How to make/build/install ?

Robert Watson rwatson at FreeBSD.org
Tue Feb 24 17:05:34 GMT 2004


To follow up, the attached is the install documentation for the SEBSD
CDROM we have previously distributed.  It includes a modified FreeBSD
sysinstall, but following the installation procedure from the first boot
from hard disk should apply to your environment.  I'll look at getting an
ISO image online sometime soon, which should make it a lot easier to
install.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research



Instructions for installing Security-Enhanced BSD

SEBSD ships as a kernel loadable module that loads into a FreeBSD 5.1
kernel supporting the TrustedBSD MAC framework
(http://www.trustedbsd.org/).  The SEBSD installation CD contains a
modified FreeBSD 5.1 distribution and a MAC kernel.  The installation
process installs the FreeBSD operating system, including full source
code and MAC-aware programs.

These instructions assume some familiarity with the FreeBSD operating
system installation, boot loader, kernel configuration, etc.  The
sysinstall installation application used by SEBSD is nearly identical
to the one used by the FreeBSD project.  A custom release was built to
install the SEBSD policy source files and to build a kernel with
TrustedBSD MAC Framework support.  For more detailed information on
the FreeBSD operating system or the installation process, refer to the
FreeBSD handbook available at the project website: http://www.freebsd.org/.

1.  Boot the FreeBSD 5.1-SEBSD installation CD; this CD will install
    the complete operating system, including kernels, user
    applications, and complete source code.  A series of menus will
    prompt the user how to proceed.

	a.  At the main menu, select an installation method;
	    typically, the standard installation is adequate.  The
	    remainder of these instructions assume the standard
	    installation option was selected.

	b.  The next menu displays the disk partition manager.  As
	    long as the installation machine will be dedicated to
	    SEBSD, allow the partition manager to use the entire disk
	    by selecting 'A'.  Select 'Q' to exit the partition
	    manager.  The installation program may print a warning
	    that this creates a dedicated machine.  It will proceed to
	    ask which boot manager to install; select 'BootMgr' to
	    install the normal FreeBSD boot manager on this hard disk.

	c.  The next menu will label the disk to create swap space and
	    individual file systems.  Selecting 'A' will use the
	    default values.  Select 'Q' to proceed to the next menu.

	d.  The next menu selects the distributions to install.  The
	    'Developer' option is recommended.  X Window support is
	    not included on this installation CD, and may be installed
	    later.  Likewise, the optional ports collection is not
	    included on the SEBSD installation CD.

	e.  On the next screen, select CD/DVD from the installation
	    media menu.

	f.  Confirm installation.  WARNING: With the configuration
	    recommended in these instructions, all existing data on
	    the hard disk will be destroyed!

	g.  SEBSD will be installed on the machine.  Once complete,
	    the installation program will ask a series of questions to
	    help configure the new system.  Answer these questions as
	    appropriate.

2.  Reboot the system when prompted.  By default, the system will boot
    the MAC kernel and load the SEBSD security module (with the
    default policy).  The file systems have not yet been labeled, so
    many warnings will be printed to the system console.  If it is
    necessary to boot the generic FreeBSD kernel (without the MAC
    framework), comment out the following lines in /boot/loader.conf:
	kernel="MAC"
	sebsd_load="YES"
    Alternatively, the kernel and modules to load may be selected from
    the FreeBSD boot loader.  Refer to the FreeBSD handbook for more
    information on the boot loader.

4. Inspect the SEBSD policy.  The system comes pre-installed with a
   sample policy, but local changes might be required.  The policy
   source is located in /etc/security/sebsd/policy and the compiled
   (binary) version is installed in /etc/security/sebsd/policy.16 by
   default.  Only the binary version is loaded by the SEBSD module at
   boot time.  An alternate location for the binary policy file may be
   specified at the boot loader or in /boot/loader.conf.

   Since SEBSD uses the same policy language as SELinux, the SELinux
   report titled "Configuring the SELinux Policy" (available at the
   SELinux project web site: http://www.nsa.gov/selinux/) can provide
   additional information.  If you make changes to the policy source,
   you must re-install the modified binary policy:

	cd /etc/security/sebsd/policy && make install

   If changes were made to the policy, the modified version must be
   loaded into the kernel.  The /sbin/sebsd_loadpolicy program can be
   used instead of a reboot:

	/sbin/sebsd_loadpolicy /etc/security/sebsd/policy.16

5. Label the file system.  By default, extended attribute support was
   enabled during the install, but the individual files were not
   labeled. To label all file systems, log in as root and run the
   following command:

	cd /etc/security/sebsd/policy && make relabel

6.  Reboot the machine, so that applications can use the file labels
    and will be started in the correct domains.

At this point, the machine will be running SEBSD with the sample
policy. The sample policy is only an example and must be customized.
Furthermore, the sample policy is not complete, so the system will
print some access control warnings.  By default, the system is
configured in the development mode; in this mode, access control
failures are logged but not enforced.  To toggle between enforcing
mode and development mode, use the security.mac.sebsd.enforcing sysctl
as follows:
    To enable:	 sysctl security.mac.sebsd.enforcing=1
    To disable:	 sysctl security.mac.sebsd.enforcing=0

Note that with the sample policy, only root running in the sysadm_r
role is permitted to toggle the enforcement state.

If you would like the machine to default to enforcing mode at boot
time, you may specify a default value for this sysctl in
/etc/sysctl.conf.  Uncomment the following line at the end of the file:
	security.mac.sebsd.enforcing=1
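
A check of the boot-time settings described in the instructions above, as an added example that is not part of the original post or of the SEBSD distribution.  The function names and state names are made up for illustration; the file paths and setting names are the ones the instructions give.  It assumes that any loader.conf other than kernel="MAC" plus sebsd_load="YES" means SEBSD will not be loaded.

```sh
#!/bin/sh
# Added example: report how a host is configured to come up after reboot,
# based on /boot/loader.conf and /etc/sysctl.conf as described above.
# It reads configuration files only; choices made at the boot loader
# prompt or with sysctl at run time are not visible to it.

# conf_value FILE KEY: print the last uncommented value assigned to KEY.
conf_value() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' "$1" |
    awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = $0
            sub(/^[^=]*=/, "", v)      # drop "KEY="
            sub(/^[ \t"]+/, "", v)     # drop leading blanks and quote
            sub(/[ \t"]+$/, "", v)     # drop trailing blanks and quote
            val = v
        }
        END { if (val != "") print val }'
}

# sebsd_boot_state LOADER_CONF SYSCTL_CONF
# Prints one of:
#   not-loaded   kernel="MAC" or sebsd_load="YES" is absent or commented out
#   development  SEBSD loads; access control failures are logged only
#   enforcing    SEBSD loads and security.mac.sebsd.enforcing=1 is set
sebsd_boot_state() {
    kernel=$(conf_value "$1" kernel)
    load=$(conf_value "$1" sebsd_load)
    enforcing=$(conf_value "$2" security.mac.sebsd.enforcing)
    case "$load" in
        [Yy][Ee][Ss]) load=YES ;;
        *)            load=NO ;;
    esac
    if [ "$kernel" != "MAC" ] || [ "$load" = NO ]; then
        echo not-loaded
    elif [ "$enforcing" = 1 ]; then
        echo enforcing
    else
        echo development
    fi
}

# Defaults are the paths named in the instructions.
sebsd_boot_state "${1:-/boot/loader.conf}" "${2:-/etc/sysctl.conf}"
```

To confirm the running state rather than the configured one, read the security.mac.sebsd.enforcing sysctl on the live system.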

