Testing stuff with QEMU - Part 1: SELinux support in Debian unstable [Update]

Update: "Testing stuff with QEMU"-articles published so far:

Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...

Basic Debian unstable install in QEMU:

  1. Install QEMU:
    apt-get install qemu
  2. Download the latest Debian etch installer ISO image (etch beta 3, currently):
  3. Create a QEMU image which will hold the Debian installation:
    qemu-img create -f qcow /path/to/debian.img 5000M
  4. Boot directly from the ISO image and install Debian into the QEMU image (I won't go into the details of the installation itself; Wolfang Lonien has nice HOWTOs for that: part 1, part 2, video):
    qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
  5. After the installation is done, configure the system, tweak /etc/apt/sources.list if needed, and then dist-upgrade to the latest stuff:
    apt-get update && apt-get dist-upgrade
  6. That's about it for the basic Debian install, you can now shutdown the OS and QEMU (type "halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "quit").

Creating a QEMU overlay image:

QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).

  1. Create an overlay image based on the previously installed Debian image:
    qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
  2. Now boot into the new overlay image:
    qemu -hda /path/to/debian_selinux_overlay.img

Basic SELinux setup:

SELinux / sestatus screenshot

  1. SELinux wants to label all the files on your system (all inodes actually), so your filesystem(s) need the so-called extended attributes (xattr) and "security labels" (both are kernel options) which most modern file systems now support. For ext3 (for example) you need these config options:
    Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.

  2. Install the basic SELinux packages and the source package of the SELinux reference policy:
    apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
  3. I noticed a bug in the current Debian packages (the setfiles utility is in the wrong place, see #384850), but there's a simple workaround:
    ln -s /sbin/setfiles /usr/sbin/setfiles
  4. Now we can (re-)label the file system:
    cd /etc/selinux/refpolicy/src/policy
    make relabel
    This will build the reference policy from source and relabel your file system (this will take a while).
    There might be some warnings (and maybe you'll notice further bugs), but they seem not to be critical.
  5. We can now (almost) enable SELinux, but before we can reboot we need to work around another bug (#384852), otherwise SELinux will not be enabled when we reboot:
    ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
  6. Now reboot the emulated Debian system, and at the GRUB console add the kernel option selinux=1 to enable SELinux in the kernel (press "e" to edit the boot options).
  7. You'll get tons of SELinux log messages while the system boots, that's normal at this point, don't worry.
    Then you can type "sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.

Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.

As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.

Update 2006-08-28: You don't really need user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).

HOWTO: Install Windows XP in Debian using QEMU

This is more or less a reminder for me, most of you will probably already know how to do it...

  1. Install QEMU:
    apt-get install qemu
  2. Create a (resizable) image which will hold Windows XP. The installer chokes if the image is smaller than 1.2 GB or so, but that's not too much of a problem; the "qcow" image format will only take up as much space as is really needed, so the image will be very small in the beginning (not 1.2 GB big!).
    qemu-img create -f qcow /path/to/xp.cow 1300M
  3. Insert the install CD, and install Windows in the QEMU image:
    qemu -hda /path/to/xp.cow -boot d -cdrom /dev/cdrom -m 384 -localtime
  4. Wait.
  5. After the install has finished, shut down the QEMU/Windows; from now on you can boot it (without having to insert the CD anymore) with:
    qemu -hda /path/to/xp.cow -boot c -m 384 -localtime -k de -usb

Type "qemu -h" for more options.

No Time, Nexuiz, Rcov, Democracy Player

democracyplayer screenshot

No. Time. To. Blog. But these few lines I wanted to post nevertheless: there's some neat new packages in Debian since today: Nexuiz (nice ego shooter), rcov (code coverage for Ruby), and Democracy Player (RSS video downloader/viewer for videoblogs, packaged by yours truly, as promised).

That's all.

Stuff V

  • I have started looking into SELinux on Debian recently. SELinux provides mandatory access control for Linux, which gives you great control over which process may do what with which files, other processes, network connections etc. I've still got a lot to learn and read (more posts will probably follow), but if you're inclined to try it yourself here are a few tips:
    • First, read the SELinux and especially the SELinuxSetup pages in the Debian wiki. Also checkout the SELinuxStatus page.
    • There are currently a few bugs I noticed, which cause some trouble: bug #369852 prevents a correct install of the selinux-policy-default package, but the work-around mentioned in the bug report works fine. I reported bug #372543 yesterday, but there's an easy work-around for that, too.
    • I had to change "SELINUX=enforcing" to "SELINUX=permissive" in /etc/selinux/config (at least for now), otherwise my system won't boot up anymore because of SELinux denied permissions (I think). I'm pretty sure this is either a bug or me doing something wrong, but I haven't figured out yet what that is.
  • Robert Nunnally (a.k.a Gurdonark) has created a photo collage video (YouTube, requires Flash) for Marco Raaphorst's "Blowing Snow" song. He used some of the Creative Commons licensed photos from my photoblog for the video.
  • Wow! Today the number of people subscribed to my music podcast (via RSS) exceeded 200 for the first time! Thanks everyone for listening!
  • GNU/Hurd 1.0.0 has been released. Finally! And they've built it on top of an interesting "middleware"...

OS Install Experiences - Part 4: Ubuntu

Note: This article is part of my OS Install Experiences series.

Next OS — the recently released Debian-derived distribution Ubuntu 6.06 (Dapper Drake).


  1. First, I downloaded a Ubuntu 6.06 CD image, burned it on a CD, and booted from that.
  2. The first installer screen allows you to choose between a normal install, "safe graphics mode", "check CD for defects", "memory test", and "boot from first hard disk". If you hit enter and wait a few minutes, you're dropped right into a fully working GNOME session (think Live-CD). No user-iteraction is required at all...
  3. If you like you can use the system for normal tasks already (web browsing, whatever). If you want to install Ubuntu, you click the "Install" icon on the desktop...
  4. After choosing the language, timezone (by clicking on your country on a nice graphical world map!), and keyboard layout, the installation begins.
  5. You must enter your user password (no root password, in Ubuntu you have to use sudo for everything which requires root permissions), user account name, and (ugh!) you must enter a full name (same annoying behaviour as with PC-BSD).
  6. The partitioning tool is graphical and quite easy to use. It takes ages to scan the disk(s) and partitions though (yes, I have quite a lot of them, but still)...
  7. That's mostly it, the installation of the packages starts now, and after it's finished, a window pops up asking you whether you want to reboot or continue using the Live CD for a little longer.
  8. What's noticeable is that I was not asked where or how I want to install a bootloader, Ubuntu simply scans the disks, tries to detect the OSes and writes itself into the MBR. Which sucks quite a bit, especially for more complicated setups like I'm using here. For example, it didn't detect the PC-BSD installation, so I can no longer boot that for now (need to fix GRUB manually).
  9. That's it, after a reboot you're dropped into GNOME and the installation is done. Pretty impressive how easy such Linux installations have gotten recently...


Continue reading here...

Syndicate content