Installation Guide

Installation Guide

LinSec team accepts no responsibility whatsoever for any disasterous events that may occur during LinSec installation or operation.

LinSec installation can be roughly divided into three distinct steps: kernel patching & compilation, tools compilation & installation and LinSec configuration.

Kernel patching & compilation
Download your favourite kernel source from your preffered kernel repository and uncompress it into designated directory.

Download LinSec kernel patch and uncompress it.

Patch the uncompressed kernel from the top level kernel dir (eg. cd /usr/src/linux):

patch -p1 < /path_to_linsec_patch/linsec-a.b.c-ea-x.y.z.patch

This will produce the listing of modified kernel source files, if some of the hunks fail than your LinSec patch probably does not match the kernel version you are using or you have already patched the kernel with another, unsupported patch.

Configure your kernel. You need to say yes to:

CONFIG_EXPERIMENTAL,
CONFIG_EXT2_FS_XATTR (if using ext2 fs),
CONFIG_EXT2_FS_XATTR_SHARING (if using ext2 fs),
CONFIG_EXT2_FS_XATTR_USER (if using ext2 fs),
CONFIG_EXT3_FS_XATTR (if using ext3 fs),
CONFIG_EXT3_FS_XATTR_SHARING (if using ext3 fs),
CONFIG_EXT3_FS_XATTR_USER (if using ext3 fs),
CONFIG_LINSEC,
CONFIG_LINSEC_SETUP.

Compile the newly configured kernel.

Install the image using your favorite bootloader. Make sure that you retain your old image, just in case…

Reboot the system, on bootloader prompt type:

linsec=off

this shall boot your new kernel but will turn all LinSec security checks off as we still have not configured the system properly. Ignore all LinSec error messages at this stage.

N.B. whenever you need linsec mechanisms turned off use the above boot parameter.

Tools compilation & installation
Download ea utilities from http://acl.bestbits.at (you will need e2fsprogs, libattr and attr).

Install ea utils as explained in the documentation on http://acl.bestbits.at.

Download LinSec tools package.

Unpack and compile LinSec tools as explained in README included in the package.

LinSec configuration
This is the trickiest part of the installation process. Sample configuration can be found here. It represents working LinSec configuration on a Slackware 8.1 system running these services.

To understand this process and problems you may encounter that depend on your Linux configuration you MUST read the basic parts of the documentation that can be found here.

First, start with the capabilities configuration:

create /etc/linsec directory where LinSec shall store its configuration files.

run lspasswd to set the administrative password for LinSec lsenable tool (the use of which will be explained later on).

use capadm -B to create global bounding capability set with the following capabilities included.

create the default capability group 0 with capadm -G -c.

use capadm capability to create LinSec user structure and assign permissions to root user (capadm -U switch) as defined in this sample.

now, the most daunting task, you need to set capabilities for various programs. The most basic list of the binaries you need to address and the contents of the respective capability sets for each of them can be found here (use capadm -F).

finally, in your last executing boot script (eg. rc.local), as the last line, enter:

echo “1” > /proc/linsec/boot

this is to indicate that the boot phase is over and that the system is in a sealed mode where all the security checks take place.

Now, the Filesystem Access Domain configuration:

To configure Filesystem Access Domain groups and their members please follow the instructions and the sample listing given here.

Finally, configure user access domains. This example shows the configuration for the root user.

Exact commands for creating this testing environment… click!

What you have now is a fully configured basic system (as in our test case, probably not fully configured as you need it but still working!). Remember that after you have rebooted the machine, you may log in as root (or as some other user that you have made proper configuration for), and you may also use the administrative tools to amend (extend) your configuration.

YOU MAY NOW REBOOT YOUR MACHINE 🙂

If anything goes wrong (except for kernel panics) it means that you have not given all the programs adequate permissions to perform required operations. If the machine still boots and you get the login prompt use the tools to extend the LinSec configuration for the problematic program. Otherwise boot the system with linsec=off parameter and try to amend the configuration. If you are still absolutely clueless and nothing is working shout at the mailing list and someone will certainly try to help.

Few important points to remember:

You must use lsenable to be able to use other tools once the system is booted with LinSec enabled (ie without the linsec=off boot parameter).

If the system starts complaining about lack of permissions for accessing some files and you are still unsure what the problem is, put / and other mount points in the default (0) fs access domain group. This will enable all of your programs to access any file.

If you are completely lost, boot the system with the linsec=off parameter and try to figure out what the problem is.

LinSec messages obtainable through dmesg tool should provide adequate trace to any problem.

Use the mailing list and read the documentation!