Update: "Testing stuff with QEMU"-articles published so far:
Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...
Basic Debian unstable install in QEMU:
apt-get install qemu
qemu-img create -f qcow /path/to/debian.img 5000M
qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
/etc/apt/sources.listif needed, and then dist-upgrade to the latest stuff:
apt-get update && apt-get dist-upgrade
halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "
Creating a QEMU overlay image:
QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).
qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
qemu -hda /path/to/debian_selinux_overlay.img
Basic SELinux setup:
Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.
apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
setfilesutility is in the wrong place, see #384850), but there's a simple workaround:
ln -s /sbin/setfiles /usr/sbin/setfiles
ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
selinux=1to enable SELinux in the kernel (press "e" to edit the boot options).
sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.
Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.
As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.
Update 2006-08-28: You don't really need
user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).
This is more or less a reminder for me, most of you will probably already know how to do it...
apt-get install qemu
qemu-img create -f qcow /path/to/xp.cow 1300M
qemu -hda /path/to/xp.cow -boot d -cdrom /dev/cdrom -m 384 -localtime
qemu -hda /path/to/xp.cow -boot c -m 384 -localtime -k de -usb
Type "qemu -h" for more options.
No. Time. To. Blog. But these few lines I wanted to post nevertheless: there's some neat new packages in Debian since today: Nexuiz (nice ego shooter), rcov (code coverage for Ruby), and Democracy Player (RSS video downloader/viewer for videoblogs, packaged by yours truly, as promised).
SELINUX=enforcing" to "
/etc/selinux/config(at least for now), otherwise my system won't boot up anymore because of SELinux denied permissions (I think). I'm pretty sure this is either a bug or me doing something wrong, but I haven't figured out yet what that is.
Note: This article is part of my OS Install Experiences series.