$Id: INSTALL,v 1.9 2001/12/12 08:02:30 jmorris Exp $

Installation Instructions for Selopt 0.06.

REQUIREMENTS

  - SELinux release 2001121010 with the selinux_file_send_sigiotask patch.
  
    The SELinux code is available from http://www.nsa.gov/selinux/
    
    The additional patch was posted to the SELinux mailing list, and is
    archived at http://marc.theaimsgroup.com/?l=selinux&m=100808452800605&w=2
    
    Note that this code has only been tested with the 2.4 version of LSM.
    
  - Probably a recent Red Hat distribution; this has not been tested yet
    on anything other than RH 6.1, 6.2 and 7.2.  If you get this working
    under another distribution, please let me know.
    
  - Previous experience installing SELinux is assumed.  You should
    probably start with a plain SELinux installation first, verifying
    that it works, before attempting to install selopt.

  - A familiarity with the selopt labeling model, an overview of which is
    provided in the README file.  More detailed documentation is expected
    to be provided in future releases.
    
INSTRUCTIONS

Summary: Build and install a selopt-enabled kernel, then install the
         userspace components.

   1. Start with the SELinux README file, at the "STEP-BY-STEP BUILDING AND
      INSTALLING" section.  Make 'insert' under "BUILDING" as per normal, so
      that the kernel is ready to be built.  For this release, you will also
      then need to apply the sigiotask patch mentioned above.
  
   2. This archive must be unpacked under the 'selinux' directory alongside the
      other SELinux components such as 'setfiles' and 'utils', so that the
      kernel tree is '../../lsm'.
     
        [ from the 'selinux' directory: ]
       
        tar -xzvf selopt-0.06.tar.gz
        ln -svf selopt-0.06 selopt
  
   3. Next, apply the selopt kernel patch:
  
        cd ../lsm
        patch -p1 < ../selinux/selopt/patches/diff-kernel.txt

   4. Go back to the SELinux README file and follow the instructions for
      building the kernel.  When running menuconfig, you will also need
      to select Labeled IP Networking Support and CIPSO/FIPS188 IP Options.
     
      Note that you will need to ensure that the SELinux Development Module
      option is enabled, as the selopt userspace components do not yet have
      policy configurations.
     
   5. Once the kernel is built, install it per the SELinux documentation
      and reboot.  With this release of selopt, you will not need to update
      any other SELinux components.
     
      You should see the following kernel message when booting:
     
        SELinux: NSID API initialized
       
   6. If the labeling option was built statically into the kernel,
      you should also see:
     
        SELinux: CIPSO/FIPS188 IP labeling initialized 
    
   7. Build the selopt userspace components:

        cd selopt
        make install

   8. If the labeling code was built as a module, load it:
  
        modprobe selopt
        
      Then check for the same kernel message as described in (6).
        
   9. Start the security context mapping daemon in debug mode and observe
      syslog (typically /var/log/secure and /var/log/messages).

        scmpd -d

  10. Add an entry to the kernel perimeter table:
	
        pt add 10.1.2.2

      Note that all outgoing packets to this entry will be labeled, and
      all packets arriving from it will need to be labeled.
   	
  11. To test labeling between two hosts, add each into the other's perimeter
      table and ensure that scmpd is running at each end.  Try a
      'ping -c 1 otherhost' and observe syslog messages.  To view the kernel
      mapping cache, type:

        ct dump
	
  12. Network performance between two peers within the same security perimeter
      will be slow due to per-packet debugging in the kernel module.  This can
      be disabled by undefining DEBUG_LABELING in
      security/selinux/include/linux/flask/selopt.h
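
The kernel message checks in steps 5, 6 and 8 can be scripted.  The following
is an added example, not part of the selopt distribution: the two message
strings are quoted from this file, while the function names, state words and
sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the selopt distribution.
# The two message strings are quoted from steps 5 and 6 of this file;
# function names, state words and the sample log lines are constructed.

NSID_MSG='SELinux: NSID API initialized'
LABEL_MSG='SELinux: CIPSO/FIPS188 IP labeling initialized'

# Read kernel log text on stdin and print one state word:
#   ready        both messages present
#   no-labeling  NSID API up, labeling message absent
#   no-nsid      NSID message absent
selopt_boot_state() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -F -q -e "$NSID_MSG"; then
        echo no-nsid
    elif printf '%s\n' "$log" | grep -F -q -e "$LABEL_MSG"; then
        echo ready
    else
        echo no-labeling
    fi
}

# Map a state word to the part of this file to return to.
selopt_next_step() {
    case "$1" in
        ready)       echo "labeling initialized; continue with userspace steps" ;;
        no-labeling) echo "if built as a module, run 'modprobe selopt' (step 8)" ;;
        no-nsid)     echo "not a selopt kernel; revisit steps 1-5" ;;
        *)           echo "unknown state: $1" ;;
    esac
}

# Constructed sample log excerpts (syslog-style prefixes are illustrative).
SAMPLE_STATIC='Dec 12 08:00:01 hosta kernel: SELinux: NSID API initialized
Dec 12 08:00:01 hosta kernel: SELinux: CIPSO/FIPS188 IP labeling initialized'
SAMPLE_MODULE='Dec 12 08:00:01 hosta kernel: SELinux: NSID API initialized'
SAMPLE_PLAIN='Dec 12 08:00:01 hosta kernel: VFS: Mounted root (ext2 filesystem).'

# Demo: classify each constructed sample and print the suggested next step.
for sample in "$SAMPLE_STATIC" "$SAMPLE_MODULE" "$SAMPLE_PLAIN"; do
    state=$(printf '%s\n' "$sample" | selopt_boot_state)
    printf '%s: %s\n' "$state" "$(selopt_next_step "$state")"
done
```

On a running system, pipe the output of dmesg into selopt_boot_state in place
of the constructed samples.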
  
CAVEATS

This is an unstable development snapshot, does not yet provide any actual
security, and should not be used for purposes other than development.


CONTACT

James Morris <jmorris@intercode.com.au>


URL

http://www.intercode.com.au/jmorris/selopt/




