Update: "Testing stuff with QEMU"-articles published so far:
Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...
Basic Debian unstable install in QEMU:
apt-get install qemu
qemu-img create -f qcow /path/to/debian.img 5000M
qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
/etc/apt/sources.listif needed, and then dist-upgrade to the latest stuff:
apt-get update && apt-get dist-upgrade
halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "
Creating a QEMU overlay image:
QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).
qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
qemu -hda /path/to/debian_selinux_overlay.img
Basic SELinux setup:
Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.
apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
setfilesutility is in the wrong place, see #384850), but there's a simple workaround:
ln -s /sbin/setfiles /usr/sbin/setfiles
ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
selinux=1to enable SELinux in the kernel (press "e" to edit the boot options).
sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.
Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.
As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.
Update 2006-08-28: You don't really need
user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).