Recently in my (physical) mailbox: SELinux by Example by Frank Mayer, Karl MacMillan, David Caplan. The most recent and up-to-date book about SELinux I know about, written by some of the most involved and knowledgeable people in the field.
From what I've read until now it seems to be a really in-depth and easy to understand introduction, and what's more important, it covers the practical aspects of how you use, configure, and administer SELinux in real deployed systems.
This should make an interesting read...
After you have installed a minimum SELinux setup in QEMU, you might want to tweak and edit the policy to fit your needs.
Help->Software Updates->Find and install...
Search for new features to install, then
New remote site
http://www.tresys.com/files/eclipse-update/" as URL, click
Of course, you can also easily use your favourite text-editor to edit the plain policy files (if you use the te.vim file from Thomas Bleher you get syntax highlighting, at least for *.te files). After placing the file in the
~/.vim/syntax directory, add this to your
if has("autocmd") filetype plugin on augroup te autocmd BufRead,BufNewFile *.te set filetype=te augroup END endif
Update: "Testing stuff with QEMU"-articles published so far:
Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...
Basic Debian unstable install in QEMU:
apt-get install qemu
qemu-img create -f qcow /path/to/debian.img 5000M
qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
/etc/apt/sources.listif needed, and then dist-upgrade to the latest stuff:
apt-get update && apt-get dist-upgrade
halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "
Creating a QEMU overlay image:
QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).
qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
qemu -hda /path/to/debian_selinux_overlay.img
Basic SELinux setup:
Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.
apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
setfilesutility is in the wrong place, see #384850), but there's a simple workaround:
ln -s /sbin/setfiles /usr/sbin/setfiles
ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
selinux=1to enable SELinux in the kernel (press "e" to edit the boot options).
sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.
Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.
As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.
Update 2006-08-28: You don't really need
user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).
In his latest blog post Bruce Schneier explains why data mining for terrorist patterns is pretty much useless and unsuccessful, while still killing our privacy.
In the words of Schneier:
We're not trading privacy for security; we're giving up privacy and getting no security in return.
I couldn't agree more.