root/trunk/RHEL5.2/INSTALL

Installing Certifiable Linux Integration Platform
=================================================

=== Installing the RHEL 5.2 Base System ===

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.2, Server.

Next, obtain the kickstart file (clip.ks) from http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

        1. The partitioning information needs to be defined for the specific systems hardware requirements. Partition sizes are specified in megabytes sizes.
        2. If the kickstart file is accessed via the network-based method, note that the client system must obtain its TCP/IP configuration information before it is able to resolve hostnames. This can be done by including the commented out line at the top of the kickstart script:

                # network --bootproto=dhcp

        If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The kickstart script is supplied to the Linux kernel as a boot parameter. The script can be conveyed to the kernel in various ways, either via a network connection (HTTP, FTP/TFTP and NFS are supported) or locally via floppy, harddisk or CDROM.

Boot from Disc 1 of the RHEL5.2 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

        boot> linux ks=http://someserver/clip.ks

        - or -

        boot> linux ks=http://ipaddr/clip.ks

        - or -

        boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. The user will choose appropriate values for settings prompted for by anaconda. At this point, anaconda will install the operating system and a few packages. At the end of the installation, you will be prompted to create a password for the 'root' and 'clipuser' users.  Once this is complete, a reboot will be necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.


=== Installing Packages ===

A full CLIP installation requires an update SELinux toolchain, modified policy and some other userland tools included in the clip rpm. You can optionally install the IPTables rpm to have the ability to dynamically label packets.

The installation of RHEL 5.2 CLIP packages needs to occur in two phases, the second of which requires setting SELinux's enforcing mode to permissive.

First, install the PAM RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. This rpm includes a patched cracklib module that allows password restrictions to be applied to the root user.

        rpm -Uvh --force pam-0.99.6.2-3.27.$ARCH.rpm

Next, install the CLIP RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2:

        rpm -ivh --force clip-2.0-1.$ARCH.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package.

CLIP distributes an optionally installed IPTables package update that supports per packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The IPTables package is available at [wiki:DownloadRelease#RHEL5.1 DownloadRelease]

To use the update first install the rpm:

        rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm

After installing the rpm you must turn off the compat_net option that is enabled by the clip kickstart file. You can enable this at runtime by using the command

        echo "0" > /selinux/compat_net

In order to make this change persistent across reboots edit the file /boot/grub/grub.conf and set selinux_compat_net=0

Finally packets can be labeled using rules such as:

        iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0 
        iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore 

The first rule will label all tcp packets received on port 21 system_u:object_r:ftp_client_packet_t:s0. The second rule ensures that all further packets that are part of initial connection will keep that label. All rules must be added to the mangle table. If a rule has an invalid context IPTables will return a very bad error code that is not descriptive. This problem exists because of the way that IPTables returns errors and was not easily solvable as part of our back port.

Now download the updated SELinux toolchain and policy RPMs found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode:

        setenforce 0
        rpm -Uvh libsepol-1.16.14-1.$ARCH.rpm
        rpm -Uvh --force libselinux-1.34.15-1.$ARCH.rpm
        rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm
        rpm -Uvh libsemanage-1.10.9-1.$ARCH.rpm
        rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm
        rpm -Uvh policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm
        rpm -ivh selinux-policy-clip-3.0-1.noarch.rpm

Note: Because the selinux-policy-clip rpm makes changes to class definitions, the policy will fail to load after installation.  A reboot is require before the policy will load.

        reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements specified by DCID 6/3.


=== Configuring System Services ===

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

        atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

=== Additional Operational Considerations ===

The CLIP installation process also defines a password for the bootloader, as required by the DCID 6/3, which is '123)(*qweASD'.