UML & SELinux

This information is now completely our of date!

SELinux Guest

Running SELinux on the guest is quite easy if the distribution used supports it out of the box.
We provide an image based on the Gentoo 2005.1 SELinux profile, which can be used using a kernel with SELinux enabled (all of these kernels do).

SELinux Host

SELinux can be used to lock down UML instances, controlling precisely which resources the instances are allowed to use and preventing a compromised instance from being used to get through to the host. (especially if you intend to run a honeypot instance)

Layout

These policy files assume the following layout is adopted. (the names and location of these files can be changed in the uml.fc file)

Instance Root

Multiple instances can be installed in /uml/uml-*/. (the use of this suffix throughout can be used to help identify users and processes)
Obviously the filesystem must support SELinux security labels.

Limitations

The instructions below do not yet cover the policies for creating and maintaining the filesystem images directories and scripts.
The restrictions do not cover too much in terms of networking restrictions, since the networking configuration is not covered here. Typically the instance will be connected to the internet (or not) through a bridge or through iptables forwarding (and masquerading) which can be used for filtering (iptables and ebtables).

Access rights

Each instance runs under its own user, with minimum access privileges.
Instances also run chrooted (security in layers).

Startup Script

Each instance is started using a script named start.sh stored in the root.
This script will be responsible for setting up the environment and starting the kernel.
For example: setting up the network, starting the kernel with screen (so we can re-attach to the console), call chroot and su to isolate the running instance, change the priority of the process, start the fake /proc support, mounting /proc/mm (for skas support), notifying the administrator, etc.
Sample script here

Contents of the chroot

The chroot contains the bare minimum required for starting the instance:

A kernel named kernel-* (the suffix is be useful for identifying running instances in the process list)
/dev/net/tun device for networking.
/etc skeleton only.
/bin can be left mostly empty - su is required to change user unless you use compartment instead of chroot.
/lib containing the libraries required by the binaries: none if the kernel is statically linked - except when using the pcap transport which requires some network libraries.
/uml contains the most important files: the startup script which runs the kernel command line and the filesystem image (some images are available here).
/tmp just needs enough space to back the guest's ram (preferably tmpfs)
/proc can be left empty

Explore this tree for more details.

The policy files

And finally, here are the files:

um.te: UML Type Enforcement file
um.fc: UML File Contexts

These files need to be placed in the SELinux source directory (ie: /etc/selinux): domains/programs and file_contexts/programs/ respectively.
Ensure that the policy is rebuilt and reloaded, then the files need to be relabelled: restorecon -R /uml/uml-*.

Run!

Once all the files are in place and labelled, just run the start.sh script.