$Id: INSTALL,v 1.12 2002/02/10 00:29:46 jmorris Exp $

Installation Instructions for Selopt 0.08.

REQUIREMENTS

  - SELinux release 2002011718, with the lsm-2.5 patched kernel.
  
    The SELinux code is available from http://www.nsa.gov/selinux/
    
  - Probably a recent Red Hat distribution; this has not been tested yet
    on anything other than RH 6.1, 6.2 and 7.2.  If you get this working
    under another distribution, please let me know.
    
  - Previous experience installing SELinux is assumed.  You should
    probably start with a plain SELinux installation first, verifying
    that it works, before attempting to install selopt.

  - A familiarity with the selopt labeling model.  See the README file
    for pointers to further documentation.
    
INSTRUCTIONS

Summary: Build and install a selopt enabled kernel, then install the
         userspace components.

   1. Start with the SELinux README file, at the "STEP-BY-STEP BUILDING AND
      INSTALLING" section.  Run 'make insert' under "BUILDING" as per normal,
      so that the kernel is ready to be built.
  
   2. This archive must be unpacked under the 'selinux' directory alongside the
      other SELinux components such as 'setfiles' and 'utils', so that the
      kernel tree is '../../lsm-2.5'.
     
        [ from the 'selinux' directory: ]
       
        tar -xzvf selopt-0.08.tar.gz
        ln -svf selopt-0.08 selopt
  
   3. Next, apply the selopt kernel patch:
  
        cd ../lsm-2.5
        patch -p1 < ../selinux/selopt/patches/patch-kernel-lsm-2.5.txt

   4. Go back to the SELinux README file and follow the instructions for
      building the kernel.  When running menuconfig, you will also need
      to select Labeled IP Networking Support and CIPSO/FIPS-188 IP Options.
     
      Note that you will need to ensure that the SELinux Development Module
      option is enabled, as the selopt userspace components do not yet have
      policy configurations.
     
   5. Once the kernel is built, install it per the SELinux documentation
      and reboot.  With this release of selopt, you will not need to update
      any other SELinux components.
     
      You should see the following kernel message when booting:
     
        SELinux: NSID API initialized
       
   6. If the labeling option was built statically into the kernel,
      you should also see:
     
        SELinux: CIPSO/FIPS-188 IP labeling initialized 
    
   7. Build the selopt userspace components:

        cd selopt
        make install

   8. If the labeling code was built as a module, load it:
  
        modprobe selopt
        
      Then check for the same kernel message as described in (6).
        
   9. Start the security context mapping daemon in debug mode and observe
      syslog (typically /var/log/secure and /var/log/messages).

        scmpd -d

  10. Add an entry to the kernel perimeter table:
	
        pt add 10.1.2.2

      Note that all outgoing packets to this entry will be labeled, and
      all packets arriving from it will need to be labeled.
   	
  11. To test labeling between two hosts, add each into the other's perimeter
      table and ensure that scmpd is running at each end.  Try
      'ping -c 1 otherhost' and observe syslog messages.  To view the kernel
      mapping cache, type:

        ct dump
	
  12. Network performance between two peers within the same security perimeter
      will be slow due to per-packet debugging in the kernel module.  This can
      be disabled by undefining DEBUG_LABELING in
      security/selinux/include/linux/flask/selopt.h
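
A check for the boot messages quoted in steps 5, 6 and 8, as an added example
that is not part of the selopt distribution.  The function name, its state
names and the sample log line are assumptions made for illustration; the two
message strings are the ones given above.

```shell
#!/bin/sh
# Added example (not shipped with selopt): classify a saved kernel log
# against the messages quoted in steps 5, 6 and 8.

NSID_MSG='SELinux: NSID API initialized'
CIPSO_MSG='SELinux: CIPSO/FIPS-188 IP labeling initialized'

# selopt_boot_state LOGFILE
#   prints one hypothetical state name and returns 0 only when labeling is up:
#     labeling-ready  both messages present (static build, or module loaded)
#     load-module     NSID API present, labeling message absent (step 8)
#     no-nsid         NSID message absent: not the selopt-patched kernel,
#                     or the message is no longer in the saved log
#     unreadable      LOGFILE cannot be read
selopt_boot_state() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "unreadable"
        return 2
    fi
    # -F: match the messages as fixed strings, not regular expressions.
    if ! grep -qF -- "$NSID_MSG" "$log"; then
        echo "no-nsid"
        return 1
    fi
    if grep -qF -- "$CIPSO_MSG" "$log"; then
        echo "labeling-ready"
        return 0
    fi
    echo "load-module"
    return 1
}

# Constructed sample: labeling built as a module, before 'modprobe selopt'.
sample=$(mktemp)
printf '%s\n' 'kernel: SELinux: NSID API initialized' > "$sample"
selopt_boot_state "$sample" || true
rm -f "$sample"
```

To use it on a running system, save the kernel log first (for example
'dmesg > /tmp/kernel.log') and pass that path to selopt_boot_state.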

CAVEATS

This is an unstable development snapshot, does not yet provide any actual
security, and should not be used for purposes other than development.


CONTACT

James Morris <jmorris@intercode.com.au>


URL

http://www.intercode.com.au/jmorris/selopt/




