it remains until\/unless you remove it with\r\nsemodule -r.  No need to do it on each boot.  Normally it is done when\r\nyou install the policy package, but since your policy package apparently\r\ndidn't install all modules, I'm suggesting that you do so manually.  \r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>So, Collier Technologies LLC needs to pass annual audits to operate a certification authority recognized by the SoS. To this end, I&#8217;m working with the fine group of developers who maintain SELinux. 
It seems that the configuration of Xorg that I&#8217;m using while typing this here blog post does not have a policy set up [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[234,60,17,221,147,79,185,232,101,233,235,133],"tags":[],"class_list":["post-1141","post","type-post","status-publish","format-standard","hentry","category-19-34-rcw","category-colliertech","category-debian","category-f5-networks","category-feds","category-free-software","category-investment","category-nsa","category-security","category-selinux","category-wheezy","category-xorg"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1YDIB-ip","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/posts\/1141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1141"}],"version-history":[{"count":8,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/posts\/1141\/revisions"}],"predecessor-version":[{"id":1143,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=\/wp\/v2\/posts\/1141\/revisions\/1143"}],"wp:attachment":[{"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1141"}],"wp:te
rm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.c9h.org\/cj\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
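The post loads every policy module except base.pp and alsa.pp with one `semodule -i` and then adds `selinux=1 security=selinux` to GRUB_CMDLINE_LINUX. The following is an added example, not code from the post or from the Debian SELinux packages: a POSIX sh helper that builds that module list without parsing `ls` output, and a check that a grub defaults file really carries both kernel arguments. The function names, the demo's temporary directory and the sample grub file are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not code from the original post. Two helpers for the
# procedure described above: build the list of policy modules to hand to
# `semodule -i` (everything except base.pp, the base module, and alsa.pp,
# which the post leaves out), and check that a grub defaults file carries
# the selinux=1 security=selinux kernel arguments. Paths are arguments so
# the functions can be exercised against constructed files.

# Print the .pp files in DIR, one per line, skipping base.pp and alsa.pp.
# A glob is used instead of parsing `ls` output, so odd filenames are safe.
list_policy_modules() {
    dir=$1
    for f in "$dir"/*.pp; do
        [ -e "$f" ] || continue            # no match: glob stays literal
        case ${f##*/} in
            base.pp|alsa.pp) ;;            # excluded, as in the post
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 if FILE's last GRUB_CMDLINE_LINUX assignment contains both
# selinux=1 and security=selinux (either order); return 1 otherwise.
# GRUB_CMDLINE_LINUX_DEFAULT is deliberately not matched.
grub_selinux_args_ok() {
    file=$1
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$file" | tail -n 1)
    case $line in
        *selinux=1*security=selinux*|*security=selinux*selinux=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed input (a temporary module directory and a
# hypothetical grub defaults file), so it runs without touching the system.
demo() {
    tmp=$(mktemp -d)
    for m in base.pp alsa.pp apache.pp xserver.pp; do : > "$tmp/$m"; done
    printf 'Modules to load:\n'
    list_policy_modules "$tmp"
    # On a real box the post's step becomes, with the list generated safely:
    #   sudo semodule -i $(list_policy_modules /usr/share/selinux/default)
    printf 'GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"\n' > "$tmp/grub"
    if grub_selinux_args_ok "$tmp/grub"; then
        echo "grub: SELinux kernel args present"
    else
        echo "grub: SELinux kernel args missing"
    fi
    rm -rf "$tmp"
}
demo
```

After editing the real `/etc/default/grub`, the check only tells you the defaults file is right; the kernel sees the arguments once `update-grub` has regenerated `/boot/grub/grub.cfg` and the machine has rebooted, which you can confirm with `grep -o 'selinux=1\|security=selinux' /proc/cmdline`.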