This information is now completely our of date!
Running SELinux on the guest is quite easy if the distribution used supports it out of the box.
We provide an image based on the Gentoo 2005.1 SELinux profile,
which can be used using a kernel with SELinux enabled (all of these kernels do).
SELinux can be used to lock down UML instances,
controlling precisely which resources the instances are allowed to use and preventing a compromised instance
from being used to get through to the host.
(especially if you intend to run a honeypot instance)
These policy files assume the following layout is adopted.
(the names and location of these files can be changed in the
Multiple instances can be installed in
(the use of this suffix throughout can be used to help identify users and processes)
Obviously the filesystem must support SELinux security labels.
The instructions below do not yet cover the policies for creating and maintaining the filesystem images
directories and scripts.
The restrictions do not cover too much in terms of networking restrictions, since the networking configuration
is not covered here. Typically the instance will be connected to the internet (or not) through a bridge
or through iptables forwarding (and masquerading) which can be used for filtering (iptables and ebtables).
Each instance runs under its own user, with minimum access privileges.
Instances also run chrooted (security in layers).
Each instance is started using a script named
start.sh stored in the root.
This script will be responsible for setting up the environment and starting the kernel.
For example: setting up the network, starting the kernel with screen (so we can re-attach to the console),
call chroot and su to isolate the running instance, change the priority of the process,
start the fake /proc support, mounting /proc/mm (for skas support), notifying the administrator, etc.
Sample script here
Contents of the chroot
The chroot contains the bare minimum required for starting the instance:
Explore this tree for more details.
- A kernel named kernel-* (the suffix is be useful for identifying running instances in the
- /dev/net/tun device for networking.
- /etc skeleton only.
- /bin can be left mostly empty -
su is required to change user
unless you use compartment instead of chroot.
- /lib containing the libraries required by the binaries:
none if the kernel is statically linked - except when using the pcap transport which requires some network libraries.
- /uml contains the most important files:
the startup script which runs the kernel command line
and the filesystem image (some images are available here).
- /tmp just needs enough space to back the guest's ram (preferably tmpfs)
- /proc can be left empty
The policy files
And finally, here are the files:
These files need to be placed in the SELinux source directory (ie:
um.te: UML Type Enforcement file
um.fc: UML File Contexts
Ensure that the policy is rebuilt and reloaded, then the files need to be relabelled:
restorecon -R /uml/uml-*.
Once all the files are in place and labelled,
just run the start.sh script.