Testing stuff with QEMU - Part 1: SELinux support in Debian unstable [Update]

Update: "Testing stuff with QEMU"-articles published so far:

Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...

Basic Debian unstable install in QEMU:

  1. Install QEMU:
    apt-get install qemu
  2. Download the latest Debian etch installer ISO image (etch beta 3, currently):
    wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/debian-testing-i386-binary-1.iso
  3. Create a QEMU image which will hold the Debian installation:
    qemu-img create -f qcow /path/to/debian.img 5000M
  4. Boot directly from the ISO image and install Debian into the QEMU image (I won't go into the details of the installation itself; Wolfang Lonien has nice HOWTOs for that: part 1, part 2, video):
    qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
  5. After the installation is done, configure the system, tweak /etc/apt/sources.list if needed, and then dist-upgrade to the latest stuff:
    apt-get update && apt-get dist-upgrade
  6. That's about it for the basic Debian install, you can now shutdown the OS and QEMU (type "halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "quit").

Creating a QEMU overlay image:

QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).

  1. Create an overlay image based on the previously installed Debian image:
    qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
  2. Now boot into the new overlay image:
    qemu -hda /path/to/debian_selinux_overlay.img

Basic SELinux setup:

SELinux / sestatus screenshot

  1. SELinux wants to label all the files on your system (all inodes actually), so your filesystem(s) need the so-called extended attributes (xattr) and "security labels" (both are kernel options) which most modern file systems now support. For ext3 (for example) you need these config options:
    CONFIG_EXT3_FS=y
    CONFIG_EXT3_FS_XATTR=y
    CONFIG_EXT3_FS_SECURITY=y
    Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.

  2. Install the basic SELinux packages and the source package of the SELinux reference policy:
    apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
  3. I noticed a bug in the current Debian packages (the setfiles utility is in the wrong place, see #384850), but there's a simple workaround:
    ln -s /sbin/setfiles /usr/sbin/setfiles
  4. Now we can (re-)label the file system:
    cd /etc/selinux/refpolicy/src/policy
    make relabel
    This will build the reference policy from source and relabel your file system (this will take a while).
    There might be some warnings (and maybe you'll notice further bugs), but they seem not to be critical.
  5. We can now (almost) enable SELinux, but before we can reboot we need to work around another bug (#384852), otherwise SELinux will not be enabled when we reboot:
    ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
  6. Now reboot the emulated Debian system, and at the GRUB console add the kernel option selinux=1 to enable SELinux in the kernel (press "e" to edit the boot options).
  7. You'll get tons of SELinux log messages while the system boots, that's normal at this point, don't worry.
    Then you can type "sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.

Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.

As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.

Update 2006-08-28: You don't really need user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

I think you're missing a step

I've followed the instructions up to "Basic SELinux setup:" step 4

Installing selinux-policy-refpolicy-src doesn't appear to create
/etc/selinux/refpolicy/src/policy

I had to:
tar xzf /usr/src/selinux-policy-refpolicy-src.tar.gz
cd selinux-policy-refpolicy-src
make install-src

Thanks for the guide anyhow :)

SELinux in Debian unstable

Yes, the SELinux setup changed substantially in the last few days in unstable, the HOWTO will no longer work flawlessly.

I'm currently trying to get the SELinuxSetup page in the Debian wiki updated, after that I'll probably post an update in my blog...

Cheers, Uwe.

why the user_xattr option?

Normally SE Linux doesn't need any special mount option. user_xattr is for applications that want to create xattrs named "user.something" and doesn't apply to "security.selinux".

Unless QEMU does something different in this regard then you should not need this.

Of course xattrs are usually a good thing and I can't think of any harm in having them enabled. But I am not aware of it being required for SE Linux.

user_xattr

Thanks, fixed. Is the current version correct now? I.e. you need xattr + security labels support in the kernel, but not uxer_xattr?

Uwe.

Add new comment Testing stuff with QEMU - Part 1: SELinux suppo

Thanks for the article, I'm testing this right now.
By the way, is it ok if I translate this into spanish, for a debian user web (http://www.esdebian.org)? I think some people can be interested in testing this too, and it would be easier for them to follow the instructions in spanish.
I'll wait for your answer ;)

Spanish translation

Sure, feel free to translate and re-post it anywhere (as long as you honor the Creative Commons license the content is released under)...

Uwe.

Nice introduction

I will probably follow along next week when I have more time.

If you're ever tempted brief introductions like this would be very welcome on debian-administration.org ..

debian-administration.org

Yeah, I was thinking about that, but that's what I (mainly) use my blog for... But all my blog content is Creative Commons licensed, so feel free to re-post all or parts of it on debian-administration.org as you see fit...

Cheers, Uwe.