Changeset 239

Show
Ignore:
Timestamp:
08/15/08 14:15:10 (3 months ago)
Author:
slawrence
Message:

Revert back to using cracklib for password control
Fix typo in tallylog3 installation location
Update INSTALL instructions
Update policy version number
Add pam and cracklib patch to the tree
Update build instructions with packages needed to build pam

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • trunk/RHEL5.2/INSTALL

    r238 r239  
    4444The installation of RHEL 5.2 CLIP packages needs to occur in two phases, the second of which requires setting SELinux's enforcing mode to permissive. 
    4545 
    46 First, install the CLIP RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2: 
     46First, install the PAM RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. This rpm includes a patched cracklib module that allows password restrictions to be applied to the root user. 
    4747 
    48         # rpm -ivh --force clip-2.0-1.$ARCH.rpm 
     48        rpm -Uvh --force pam-0.99.6.2-3.27.$ARCH.rpm 
    4949 
    50 The --force option is needed because a package installed in this step will overwrite files already installed by another package. During this step, some system configuration files will be backed up and replaced by files provided by CLIP. 
     50Next, install the CLIP RPM for your architecture found in the Userland Packages section of http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2: 
    5151 
    52 CLIP distributes an optionally installed IPTables package update that supports per packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The IPTables package is available at http://oss.tresys.com/projects/clip/wiki/DownloadRelease#RHEL5.2. 
     52        rpm -ivh --force clip-2.0-1.$ARCH.rpm 
     53 
     54The --force option is needed because a package installed in this step will overwrite files already installed by another package. 
     55 
     56CLIP distributes an optionally installed IPTables package update that supports per packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The IPTables package is available at [wiki:DownloadRelease#RHEL5.1 DownloadRelease] 
    5357 
    5458To use the update first install the rpm: 
    5559 
    56         # rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm 
     60        rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm 
    5761 
    5862After installing the rpm you must turn off the compat_net option that is enabled by the clip kickstart file. You can enable this at runtime by using the command 
    5963 
    60         # echo "0" > /selinux/compat_net 
     64        echo "0" > /selinux/compat_net 
    6165 
    6266In order to make this change persistent across reboots edit the file /boot/grub/grub.conf and set selinux_compat_net=0 
     
    6468Finally packets can be labeled using rules such as: 
    6569 
    66         # iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0  
    67         # iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore  
     70        iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0  
     71        iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore  
    6872 
    6973The first rule will label all tcp packets received on port 21 system_u:object_r:ftp_client_packet_t:s0. The second rule ensures that all further packets that are part of initial connection will keep that label. All rules must be added to the mangle table. If a rule has an invalid context IPTables will return a very bad error code that is not descriptive. This problem exists because of the way that IPTables returns errors and was not easily solvable as part of our back port. 
     
    7175Now download the updated SELinux toolchain and policy RPMs found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode: 
    7276 
    73         # setenforce 0 
    74         # rpm -Uvh libsepol-1.16.14-1.$ARCH.rpm 
    75         # rpm -Uvh --force libselinux-1.34.15-1.$ARCH.rpm 
    76         # rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm 
    77         # rpm -Uvh libsemanage-1.10.9-1.$ARCH.rpm 
    78         # rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm 
    79         # rpm -Uvh policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm 
    80         # rpm -ivh selinux-policy-clip-2.0-3.noarch.rpm 
     77        setenforce 0 
     78        rpm -Uvh libsepol-1.16.14-1.$ARCH.rpm 
     79        rpm -Uvh --force libselinux-1.34.15-1.$ARCH.rpm 
     80        rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm 
     81        rpm -Uvh libsemanage-1.10.9-1.$ARCH.rpm 
     82        rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm 
     83        rpm -Uvh policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm 
     84        rpm -ivh selinux-policy-clip-3.0-1.noarch.rpm 
    8185 
    8286Note: Because the selinux-policy-clip rpm makes changes to class definitions, the policy will fail to load after installation.  A reboot is require before the policy will load. 
    8387 
    84         # reboot 
     88        reboot 
    8589 
    8690After rebooting, login to the system with the 'clipuser' account and password. 

  • trunk/RHEL5.2/README

    r238 r239  
    88 
    99        - audit-libs-devel 
     10        - autoconf 
     11        - automake 
    1012        - bison 
    1113        - byacc 
     14        - docbook-style-xsl 
    1215        - flex 
    1316        - gcc 
    1417        - libcap-devel 
     18        - libtool 
     19        - linuxdoc-tools 
    1520        - pam-devel 
    1621        - python-devel 
     
    1823        - subversion 
    1924        - swig 
     25        - w3m 
    2026 
    2127        To have yum install the packages from the RHEL5.2 installation cd, perform  

  • trunk/RHEL5.2/RPM/clip.spec

    r238 r239  
    4141/%{_lib}/security/pam_tally3.so 
    4242/usr/share/doc/pam_tally3 
    43 /var/log/tally
     43/var/log/tallylog
    4444/sbin/pam_tally3 
    4545/usr/sbin/xar 

  • trunk/RHEL5.2/conf/pam/system-auth.pam

    r217 r239  
    1414account     required      pam_permit.so 
    1515 
    16 password    required      pam_passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3 
     16password    required      pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 enforce_root 
    1717password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12 
    1818password    required      pam_deny.so 

  • trunk/RHEL5.2/kickstart/clip.ks

    r233 r239  
    382382account     required      pam_permit.so 
    383383 
    384 password    required      pam_passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3 
     384password    required      pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 
    385385password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12 
    386386password    required      pam_deny.so 

  • trunk/RHEL5.2/pam_tally3/Makefile

    r238 r239  
    4141        install -s -m755 $(APP) $(DESTDIR)$(SBIN) 
    4242        install  -m644 doc/* $(DESTDIR)$(DOC) 
    43         touch $(DESTDIR)$(LOG)/tally
    44         chmod 640 $(DESTDIR)$(LOG)/tally
     43        touch $(DESTDIR)$(LOG)/tallylog
     44        chmod 640 $(DESTDIR)$(LOG)/tallylog
    4545 
    4646installx86_64: 
     
    5252        install -s -m755 $(APP) $(DESTDIR)$(SBIN) 
    5353        install  -m644 doc/* $(DESTDIR)$(DOC) 
    54         touch $(DESTDIR)$(LOG)/tally
    55         chmod 640 $(DESTDIR)$(LOG)/tally
     54        touch $(DESTDIR)$(LOG)/tallylog
     55        chmod 640 $(DESTDIR)$(LOG)/tallylog

  • trunk/RHEL5.2/refpolicy/build/Makefile

    r183 r239  
    2323# This is the version number of the RPM that will be  
    2424# generated.  Typically you bump this for delivery. 
    25 VERSION ?= 2.0 
     25VERSION ?= 3.0 
    2626 
    2727# bump this if creating multiple releases from the same  
    2828# version (think about this... why are you doing this?) 
    29 RELEASE ?= 3 
     29RELEASE ?= 1  
    3030 
    3131# The name of the Vendor 

  • trunk/RHEL5.2/refpolicy/src/selinux-policy-clip/support/selinux-relabel

    r237 r239  
    117117                                do_relabel $i 
    118118                        done 
    119                         rm -f $statusfile $switchfile 
     119                        #rm -f $statusfile $switchfile 
    120120                fi 
    121121        fi 
     122         
     123        #remove ourseleves from startup 
     124        chkconfig --del selinux-relabel 2>/dev/null 
     125 
    122126        rm -f $lockfile 
    123127} 

  • trunk/RHEL5.2/scripts/stig-fix/cat2/gen000460.sh

    r217 r239  
    2424account     required      pam_permit.so 
    2525 
    26 password    required      pam_passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3 
     26password    required      pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 
    2727password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12 
    2828password    required      pam_deny.so