Changeset 238

Timestamp: 08/14/08 14:52:21 (3 months ago)
Author: slawrence
Message:

Install /var/log/tallylog3 so pam_tally will have something to log to
Update INSTALL file
Update policy to allow anacron to run unix_update and create pid files
Update policy to allow ssh to bind to 0.0.0.0

Files:

  • trunk/RHEL5.2/INSTALL

    r236 r238  
    22================================================= 
    33 
    4 To begin installation of Certifiable Linux Integration Platform (clip),  
    5 first obtain installation discs for Red Hat Enterprise Linux 5.2.  
     4=== Installing the RHEL 5.2 Base System === 
    65 
    7 Next, obtain the kickstart file from  
    8 http://oss.tresys.com/projects/clip/DownloadRelease. This file supplies  
    9 Red Hat's installer, anaconda, with various install-time parameters.       
    10 Boot from Disc 1 of the RHEL5.2 installation discs, supplying the kickstart  
    11 script as a kernel boot parameter: 
     6To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.2, Server. 
    127 
    13 boot> linux ks=http://someserver/clip.ks 
     8Next, obtain the kickstart file (clip.ks) from http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it: 
    149 
    15 This will initiate the installation process.  At this point, anaconda will  
    16 install the operating system and a few packages.  At the end of the  
    17 installation you will be prompted for a password for the root and clipuser  
    18 users. Once the installation completes, a reboot will be necessary. 
     10        1. The partitioning information needs to be defined for the specific systems hardware requirements. Partition sizes are specified in megabytes sizes. 
     11        2. If the kickstart file is accessed via the network-based method, note that the client system must obtain its TCP/IP configuration information before it is able to resolve hostnames. This can be done by including the commented out line at the top of the kickstart script: 
    1912 
    20 After rebooting, login to the sytem as the clipuser and su to root to perform 
    21 any post instalation tasks. 
     13                # network --bootproto=dhcp 
    2214 
    23 Various RPM files are required for the userspace component of the Gold  
    24 Standard platform. Download and install these RPMs from  
    25 http://oss.tresys.com/projects/clip/wiki/DownloadRelease 
     15        If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address. 
    2616 
    27 libsepol-1.16.14-1 
    28 libselinux-1.34.15-1 
    29 libselinux-python-1.34.15-1 
    30 libsemanage-1.10.9-1 
    31 checkpolicy-1.34.7-1 
    32 policycoreutils-1.34.16-1 
    33 policycoreutils-newrole-1.34.16-1 
    34 selinux-policy-clip-2.0-3 
    35 clip-2.0-1 
     17The kickstart script is supplied to the Linux kernel as a boot parameter. The script can be conveyed to the kernel in various ways, either via a network connection (HTTP, FTP/TFTP and NFS are supported) or locally via floppy, harddisk or CDROM. 
    3618 
     19Boot from Disc 1 of the RHEL5.2 Server installation discs, supplying the kickstart script as a kernel boot parameter: 
     20 
     21Accessing the kickstart file: 
     22 
     23        boot> linux ks=http://someserver/clip.ks 
     24 
     25        - or - 
     26 
     27        boot> linux ks=http://ipaddr/clip.ks 
     28 
     29        - or - 
     30 
     31        boot> linux ks=<device name>:/clip.ks 
     32 
     33This will initiate the installation process. The user will choose appropriate values for settings prompted for by anaconda. At this point, anaconda will install the operating system and a few packages. At the end of the installation, you will be prompted to create a password for the 'root' and 'clipuser' users.  Once this is complete, a reboot will be necessary. 
     34 
     35After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.) 
     36 
     37Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created. 
     38 
     39 
     40=== Installing Packages === 
     41 
     42A full CLIP installation requires an update SELinux toolchain, modified policy and some other userland tools included in the clip rpm. You can optionally install the IPTables rpm to have the ability to dynamically label packets. 
     43 
     44The installation of RHEL 5.2 CLIP packages needs to occur in two phases, the second of which requires setting SELinux's enforcing mode to permissive. 
     45 
     46First, install the CLIP RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2: 
     47 
     48        # rpm -ivh --force clip-2.0-1.$ARCH.rpm 
     49 
     50The --force option is needed because a package installed in this step will overwrite files already installed by another package. During this step, some system configuration files will be backed up and replaced by files provided by CLIP. 
     51 
     52CLIP distributes an optionally installed IPTables package update that supports per packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The IPTables package is available at http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. 
     53 
     54To use the update first install the rpm: 
     55 
     56        # rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm 
     57 
     58After installing the rpm you must turn off the compat_net option that is enabled by the clip kickstart file. You can enable this at runtime by using the command 
     59 
     60        # echo "0" > /selinux/compat_net 
     61 
     62In order to make this change persistent across reboots edit the file /boot/grub/grub.conf and set selinux_compat_net=0 
     63 
     64Finally packets can be labeled using rules such as: 
     65 
     66        # iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0  
     67        # iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore  
     68 
     69The first rule will label all tcp packets received on port 21 system_u:object_r:ftp_client_packet_t:s0. The second rule ensures that all further packets that are part of initial connection will keep that label. All rules must be added to the mangle table. If a rule has an invalid context IPTables will return a very bad error code that is not descriptive. This problem exists because of the way that IPTables returns errors and was not easily solvable as part of our back port. 
     70 
     71Now download the updated SELinux toolchain and policy RPMs found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode: 
     72 
     73        # setenforce 0 
     74        # rpm -Uvh libsepol-1.16.14-1.$ARCH.rpm 
     75        # rpm -Uvh --force libselinux-1.34.15-1.$ARCH.rpm 
     76        # rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm 
     77        # rpm -Uvh libsemanage-1.10.9-1.$ARCH.rpm 
     78        # rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm 
     79        # rpm -Uvh policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm 
     80        # rpm -ivh selinux-policy-clip-2.0-3.noarch.rpm 
     81 
     82Note: Because the selinux-policy-clip rpm makes changes to class definitions, the policy will fail to load after installation.  A reboot is require before the policy will load. 
     83 
     84        # reboot 
     85 
     86After rebooting, login to the system with the 'clipuser' account and password. 
     87 
     88Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements specified by DCID 6/3. 
     89 
     90 
     91=== Configuring System Services === 
     92 
     93In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP): 
     94 
     95        atd auditd crond iptables network syslog sysstat 
     96 
     97An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel. 
     98 
     99=== Additional Operational Considerations === 
     100 
     101The CLIP installation process also defines a password for the bootloader, as required by the DCID 6/3, which is '123)(*qweASD'.  
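Review bot: the last added line of INSTALL (line 101) publishes the bootloader password '123)(*qweASD' as a fixed value and never tells the administrator to change it; a password printed in a distributed INSTALL file gives the DCID 6/3 bootloader control no real protection, so add a step after that sentence directing the installer to set a site-specific password (grub-md5-crypt, then the password --md5 line in /boot/grub/grub.conf) before the system goes into service. Same hunk, smaller points: the third boot example on line 31, `boot> linux ks=<device name>:/clip.ks`, is missing anaconda's media prefix (hd:, cdrom:, nfs:), so a reader copying it will get an unrecognised ks= argument; the permissive-mode section (lines 71-84) runs `setenforce 0` and then reboots but never says that enforcing mode is restored from /etc/selinux/config, so tell the reader to confirm with getenforce after the reboot; line 82 should read 'A reboot is required' and line 42 'an updated SELinux toolchain'.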
  • trunk/RHEL5.2/README

    r237 r238  
    6060        make clip-rpm selinux-policy-clip-rpm 
    6161 
    62 * You will need to install the following rpms on the production (See the INSTALL file for details on installing the production system): 
     62* You will need to install the following rpms on the production system (See the INSTALL file for details on installing the production system): 
    6363 
    6464        clip/RPM/clip-2.0-1.$ARCH.rpm 
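Review bot: the corrected sentence on line 62 now says 'production system' twice in a row; 'install the following rpms on the production system (see the INSTALL file for details)' keeps the fix without the repetition.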
  • trunk/RHEL5.2/RPM/clip.spec

    r234 r238  
    4141/%{_lib}/security/pam_tally3.so 
    4242/usr/share/doc/pam_tally3 
     43/var/log/tally3 
    4344/sbin/pam_tally3 
    4445/usr/sbin/xar 
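Review bot: line 43 adds /var/log/tally3 to %files as an ordinary packaged file, so every rpm -U or reinstall of the clip package will replace the live tally log with the empty file from the package (clearing every user's failed-login count) and rpm -V will flag the file as modified on any system where pam_tally3 has run. List it as `%config(noreplace) %attr(0640,root,root) /var/log/tally3`, or as `%ghost` together with a %post that creates the file, so the package owns the path but never overwrites it. Also, the commit message refers to /var/log/tallylog3 while this spec and the Makefile install /var/log/tally3; one of them should be corrected so the description matches the packaged path.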
  • trunk/RHEL5.2/pam_tally3/Makefile

    r83 r238  
    1010APP=pam_tally3 
    1111 
     12LOG=/var/log/ 
    1213LIB_SECURITY=/lib/security 
    1314LIB64_SECURITY=/lib64/security 
     
    3637        test -d $(DESTDIR)$(SBIN) || install -m 755 -d $(DESTDIR)$(SBIN) 
    3738        test -d $(DESTDIR)$(DOC) || install -m 755 -d $(DESTDIR)$(DOC) 
     39        test -d $(DESTDIR)$(LOG) || install -m 755 -d $(DESTDIR)$(LOG) 
    3840        install -s -m755 $(PAM_MODULE) $(DESTDIR)$(LIB_SECURITY) 
    3941        install -s -m755 $(APP) $(DESTDIR)$(SBIN) 
    4042        install  -m644 doc/* $(DESTDIR)$(DOC) 
     43        touch $(DESTDIR)$(LOG)/tally3 
     44        chmod 640 $(DESTDIR)$(LOG)/tally3 
    4145 
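Review bot: LOG is defined with a trailing slash on line 12 but used as `$(DESTDIR)$(LOG)/tally3` on lines 43-44, which yields /var/log//tally3; drop the trailing slash to match how SBIN and LIB_SECURITY are written. The touch/chmod pair on lines 43-44 also leaves ownership to whoever runs make install, so mode 640 only restricts access once the owner is root (set by the rpm %files attributes, or by an explicit chown root:root here); a comment saying which of the two is relied on would help. Keeping touch rather than `install /dev/null` is the right call, since touch does not truncate an existing tally file if this target is ever run on a live system.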
    4246installx86_64: 
     
    4448        test -d $(DESTDIR)$(SBIN) || install -m 755 -d $(DESTDIR)$(SBIN) 
    4549        test -d $(DESTDIR)$(DOC) || install -m 755 -d $(DESTDIR)$(DOC) 
     50        test -d $(DESTDIR)$(LOG) || install -m 755 -d $(DESTDIR)$(LOG) 
    4651        install -s -m755 $(PAM_MODULE) $(DESTDIR)$(LIB64_SECURITY) 
    4752        install -s -m755 $(APP) $(DESTDIR)$(SBIN) 
    4853        install  -m644 doc/* $(DESTDIR)$(DOC) 
     54        touch $(DESTDIR)$(LOG)/tally3 
     55        chmod 640 $(DESTDIR)$(LOG)/tally3 
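Review bot: lines 50, 54 and 55 repeat the log-file setup from the 32-bit install target verbatim, including the same /var/log//tally3 double slash; a shared prerequisite target (for example an install-log target that both install and installx86_64 depend on) would keep the two architectures from drifting apart the next time one of them is edited.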
  • trunk/RHEL5.2/refpolicy/src/selinux-policy-clip/policy/modules/services/cron.te

    r230 r238  
    129129auth_domtrans_chk_passwd(crond_t) 
    130130 
     131# allow running of unix_update, needed by anacron 
     132auth_domtrans_upd_passwd(crond_t) 
     133 
    131134corecmd_exec_shell(crond_t) 
    132135corecmd_list_bin(crond_t) 
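Review bot: the comment on line 131 says unix_update is 'needed by anacron' but not why; auth_domtrans_upd_passwd lets crond_t transition to the shadow-updating helper, a notable widening for a daemon that runs unattended jobs, so the comment should name the trigger (for example the PAM stack that anacron's jobs pass through, if that is what produced the denial) so a later reviewer can judge whether the transition is still required. If the denial came from anacron alone and anacron runs in a domain other than crond_t in this policy, grant the transition to that domain instead.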
     
    226229allow system_crond_t self:fifo_file rw_fifo_file_perms; 
    227230allow system_crond_t self:passwd rootok; 
     231 
     232# This allows anacron to create pid files 
     233allow system_crond_t crond_var_run_t:file manage_file_perms; 
     234files_pid_filetrans(system_crond_t,crond_var_run_t,file) 
    228235 
    229236# This is to handle creation of files in /var/log directory. 
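Review bot: line 233 grants manage_file_perms (create, write, rename, link, unlink and more) on crond_var_run_t to system_crond_t, while the comment on line 232 only asks for pid-file creation; if anacron just needs to create, write and remove its pid file, the narrower create_file_perms plus rw_file_perms and delete_file_perms expresses that, or use the refpolicy `manage_files_pattern(system_crond_t, crond_var_run_t, crond_var_run_t)` form with a comment on why the full set is wanted. Naming the pid file path in the comment would also let the rule be tied back to the original denial.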
  • trunk/RHEL5.2/refpolicy/src/selinux-policy-clip/policy/modules/services/ssh.if

    r230 r238  
    483483        corenet_tcp_connect_generic_port($1_t) 
    484484        corenet_sendrecv_ssh_server_packets($1_t) 
     485         
     486        # allow ssh to bind to 0.0.0.0  
     487        corenet_tcp_bind_inaddr_any_node($1_t) 
    485488 
    486489        fs_dontaudit_getattr_all_fs($1_t)
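Review bot: line 485 is a whitespace-only line and line 486 carries trailing whitespace; trim both. On the rule itself, line 487 sits inside a template (the $1_t parameter), so corenet_tcp_bind_inaddr_any_node applies to every server domain instantiated from it, not only the primary sshd domain; if the intent is just to let sshd listen on the wildcard address, say so in the comment and confirm that each domain built from this template should be able to bind to 0.0.0.0 as well.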