[DSE-User] How to add SELinux to Debian Live?

adrian15 adrian15sgd at gmail.com
Sat Oct 17 13:02:58 UTC 2015


(Sorry if some pieces explained here seem too obvious for SELinux or 
Debian users. I am recycling a former email sent to a non-Debian-Live 
person.)

1) Introduction

1.1) I develop Rescatux ( http://www.supergrubdisk.org/rescatux/ ), which 
is a live CD aimed at rescue tasks.
1.2) Rescatux is based on Debian Live ( http://live.debian.net/ ).
1.3) Debian Jessie (the current Debian stable version) supports SELinux if 
you install some packages from sid (the Debian unstable branch). What I mean 
by "supports SELinux" is that you can use it from a Debian installation.

2) SELinux permission problems on Fedora / CentOS / RHEL systems.

Rescatux has many options for interacting, from itself (as a Debian Live 
CD), with installed systems.
E.g. you can change the root password easily.

This operation involves modifying the /etc/shadow file.

As Rescatux does not currently support SELinux, /etc/shadow loses its 
default SELinux permissions.

As you might know, the consequence is that if you did that on a Fedora 
installation in SELinux enforcing mode, the next time you try to log in to 
your system as root (and actually as other users too) it will fail. 
Why? Because SELinux refuses to let whatever library handles login read the 
/etc/shadow file.

3) As Rescatux is a Debian Live-based system, I want to add SELinux 
support to Debian Live in order to have SELinux support in Rescatux and 
avoid these problems.

The final target is to have SELinux support and then change the SELinux 
policy to the chrooted system's one. As mjg59 suggested in the fedora-devel 
chat, it's just a matter of running: semodule -R (inside the chroot, I guess), 
which does it.

4) What have I done so far?

4.1) I have added Debian SELinux packages
(
+ libapol4 \
+ libqpol1 \
+ policycoreutils \
+ python-ipy \
+ python-selinux \
+ python-semanage \
+ python-sepolgen \
+ python-sepolicy \
+ python-setools \
+ selinux-utils \
+ selinux-basics \
+ auditd \
)
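Review bot: the list installs the SELinux tooling but not the policy package itself; the file_contexts path used in step 4.3.1 (/etc/selinux/default/contexts/files/file_contexts) is shipped by selinux-policy-default on Debian, so unless one of the listed packages depends on it, it should be added here explicitly so that the chroot actually carries a policy to load and to label against. Consider also whether all of these belong in the binary part as well as the chroot: the binary part is the ISO filesystem, and the labelling and policy loading happen inside the squashfs root.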

to both the binary and the chroot part of Debian Live (binary is what goes 
into the final ISO itself and chroot is what's inside the squashfs).

4.2) When I boot from Rescatux I add these parameters to the kernel boot 
command line: selinux=1 enforcing=0 .

4.3) I have also modified Debian Live to enforce SELinux. (Not fully 
successfully, but I have done it.)

(This is where I got inspiration from Fedora's livecd-tools 
(https://github.com/rhinstaller/livecd-tools) 
(https://github.com/rhinstaller/livecd-tools/blob/master/imgcreate/creator.py).)

4.3.1) Make sure the directory which is going to be converted into SELinux 
has SELinux permissions, thanks to:

+                               setfiles -F -r chroot 
/etc/selinux/default/contexts/files/file_contexts chroot
+                               chcon -u system_u chroot/proc
+                               chcon -u system_u chroot/sys
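Review bot: the file_contexts argument on the setfiles line is the build host's copy (/etc/selinux/default/contexts/files/file_contexts), not the chroot's. The host running live-build need not have selinux-policy-default installed at all, and even when it does, the labels written must agree with the policy the live system will load, which is the one inside the chroot. Point setfiles at chroot/etc/selinux/default/contexts/files/file_contexts instead; the `-r chroot` option already strips the prefix so the regexes match the paths as the live system will see them. Also worth a short comment: `-F` forces a relabel of every file regardless of its current context, which is what you want for a freshly built tree.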

4.3.2) Make sure mksquashfs puts the SELinux permissions into the 
big squashfs file (I have checked, and it's true that they are there).

+               MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -xattrs"
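Review bot: `-xattrs` only makes mksquashfs store the security.selinux xattrs in the image, and the check described in 4.3.2 confirms the image side only. For the labels to be visible at runtime the live kernel must also have squashfs xattr support (CONFIG_SQUASHFS_XATTR), so verify that side too, e.g. with `getfattr -n security.selinux` on a file under the mounted squashfs from the booted system, before concluding that the labels are missing rather than merely not exposed.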

5) So, well, the problem is that after all these changes Rescatux 
refuses to boot in SELinux mode, thus I cannot load any policy manually, 
and thus the SELinux permission problems persist.

6) What am I missing?

Is there anything about how livecd-tools prepares the live CD that I am 
missing?
Something that has to be inside the initrd that does not come by default 
in Debian's or Debian Live's initrds?

Thank you very much for any insight you might have.

7) Annex A. Rescatux updates:

Jessie branch: http://sourceforge.net/p/rescatux/git/ci/jessie/tree/
Commit: 9f74111d7c5222a739054af1900784481f6496c3

8) Annex B. Debian Live update:

tmp-selinux branch: https://github.com/adrian15/live-build/tree/tmp-selinux
Commit: 42a8f50690be1153285dc8841ec532ac2281e27d


adrian15
-- 
Support free software. Donate to Super Grub Disk. Apoya el software 
libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/donate/
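As an added example (not code from Rescatux, live-build or the Debian SELinux packages), the following Python models the decision behind step 4.3.1 and the /etc/shadow problem described in section 2: given a file_contexts file, which context should a path carry, and does the label actually stored on disk match it. The file_contexts entries, their contexts and all helper names are constructed for the example; on a real system `setfiles -F -r chroot` does this with the full policy's rules.

```python
"""Added example: a minimal model of what setfiles/matchpathcon decide when
labelling a chroot, plus a check of the label stored on disk."""
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in file_contexts(5) format: regex, optional inode-type
# flag, context. Modelled on refpolicy-style rules; contexts are illustrative.
SAMPLE_FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t:s0
/etc(/.*)?                   system_u:object_r:etc_t:s0
/etc/shadow.*        --      system_u:object_r:shadow_t:s0
/etc/gshadow.*       --      system_u:object_r:shadow_t:s0
/proc                -d      <<none>>
/usr/bin(/.*)?               system_u:object_r:bin_t:s0
/usr/bin/passwd      --      system_u:object_r:passwd_exec_t:s0
"""

# Inode-type flags used in file_contexts; "--" means a regular file.
FILE_TYPES = {"--": "reg", "-d": "dir", "-l": "lnk", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]      # None: applies to any inode type
    context: Optional[str]    # None: <<none>>, i.e. leave unlabelled


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines, keeping file order (it matters below)."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            pattern, ftype, ctx = fields[0], FILE_TYPES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every pattern to the whole path; fullmatch() below
        # does the same (Python re is close enough to PCRE for these rules).
        specs.append(Spec(re.compile(pattern), ftype,
                          None if ctx == "<<none>>" else ctx))
    return specs


def expected_context(specs: List[Spec], path: str, ftype: str = "reg") -> Optional[str]:
    """Context the policy assigns to `path` as seen inside the target system
    (no chroot prefix), or None for no label. As in libselinux, when several
    entries match, the LAST one in the file wins: that is why `/.*` comes
    first and the specific rules later."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def inode_type(path: str) -> str:
    mode = os.lstat(path).st_mode
    for name, test in (("dir", stat.S_ISDIR), ("lnk", stat.S_ISLNK),
                       ("chr", stat.S_ISCHR), ("blk", stat.S_ISBLK),
                       ("sock", stat.S_ISSOCK), ("fifo", stat.S_ISFIFO)):
        if test(mode):
            return name
    return "reg"


def actual_context(path: str) -> Optional[str]:
    """Label stored on disk (security.selinux xattr, symlinks not followed).
    None means unlabelled or no xattr exposed: the state /etc/shadow is left
    in after being rewritten from a live system that ignores SELinux."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode()


def check_chroot_file(chroot: str, rel_path: str,
                      specs: List[Spec]) -> Tuple[Optional[str], Optional[str], bool]:
    """Expected vs. actual label of one file under a chroot, stripping the
    prefix before matching the way `setfiles -r <chroot>` does."""
    full = os.path.join(chroot, rel_path.lstrip("/"))
    exp = expected_context(specs, rel_path, inode_type(full))
    act = actual_context(full)
    return exp, act, exp == act


def restore_label(chroot: str, rel_path: str, specs: List[Spec]) -> bool:
    """Write the expected label back (what `setfiles -F` does). Needs root
    and a filesystem that stores security xattrs; returns False otherwise."""
    exp, _act, ok = check_chroot_file(chroot, rel_path, specs)
    if ok or exp is None:
        return ok
    full = os.path.join(chroot, rel_path.lstrip("/"))
    try:
        # libselinux stores the context with a trailing NUL byte.
        os.setxattr(full, "security.selinux", exp.encode() + b"\0",
                    follow_symlinks=False)
    except (OSError, AttributeError):
        return False
    return True


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"   # chroot to inspect
    rules = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for rel in ("/etc/shadow", "/etc/passwd", "/usr/bin/passwd"):
        try:
            print(rel, check_chroot_file(root, rel, rules))
        except OSError as err:
            print(rel, "skipped:", err)
```

Run it as root with the mounted target's root as the argument to see, for each file, the context the sample rules expect, the context on disk, and whether they agree; an unlabelled /etc/shadow shows up as `None` on the actual side, which is the situation section 2 describes. The inode-type flag matters: the `--` on the shadow rule means a directory called /etc/shadow would fall back to the `/etc(/.*)?` rule, exactly as the real file_contexts semantics require.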