rprevette edited this page Feb 29, 2016 · 9 revisions

#Getting Started with the Certified Linux Integration Platform

This section provides guidance for installing and configuring the Certified Linux Integration Platform.

##Selecting a CLIP Installation

For a new project, unless other overriding requirements exist, we recommend using the CLIP instance for the latest officially released operating system.


##Installing the CLIP for RHEL 6

Please read Help-Getting-Started.txt in the root of the repository for guidance: http://oss.tresys.com/projects/clip/browser

##Installing the CLIP 3.1.3 RHEL 5.4 or CLIP 3.1.4 RHEL 5.5 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux Server 5.4 (for CLIP 3.1.3) or 5.5 (for CLIP 3.1.4). These CLIP installs require an internet connection so that yum can install packages from the EPEL and Tresys OSS repositories.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.
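The two kickstart edits above, as an added shell example that is not CLIP project code: it uncomments the DHCP network line in a local copy of clip.ks and totals the fixed partition sizes (kickstart sizes are in megabytes) so they can be checked against the target disk before the unattended install starts. The kickstart fragment it writes is constructed for the example; the real clip.ks from DownloadRelease is larger.

```shell
#!/bin/sh
# Added example, not CLIP project code. Prepares a local copy of clip.ks for a
# network-hosted install and sanity-checks the partition table it will apply.

# Write a constructed kickstart fragment to $1 (sample input for the example only).
write_sample_ks() {
    cat > "$1" <<'EOF'
# network --bootproto=dhcp
install
url --url http://someserver/rhel5/
clearpart --all --initlabel
part /boot --fstype ext3 --size=200
part swap --size=2048
part / --fstype ext3 --size=4096
part /var --fstype ext3 --size=1024 --grow
EOF
}

# Uncomment the DHCP line so hostnames resolve during a network install.
# Idempotent: an already active network line is left untouched.
enable_ks_dhcp() {
    sed 's/^#[[:space:]]*\(network --bootproto=dhcp\)/\1/' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# Return 0 if the kickstart has an active (uncommented) network line.
ks_network_active() {
    grep -Eq '^[[:space:]]*network[[:space:]]' "$1"
}

# Sum the --size values of part/logvol lines, in MB. Lines with --grow give a
# minimum size, so they are counted too: the result is the smallest disk that fits.
ks_partition_total_mb() {
    awk '
        /^(part|logvol)[[:space:]]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^--size=[0-9]+$/) { sub(/^--size=/, "", $i); total += $i }
        }
        END { print total + 0 }
    ' "$1"
}
```

Run `enable_ks_dhcp clip.ks` on the local copy before serving it, and compare `ks_partition_total_mb clip.ks` with the size of the install disk; anaconda will stop with a partitioning error otherwise, and on an unattended kickstart install that is easy to miss.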

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.4 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

- or - install directly from the Tresys Technology server via:

boot> linux ks=http://oss.tresys.com/projects/clip/chrome/site/files/clip-3.1.3/clip.ks

Note that this last form fetches the kickstart, whose %post commands run as root during the install, over unauthenticated HTTP from the internet. For anything beyond a test build, download the file, review it, and serve it from a host you control.

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. At the end of the installation you will be prompted to create passwords for the 'root' and 'clipuser' users. Once this is complete, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.

##Set SELinux to Enforcing

To set SELinux to ENFORCING:

su -
vi /etc/selinux/config    # change SELINUX=permissive to SELINUX=enforcing
reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.
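As an added shell example (not CLIP project code) covering the two steps above, the following reads the boot-time mode from a copy of /etc/selinux/config and switches it to enforcing, and compares saved `chkconfig --list` output against the baseline service list so that anything beyond the documented set stands out. The sample config and chkconfig output it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not CLIP project code. Post-install checks for the SELinux
# mode and the runlevel 3 service set. Both functions take a file path so they
# can run against copies or captured output rather than only on the live host.

CLIP_BASELINE_SERVICES="atd auditd crond iptables network syslog sysstat"

# Print the SELINUX= mode from a selinux config file (e.g. /etc/selinux/config).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line to enforcing, in place via a temp file.
set_selinux_enforcing() {
    sed 's/^SELINUX=.*/SELINUX=enforcing/' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# Given saved `chkconfig --list` output, print services that are on in runlevel 3
# but are not in the baseline, one per line. No output means nothing unexpected.
unexpected_rl3_services() {
    awk -v base="$CLIP_BASELINE_SERVICES" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # SysV lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        $1 != "" && $0 ~ /3:on/ && !($1 in ok) { print $1 }
    ' "$1" | sort
}

# Constructed sample of chkconfig --list output with one service beyond the baseline.
write_sample_chkconfig() {
    cat > "$1" <<'EOF'
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF
}

# Constructed sample of the config as the kickstart leaves it (permissive).
write_sample_selinux_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
EOF
}
```

On the installed host the equivalent is `selinux_config_mode /etc/selinux/config` (what the next boot will use; `getenforce` reports the current mode) and `chkconfig --list > /tmp/services.txt; unexpected_rl3_services /tmp/services.txt`. Every service the second check reports should have a matching SELinux policy module enabled, as the paragraph above notes, or be turned off with `chkconfig <name> off`.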

##Security Context packet Labeling

CLIP distributes an optional iptables package update that supports per-packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The iptables package is available at DownloadRelease.

To use packet labeling, after installing the system turn off the compat_net option that the CLIP kickstart file enables. At runtime this is done with

echo "0" > /selinux/compat_net

To make this change persistent across reboots, edit /boot/grub/grub.conf and set selinux_compat_net=0 on the kernel line of each boot entry.

Finally packets can be labeled using rules such as:

iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0
iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
iptables -A INPUT -t mangle -m state --state NEW -j CONNSECMARK --save

The first rule labels every TCP packet received for port 21 with system_u:object_r:ftp_client_packet_t:s0. The second copies the label stored on an established connection back onto its later packets, and the third stores the label of a new connection in its conntrack entry so that there is something to restore; without --save, --restore has no effect. All rules must be added to the mangle table. If a rule names a context that does not exist in the loaded policy, iptables fails with an error code that does not describe the problem; this is due to the way iptables returns errors and was not easily solvable as part of our back port.

##Additional Operational Considerations

The CLIP installation process also sets a password on the bootloader; its value is '123)(*qweASD'. Because that value is published here, change it after installation: generate a new hash with grub-md5-crypt and put it on the password --md5 line in /boot/grub/grub.conf.
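The two grub.conf edits this section calls for, adding selinux_compat_net=0 to the kernel lines and replacing the published bootloader password, as one added shell example that is not CLIP project code. It assumes GRUB legacy syntax as shipped with RHEL 5 and takes a hash you have already produced with grub-md5-crypt; the sample grub.conf it writes is constructed for the example. The same edits apply to the older version sections below.

```shell
#!/bin/sh
# Added example, not CLIP project code. Applies both grub.conf edits to a file:
# every kernel line gets selinux_compat_net=0 (replacing any existing value)
# and the global password line is set to a hash produced by grub-md5-crypt.

# Rewrite $1 in place; $2 is the MD5 hash string printed by grub-md5-crypt.
harden_grub_conf() {
    conf=$1; hash=$2
    tmp=$(mktemp) || return 1
    awk -v hash="$hash" '
        # The first title starts the boot entries; a global password must precede it.
        /^[[:space:]]*title/ && !seen { print "password --md5 " hash; seen = 1 }
        # If the global section already has a password line, replace it instead.
        /^[[:space:]]*password/ && !seen { print "password --md5 " hash; seen = 1; next }
        # Kernel lines: drop any selinux_compat_net=N, then append =0.
        /^[[:space:]]*kernel[[:space:]]/ {
            gsub(/[[:space:]]+selinux_compat_net=[0-9]+/, "")
            print $0 " selinux_compat_net=0"
            next
        }
        { print }
        END { if (!seen) print "password --md5 " hash }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Return 0 if $1 has a global password --md5 line and every kernel line
# carries selinux_compat_net=0.
grub_conf_hardened() {
    awk '
        /^[[:space:]]*title/ { in_entry = 1 }
        /^[[:space:]]*password --md5/ && !in_entry { pw = 1 }
        /^[[:space:]]*kernel[[:space:]]/ && $0 !~ /selinux_compat_net=0/ { bad = 1 }
        END { exit !(pw && !bad) }
    ' "$1"
}

# Constructed RHEL 5 style grub.conf: a placeholder default password line, one
# kernel line with compat_net still enabled and one without the parameter.
write_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
hiddenmenu
password --md5 $1$DEFAULT$placeholderforthepublisheddefault
title Red Hat Enterprise Linux Server (2.6.18-164.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/LogVol00 selinux=1 enforcing=1 selinux_compat_net=1
    initrd /initrd-2.6.18-164.el5.img
title Red Hat Enterprise Linux Server (2.6.18-128.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-128.el5 ro root=/dev/VolGroup00/LogVol00 selinux=1 enforcing=1
    initrd /initrd-2.6.18-128.el5.img
EOF
}
```

Typical use is `cp /boot/grub/grub.conf /root/grub.conf.new; harden_grub_conf /root/grub.conf.new "$(grub-md5-crypt)"`, then `grub_conf_hardened /root/grub.conf.new` before copying the file back over the original. The edits are made on a copy because a malformed grub.conf is only noticed at the next boot.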


##Installing the CLIP 3.1.2 RHEL 5.3 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.3, Server. The CLIP 3.1.2 RHEL 5.3 install requires an internet connection so that yum can install packages from the EPEL and Tresys OSS repositories.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.3 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=http://ipaddr/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. At the end of the installation you will be prompted to create passwords for the 'root' and 'clipuser' users. Once this is complete, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.

##Set SELinux to Enforcing

To set SELinux to ENFORCING:

su -
vi /etc/selinux/config    # change SELINUX=permissive to SELINUX=enforcing
reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

##Additional Operational Considerations

The CLIP installation process also sets a password on the bootloader; its value is '123)(*qweASD'. Because that value is published here, change it after installation: generate a new hash with grub-md5-crypt and put it on the password --md5 line in /boot/grub/grub.conf.


##Installing the CLIP 3.1.1 RHEL 5.3 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.3, Server. The CLIP 3.1.1 RHEL 5.3 install requires an internet connection so that yum can install packages from the EPEL and Tresys OSS repositories.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.3 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=http://ipaddr/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. At the end of the installation you will be prompted to create passwords for the 'root' and 'clipuser' users. Once this is complete, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.

##Installing Packages

Install the CLIP RPM for your architecture found in the Userland Packages section of DownloadRelease:

rpm -ivh --force clip-3.1-1.$ARCH.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package.

##Relabeling the System

The system must be relabeled.

su -
genhomedircon
touch /.autorelabel
reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

##Additional Operational Considerations

The CLIP installation process also sets a password on the bootloader; its value is '123)(*qweASD'. Because that value is published here, change it after installation: generate a new hash with grub-md5-crypt and put it on the password --md5 line in /boot/grub/grub.conf.


##Installing the RHEL 5.3 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.3, Server.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.3 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=http://ipaddr/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. At the end of the installation you will be prompted to create passwords for the 'root' and 'clipuser' users. Once this is complete, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.

##Installing Packages

A full CLIP installation requires an updated SELinux toolchain, a modified policy and some other userland tools included in the clip rpm. You can optionally install the iptables rpm to be able to label packets dynamically.

The installation of the RHEL 5.3 CLIP packages occurs in two phases, the second of which requires temporarily switching SELinux from enforcing to permissive mode.

First, install the PAM RPM for your architecture found in the Userland Packages section of DownloadRelease. This rpm includes a patched cracklib module that allows password restrictions to be applied to the root user.

rpm -Uvh --force pam-0.99.6.2-3.27.$ARCH.rpm

Next, install the CLIP RPM for your architecture found in the Userland Packages section of DownloadRelease:

rpm -ivh --force clip-3.1-0.$ARCH.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package.

Now download the updated SELinux toolchain and policy RPMs found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode before installing the packages:

setenforce 0
rpm -Uvh --force libsepol-1.16.14-1.$ARCH.rpm
rpm -Uvh --force --nodeps libselinux-1.34.15-1.$ARCH.rpm
rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm
rpm -Uvh --force libsemanage-1.10.9-1.$ARCH.rpm
rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm
rpm -Uvh --force policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm
rpm -ivh --force selinux-policy-clip-3.1-0.noarch.rpm

Note: Because the selinux-policy-clip rpm makes changes to class definitions, the policy will fail to load immediately after installation. A reboot is required before the policy will load.

reboot

After rebooting, login to the system with the 'clipuser' account and password and then authenticate to root and execute genhomedircon and relabel the filesystem. This step is necessary to correctly label home directories with the new CLIP policy.

su -
genhomedircon
touch /.autorelabel
reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements.

CLIP distributes an optional iptables package update that supports per-packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The iptables package is available at DownloadRelease.

To use the update first install the rpm:

rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm

After installing the rpm you must turn off the compat_net option that the CLIP kickstart file enables. At runtime this is done with

echo "0" > /selinux/compat_net

To make this change persistent across reboots, edit /boot/grub/grub.conf and set selinux_compat_net=0 on the kernel line of each boot entry.

Finally packets can be labeled using rules such as:

iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0
iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
iptables -A INPUT -t mangle -m state --state NEW -j CONNSECMARK --save

The first rule labels every TCP packet received for port 21 with system_u:object_r:ftp_client_packet_t:s0. The second copies the label stored on an established connection back onto its later packets, and the third stores the label of a new connection in its conntrack entry so that there is something to restore; without --save, --restore has no effect. All rules must be added to the mangle table. If a rule names a context that does not exist in the loaded policy, iptables fails with an error code that does not describe the problem; this is due to the way iptables returns errors and was not easily solvable as part of our back port.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

##Additional Operational Considerations

The CLIP installation process also sets a password on the bootloader; its value is '123)(*qweASD'. Because that value is published here, change it after installation: generate a new hash with grub-md5-crypt and put it on the password --md5 line in /boot/grub/grub.conf.


##Installing the RHEL 5.2 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.2, Server.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.2 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=http://ipaddr/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. At the end of the installation you will be prompted to create passwords for the 'root' and 'clipuser' users. Once this is complete, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and the password you created. (The user name should be entered without quotes.)

Once this account has been authenticated, you will need to switch to the superuser account via the su command to complete the remaining steps of the CLIP installation. The password for this account is the root password you created.

##Installing Packages

A full CLIP installation requires an updated SELinux toolchain, a modified policy and some other userland tools included in the clip rpm. You can optionally install the iptables rpm to be able to label packets dynamically.

The installation of the RHEL 5.2 CLIP packages occurs in two phases, the second of which requires temporarily switching SELinux from enforcing to permissive mode.

First, install the PAM RPM for your architecture found in the Userland Packages section of DownloadRelease. This rpm includes a patched cracklib module that allows password restrictions to be applied to the root user.

rpm -Uvh --force pam-0.99.6.2-3.27.$ARCH.rpm

Next, install the CLIP RPM for your architecture found in the Userland Packages section of DownloadRelease:

rpm -ivh --force clip-2.0-1.$ARCH.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package.

CLIP distributes an optional iptables package update that supports per-packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The iptables package is available at DownloadRelease.

To use the update first install the rpm:

rpm -Uvh iptables-1.3.5-4.99.el5.$ARCH.rpm

After installing the rpm you must turn off the compat_net option that the CLIP kickstart file enables. At runtime this is done with

echo "0" > /selinux/compat_net

To make this change persistent across reboots, edit /boot/grub/grub.conf and set selinux_compat_net=0 on the kernel line of each boot entry.

Finally packets can be labeled using rules such as:

iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0
iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
iptables -A INPUT -t mangle -m state --state NEW -j CONNSECMARK --save

The first rule labels every TCP packet received for port 21 with system_u:object_r:ftp_client_packet_t:s0. The second copies the label stored on an established connection back onto its later packets, and the third stores the label of a new connection in its conntrack entry so that there is something to restore; without --save, --restore has no effect. All rules must be added to the mangle table. If a rule names a context that does not exist in the loaded policy, iptables fails with an error code that does not describe the problem; this is due to the way iptables returns errors and was not easily solvable as part of our back port.

Now download the updated SELinux toolchain and policy RPMs found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode:

setenforce 0
rpm -Uvh libsepol-1.16.14-1.$ARCH.rpm
rpm -Uvh --force libselinux-1.34.15-1.$ARCH.rpm
rpm -Uvh libselinux-python-1.34.15-1.$ARCH.rpm
rpm -Uvh libsemanage-1.10.9-1.$ARCH.rpm
rpm -Uvh checkpolicy-1.34.7-1.$ARCH.rpm
rpm -Uvh policycoreutils-1.34.16-1.$ARCH.rpm policycoreutils-newrole-1.34.16-1.$ARCH.rpm
rpm -ivh selinux-policy-clip-3.0-1.noarch.rpm

Note: Because the selinux-policy-clip rpm makes changes to class definitions, the policy will fail to load immediately after installation. A reboot is required before the policy will load.

reboot

After rebooting, login to the system with the 'clipuser' account and password.

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. These steps are necessary to meet auditing requirements specified by DCID 6/3.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

##Additional Operational Considerations

The CLIP installation process also sets a password on the bootloader, as required by DCID 6/3; its value is '123)(*qweASD'. Because that value is published here, change it after installation: generate a new hash with grub-md5-crypt and put it on the password --md5 line in /boot/grub/grub.conf.


##Installing the RHEL 5.1 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5.1, Server.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware. Partition sizes are specified in megabytes.

  2. If the kickstart file is fetched over the network, note that the client system must obtain its TCP/IP configuration before it can resolve hostnames. Enable this by uncommenting the line at the top of the kickstart script:

    # network --bootproto=dhcp
    

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The location of the kickstart script is supplied to the installer as a kernel boot parameter. The script can be fetched over the network (HTTP, FTP/TFTP and NFS are supported) or read locally from floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5.1 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

boot> linux ks=http://someserver/clip.ks

- or -

boot> linux ks=http://ipaddr/clip.ks

- or -

boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. Anaconda will prompt for the remaining settings, then install the operating system and a few packages. Once this completes, a reboot is necessary.

After rebooting, login to the system with the 'clipuser' account and password, which is '123)(*qweASD'. (Both the user name and password are entered without quotes.)

Once this account has been authenticated, the user will need to switch to the superuser account via the su command, because superuser privileges are needed for the remaining steps, which install the CLIP and SELinux RPMs. The password for this account is also '123)(*qweASD'.

##Installing Packages

A full CLIP installation requires a modified policy and some other userland tools included in the clip rpm. You can optionally install the IPTables rpm to have the ability to dynamically label packets.

The installation of the RHEL 5.1 CLIP packages occurs in two phases, the second of which requires temporarily switching SELinux from enforcing to permissive mode.

First, install the CLIP RPM for your architecture found in the Userland Packages section of DownloadRelease:

rpm -ivh --force clip-2.0-1.arch.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package. During this step, some system configuration files will be backed up and replaced by files provided by CLIP. A log of these changes is written to /var/log/clip_installer.log.

CLIP distributes an optional iptables package update that supports per-packet labeling using SECMARK. A detailed description of SECMARK is available at: http://james-morris.livejournal.com/11010.html. The iptables package is available from the download page DownloadRelease.

To use the update first install the rpm:

rpm -Uvh iptables-1.3.5-1.2.1.99.arch.rpm

After installing the rpm you must turn off the compat_net option that the CLIP kickstart file enables. At runtime this is done with

echo "0" > /selinux/compat_net

To make this change persistent across reboots, edit /boot/grub/grub.conf and set selinux_compat_net=0 on the kernel line of each boot entry.

Finally packets can be labeled using rules such as:

iptables -A INPUT -t mangle -p tcp --dport 21 -j SECMARK --selctx system_u:object_r:ftp_client_packet_t:s0
iptables -A INPUT -t mangle -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
iptables -A INPUT -t mangle -m state --state NEW -j CONNSECMARK --save

The first rule labels every TCP packet received for port 21 with system_u:object_r:ftp_client_packet_t:s0. The second copies the label stored on an established connection back onto its later packets, and the third stores the label of a new connection in its conntrack entry so that there is something to restore; without --save, --restore has no effect. All rules must be added to the mangle table. If a rule names a context that does not exist in the loaded policy, iptables fails with an error code that does not describe the problem; this is due to the way iptables returns errors and was not easily solvable as part of our back port.

Now download the policy RPM found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode:

setenforce 0
rpm -ivh selinux-policy-clip-2.0-3.noarch.rpm

At this point, the utilities and configuration files for CLIP will be installed. A reboot is required so that the filesystem can be relabeled:

reboot

After rebooting, login to the system with the 'clipuser' account and password, which is '123)(*qweASD'. (Both the user name and password are entered without quotes.)

Once this account has been authenticated, the user will be assigned a context of root:sysadm_r:sysadm_t. The user will still need to switch to the superuser account via the su command to perform administrative actions. The password for the root account is also '123)(*qweASD'. These steps are necessary to meet auditing requirements specified by DCID 6/3.

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.

##Additional Operational Considerations

The CLIP installation process also sets a password for the bootloader, as required by DCID 6/3; it is also '123)(*qweASD'.


##Installing the RHEL 5 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 5, Server.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware requirements. Partition sizes are specified in megabytes.

  2. If the kickstart file is accessed via the network-based method, note that the client system must obtain its TCP/IP configuration information before it is able to resolve hostnames. This can be done by including the commented-out line at the top of the kickstart script:

    # network --bootproto=dhcp

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The kickstart script is supplied to the Linux kernel as a boot parameter. The script can be conveyed to the kernel in various ways, either via a network connection (HTTP, FTP/TFTP and NFS are supported) or locally via floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL5 Server installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

    boot> linux ks=http://someserver/clip.ks

- or -

    boot> linux ks=http://ipaddr/clip.ks

- or -

    boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. The user will choose appropriate values for settings prompted for by anaconda. At this point, anaconda will install the operating system and a few packages. Once this completes, a reboot will be necessary.

After rebooting, log in to the system with the root password, which is '123)(*qweASD'. (The passwords are entered without quotes.)

##Installing Packages

CLIP requires a modified policy and a few other userland tools.

The installation of RHEL 5 CLIP packages needs to occur in three phases, the third of which requires setting SELinux's enforcing mode to permissive.

First, install the CLIP RPM for your architecture found in the Userland Packages section of DownloadRelease:

    rpm -ivh --force clip-2.0-1.arch.rpm

The --force option is needed because a package installed in this step will overwrite files already installed by another package. During this step, some system configuration files will be backed up and replaced by files provided by CLIP. A log of these changes is written to /var/log/clip_install.log.

Second, install the updated PAM RPM for your architecture from the LSPP project site maintained by Steve Grubb at: http://people.redhat.com/sgrubb/files/lspp/

At the time of this release the current version is pam-0.99.6.2-3.22.el5. This will not be needed when RHEL 5 Update 1 is released.

Now download the policy RPM found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode:

    setenforce 0
    rpm -ivh selinux-policy-clip-2.0-1.noarch.rpm

At this point, the utilities and configuration files for CLIP will be installed. A reboot is required so that the filesystem can be relabeled:

    reboot

Upon logging in to the system, the user will be assigned a staff_r context. If additional administrative tasks are required, the user will need to execute the newrole utility to select a different context:

    newrole -r sysadm_r -t sysadm_t

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.


##Installing the RHEL 4 Base System

To begin installation of the Certified Linux Integration Platform, first obtain installation discs for Red Hat Enterprise Linux 4, Update 5 Enterprise Server.

Next, obtain the kickstart file (clip.ks) from DownloadRelease. This file supplies Red Hat's installer, anaconda, with various install-time parameters. The local copy of the generic kickstart file needs to have the following edits made to it:

  1. The partitioning information needs to be defined for the specific system's hardware requirements. Partition sizes are specified in megabytes.

  2. If the kickstart file is accessed via the network-based method, note that the client system must obtain its TCP/IP configuration information before it is able to resolve hostnames. This can be done by including the commented-out line at the top of the kickstart script:

    # network --bootproto=dhcp

    If this is not present and a network-based installation method is chosen, the server on which the kickstart script resides must be referred to directly by IP address.

The kickstart script is supplied to the Linux kernel as a boot parameter. The script can be conveyed to the kernel in various ways, either via a network connection (HTTP, FTP/TFTP and NFS are supported) or locally via floppy, hard disk or CD-ROM.

Boot from Disc 1 of the RHEL4 ES installation discs, supplying the kickstart script as a kernel boot parameter:

Accessing the kickstart file:

    boot> linux ks=http://someserver/clip.ks

- or -

    boot> linux ks=http://ipaddr/clip.ks

- or -

    boot> linux ks=<device name>:/clip.ks

This will initiate the installation process. The user will choose appropriate values for settings prompted for by anaconda. At this point, anaconda will install the operating system and a few packages. Once this completes, a reboot will be necessary.

After rebooting, log in to the system with the root password, which is '123)(*qweASD'. (The passwords are entered without quotes.)

##Installing Packages

CLIP requires an updated SELinux userland, as well as a modified policy and a few other userland tools. These packages can be downloaded and installed individually or collectively as part of a tarball. Users interested in a quick installation should follow the instructions found in Quick Install.

Quick Install

To install the packages simultaneously, download the tarball found in the All Files section of DownloadRelease. Then, follow the instructions below:

    tar -zxvf clip-files-1.0-5.(arch).tar.gz
    ./run-fixes.sh    # asks for a new password and confirmation for the CLIPUser account

    rpm -Uvh --force selinux-usr/*.rpm usr/*.rpm
    setenforce 0
    rpm -ivh refpolicy/*.rpm
    reboot

Note: Replace (arch) with the correct identifier for the system architecture, e.g. 'i386' or 'x86_64'.

Installing Packages Individually

The installation of individual packages needs to occur in two phases, the second of which requires setting SELinux's enforcing mode to permissive.

First, install the RPMs found in the Userland Packages section of DownloadRelease, in this order:

    rpm -Uvh --force python-xattr-0.2-1.2.el4.rf.(arch).rpm
    rpm -Uvh --force clip-1.0-5.noarch.rpm
    rpm -Uvh --force libsepol-1.14-1.clip.(arch).rpm
    rpm -Uvh --force libselinux-1.32-1.clip.(arch).rpm
    rpm -Uvh --force libselinux-python-1.32-1.clip.(arch).rpm
    rpm -Uvh --force libsemanage-1.8-1.clip.(arch).rpm
    rpm -Uvh --force checkpolicy-1.32-1.clip.(arch).rpm
    rpm -Uvh --force policycoreutils-1.32-1.clip.(arch).rpm

Note: Replace (arch) with the correct identifier for the system architecture, e.g. 'i386' or 'x86_64'.

The --force option is needed because a package installed in this step will overwrite files already installed by another package. During this step, some system configuration files will be backed up and replaced by files provided by CLIP. A log of these changes is written to /var/log/clip_install.log.

Now download the policy RPM found in the SELinux Policy section of DownloadRelease. To install the new policy, it is necessary to temporarily force SELinux into permissive mode:

    setenforce 0
    rpm -ivh selinux-policy-clip-1.0-5.noarch.rpm

At this point, the utilities and configuration files for CLIP will be installed. A reboot is required so that the filesystem can be relabeled:

    reboot

Upon logging in to the system, the user will be assigned a staff_r context. If additional administrative tasks are required, the user will need to execute the newrole utility to select a different context:

    newrole -r sysadm_r -t sysadm_t

##Configuring System Services

In order to minimize attack vectors into the system, the default installation of CLIP enables a minimal subset of services. The following services will be enabled when booted into runlevel 3 (the default for CLIP):

atd auditd crond iptables network syslog sysstat

An administrator who wishes to enable additional services should consider enabling the SELinux policy module(s) associated with the services being added. The chkconfig(8) utility should be used to add or remove services from a particular runlevel.
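The service baseline above (the same for each release described on this page) is only useful if drift from it is noticed. The added POSIX sh check below, which is not part of the CLIP wiki or project, reads chkconfig --list output and reports any service that is on at runlevel 3 but absent from that baseline; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the CLIP wiki: flag services that chkconfig
# reports as "on" at runlevel 3 but that are not in the CLIP baseline
# listed on the page. Reads `chkconfig --list` output on stdin; the
# sample below is constructed. On a live system:
#   chkconfig --list | extra_at_runlevel3

CLIP_BASELINE="atd auditd crond iptables network syslog sysstat"

# Print, one per line, services on at runlevel 3 that the baseline lacks.
extra_at_runlevel3() {
    while read -r svc l0 l1 l2 l3 rest; do
        # skip blank lines and the "xinetd based services:" block
        case $svc in ''|xinetd|*:) continue ;; esac
        case $l3 in 3:on) ;; *) continue ;; esac
        found=0
        for b in $CLIP_BASELINE; do
            [ "$svc" = "$b" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$svc"
    done
    return 0
}

# Constructed sample of chkconfig --list output (whitespace-separated).
SAMPLE='atd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd    0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond     0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups      0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables  0:off 1:off 2:on  3:on  4:on  5:on  6:off
network   0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail  0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat   0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd    0:off 1:off 2:off 3:on  4:off 5:off 6:off
xinetd based services:
        rsync:  off'

# Stand-alone demo: prints cups and vsftpd, the two unexpected services.
printf '%s\n' "$SAMPLE" | extra_at_runlevel3
```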