Monday, December 29, 2008

selinux in debian

-Run apt-get install selinux-basics selinux-policy-refpolicy-targeted.

-Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line (by adding it to the #kopt= line and then running update-grub). If you are using lilo, you must instead make similar changes to /etc/lilo.conf and run lilo.

-Fix the package-specific dependencies. Below are the highlights; for the complete list see http://wiki.debian.org/SELinux/Setup#package-specific:

  • In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same for /etc/pam.d/ssh.
  • In /etc/default/rcS set FSCKFIX=yes and add EDITMOTD=no. [Only important for 'strict' policy:] In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then run rm /var/run/motd. Replace the symlink /etc/motd with a static "message of the day" file instead.
  • Add no_static_dev="1" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory.
  • The cron package includes a daily cronjob to back up some system files, including /etc/shadow. For security reasons you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part that backs up /etc/shadow and /etc/gshadow (bug #333837).
  • "locate" is part of fileutils and a useful tool for finding files on your system. To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy for regular locate to work flawlessly, so it is recommended to disable it on SELinux boxes. To do this, insert an exit 0 as the second line of /etc/cron.daily/find.
  • Check that the /selinux directory exists and if not, create it with mkdir /selinux.
  • Run touch /.autorelabel and reboot
  • Run touch /.autorelabel and reboot again
  • Run check-selinux-installation
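The following POSIX sh script is an added example, not part of the original post or of the Debian SELinux packages: it turns the file edits above into read-only checks that can be run before the relabel reboots, as a complement to (not a replacement for) check-selinux-installation. Every check takes a file path, so it works against the real files or against constructed samples; the selfcheck function builds a few such samples in a temporary directory to show what each check accepts and rejects. The file paths in audit_live_system are the ones named in the post; the patterns and the exact file layouts are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks for the
# pre-relabel edits. Each function exits 0 when the file looks correct.

# /etc/pam.d/login and /etc/pam.d/ssh: the pam_selinux session line is active.
pam_selinux_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux\.so' "$1"
}

# /boot/grub/menu.lst: the "# kopt=" line that update-grub copies into every
# kernel entry carries selinux=1 as a whole word.
grub_kopt_has_selinux() {
    grep -Eq '^#[[:space:]]*kopt=(.*[[:space:]])?selinux=1([[:space:]]|$)' "$1"
}

# /proc/cmdline (or any file with the same layout): the running kernel was
# actually booted with selinux=1, i.e. the grub/lilo change took effect.
kernel_booted_with_selinux() {
    grep -Eq '(^|[[:space:]])selinux=1([[:space:]]|$)' "$1"
}

# /etc/default/rcS: FSCKFIX=yes and EDITMOTD=no, both uncommented.
rcs_settings_ok() {
    grep -Eq '^[[:space:]]*FSCKFIX=yes' "$1" && grep -Eq '^[[:space:]]*EDITMOTD=no' "$1"
}

# /etc/udev/udev.conf: no_static_dev="1" (quotes optional).
udev_static_dev_disabled() {
    grep -Eq '^[[:space:]]*no_static_dev="?1"?' "$1"
}

# /etc/cron.daily/standard: no uncommented line still references shadow/gshadow.
cron_shadow_backup_disabled() {
    ! grep -Eq '^[^#]*g?shadow' "$1"
}

# /etc/cron.daily/find: line 2 is "exit 0", so locate's updatedb never runs.
locate_cron_disabled() {
    sed -n '2p' "$1" | grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$'
}

# check <label> <function> <file>: print a result line, count failures.
fails=0
check() {
    if "$2" "$3" 2>/dev/null; then
        echo "ok   $1"
    else
        echo "FAIL $1 ($3)"; fails=$((fails + 1))
    fi
}

# Run every check against the live paths from the post; non-zero on any failure.
audit_live_system() {
    fails=0
    check "pam_selinux in login"   pam_selinux_enabled         /etc/pam.d/login
    check "pam_selinux in ssh"     pam_selinux_enabled         /etc/pam.d/ssh
    check "selinux=1 in menu.lst"  grub_kopt_has_selinux       /boot/grub/menu.lst
    check "selinux=1 at boot"      kernel_booted_with_selinux  /proc/cmdline
    check "FSCKFIX/EDITMOTD"       rcs_settings_ok             /etc/default/rcS
    check "udev no_static_dev"     udev_static_dev_disabled    /etc/udev/udev.conf
    check "no shadow backup"       cron_shadow_backup_disabled /etc/cron.daily/standard
    check "locate cron disabled"   locate_cron_disabled        /etc/cron.daily/find
    if [ -d /selinux ]; then echo "ok   /selinux exists"; else echo "FAIL /selinux missing"; fails=$((fails + 1)); fi
    [ "$fails" -eq 0 ]
}

# Constructed samples (one edited file, one untouched file per check) showing
# what the functions accept and reject. Exits 0 when every pair behaves.
selfcheck() {
    d=$(mktemp -d) || return 1
    printf '# kopt=root=/dev/sda1 ro selinux=1\n' > "$d/menu.good"
    printf '# kopt=root=/dev/sda1 ro selinux=10\n' > "$d/menu.bad"
    printf '#\nsession required pam_selinux.so multiple\n' > "$d/pam.good"
    printf '# session required pam_selinux.so multiple\n' > "$d/pam.bad"
    printf '#!/bin/sh\nexit 0\nupdatedb\n' > "$d/find.good"
    printf '#!/bin/sh\nupdatedb\n' > "$d/find.bad"
    printf 'cp -p /etc/passwd /var/backups\n# cp -p /etc/shadow /var/backups\n' > "$d/std.good"
    printf 'cp -p /etc/shadow /var/backups\n' > "$d/std.bad"
    printf '# FSCKFIX=no\nFSCKFIX=yes\nEDITMOTD=no\n' > "$d/rcS.good"
    printf 'FSCKFIX=no\n' > "$d/rcS.bad"
    bad=0
    grub_kopt_has_selinux "$d/menu.good" && ! grub_kopt_has_selinux "$d/menu.bad" || bad=1
    pam_selinux_enabled "$d/pam.good" && ! pam_selinux_enabled "$d/pam.bad" || bad=1
    locate_cron_disabled "$d/find.good" && ! locate_cron_disabled "$d/find.bad" || bad=1
    cron_shadow_backup_disabled "$d/std.good" && ! cron_shadow_backup_disabled "$d/std.bad" || bad=1
    rcs_settings_ok "$d/rcS.good" && ! rcs_settings_ok "$d/rcS.bad" || bad=1
    rm -rf "$d"
    return $bad
}

# Usage: sh selinux-prereqs.sh --audit      (live system, run as root)
#        sh selinux-prereqs.sh --selfcheck  (constructed samples only)
case "${1:-}" in
    --audit)     audit_live_system ;;
    --selfcheck) selfcheck ;;
esac
```

The checks are deliberately narrow: they confirm the edits were made, not that the resulting policy is sound, which is what the relabel and check-selinux-installation are for. The cron_shadow_backup_disabled check is a heuristic that flags any uncommented mention of shadow or gshadow, so a script that references those names for another reason will be reported as a failure and needs a manual look.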
