Distro_CentOS: initial markdown conversion

2025-08-22 01:57:43 +00:00 · 2017-11-07 10:59:09 -08:00 · 2017-11-07 10:59:09 -08:00 · 750b5c741c
commit 750b5c741c
parent 8b37193c0b
1 changed files with 268 additions and 0 deletions
--- a/Distro_CentOS.md
+++ b/Distro_CentOS.md
@ -0,0 +1,268 @@
+Experimental AppArmor on CentOS 5.5, x86\_64
+--------------------------------------------
+
+Warning! This is an experimental (RC) version of the kernel with
+experimental AppArmor patch in it, use at your own risk!
+
+### Kernel
+
+Currently we ignore the [CentOS-specific
+instructions](http://wiki.centos.org/HowTos/Custom_Kernel), we build
+a simple vanilla kernel instead.
+
+#### Obtaining
+
+We need GIT. Either grab it from the
+[RPMForge](http://wiki.centos.org/AdditionalResources/Repositories/RPMForge)
+repository (yum install git) or if that doesn't work, then:
+
+```
+ rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/git-1.7.1-3.el5.rf.x86_64.rpm http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-Git-1.7.1-3.el5.rf.x86_64.rpm
+```
+
+Now we can check out the kernel:
+
+```
+ mkdir -p ~/apparmor/ && cd ~/apparmor/
+ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
+ cd apparmor-dev/
+ git checkout --track -b AA2.5-2.6.33 origin/AA2.5-2.6.33
+```
+
+#### Building
+
+```
+ cd ~/apparmor/apparmor-dev/
+```
+
+See if we can reuse the existing kernel configuration
+(CONFIG\_IKCONFIG=y, CONFIG\_IKCONFIG\_PROC=y):
+
+```
+ cp /proc/config.gz ./ && gzip -d config.gz
+```
+
+Tweak the kernel, enable AppArmor and CONFIG\_SYSFS\_DEPRECATED\_V2:
+
+```
+ yum install ncurses-devel
+ make menuconfig
+```
+
+“Security options” ---&gt; “AppArmor support”.
+
+**Warning!** To boot CentOS 5.5 we have
+to switch on the old init tools support:
+[CONFIG\_SYSFS\_DEPRECATED\_V2=Y](http://serverfault.com/questions/108189/kernel-upgrade-centos-5-3-mount-could-not-find-filesystem-dev-root).
+
+#### Installing
+
+```
+ cd ~/apparmor/apparmor-dev/
+ yum install rpm-build
+ make rpm
+ rpm -i /usr/src/redhat/RPMS/x86_64/kernel-2.6.33-1.x86_64.rpm
+ mkinitrd -f /boot/initrd-2.6.33.img 2.6.33
+```
+
+Try booting the new kernel with kexec:
+
+```
+ yum install kexec-tools
+ kexec -l /boot/vmlinuz-2.6.33 --initrd=/boot/initrd-2.6.33.img --append=“ro root=LABEL=/ noapic”
+ kexec -e
+```
+
+Edit “/boot/grub/grub.conf” and add:
+
+```
+ title AppArmor(2.6.33-1)
+   root (hd0,0)
+   kernel /vmlinuz-2.6.33 ro root=LABEL=/ noapic
+   initrd /initrd-2.6.33.img
+```
+
+If this is your first grub.conf title, it makes sense to add
+ 
+```
+ fallback=1
+```
+
+#### Checking
+
+Reboot under new kernel:
+
+```
+ /sbin/shutdown -r now
+```
+
+or
+
+```
+ reboot
+```
+
+Now see if AppArmor is loaded and enabled (should print “Y”):
+
+```
+ cat /sys/module/apparmor/parameters/enabled
+```
+
+### Tools
+
+For CentOS we will be building the AppArmor tools from source.
+
+#### Necessary Perl packages
+
+AppArmor tools depend on these additional Perl packages which we will
+let CentOS to maintain:
+
+```
+ yum install perl-libxml-perl
+```
+
+We also need Term::ReadKey, but it isn't available
+in the default CentOS install, perhaps you have it from
+[RPMForge](http://wiki.centos.org/AdditionalResources/Repositories/RPMForge)
+or some other repository:
+
+```
+ yum whatprovides “*/perl(Term::ReadKey)”
+ yum whatprovides “*/perl(Locale::gettext)”
+ yum whatprovides “*/perl(RPC::XML)”
+```
+
+with RPMForge it is:
+
+```
+ yum install perl-TermReadKey
+ yum install perl-Locale-gettext
+ yum install perl-RPC-XML
+```
+
+otherwise just grab it from the nearest RedHat repository:
+
+```
+ rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-TermReadKey-2.30-3.el5.rf.x86_64.rpm
+ rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-Locale-gettext-1.05-1.el5.rf.x86_64.rpm
+ rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-XML-Parser-2.36-1.el5.rf.x86_64.rpm
+ rpm -i http://dag.linux.iastate.edu/dag/redhat/el5/en/x86_64/rpmforge/RPMS/perl-RPC-XML-0.71-1.el5.rf.noarch.rpm
+```
+
+#### Fetch and build
+
+Make sure the necessary build tools and libraries are installed:
+
+ yum install bison gcc-c++ tetex-latex gettext-devel
+
+We need a version of flex with “yypop\_buffer\_state” (the version from “yum install flex” is too old). Grab the fresh version from http://flex.sourceforge.net/:
+
+```
+ mkdir -p ~/apparmor/ && cd ~/apparmor/
+ wget “http://downloads.sourceforge.net/project/flex/flex/flex-2.5.35/flex-2.5.35.tar.bz2"
+ tar -xjf flex-2.5.35.tar.bz2
+ cd flex-2.5.35/
+ ./configure && make && make install && echo okay
+ ```
+
+Fetch a stable tools build [from launchpad](https://launchpad.net/apparmor)
+
+```
+ mkdir -p ~/apparmor/ && cd ~/apparmor/
+ wget http://launchpad.net/apparmor/2.5/2.5.1/+download/apparmor-2.5.1.tar.gz
+ tar -xzf apparmor-2.5.1.tar.gz
+```
+
+Build parser:
+
+```
+ cd ~/apparmor/apparmor-2.5.1/parser/
+ make LEX=/usr/local/bin/flex
+ make install
+```
+
+Build apparmor utils:
+
+```
+ cd ~/apparmor/apparmor-2.5.1/utils/
+ make && make install && echo okay
+```
+
+Create profiles directory:
+
+```
+ cd ~/apparmor/apparmor-2.5.1/profiles/
+ make install
+```
+
+#### Startup
+
+Manual restart:
+
+```
+ /etc/init.d/apparmor restart
+```
+
+Automatic startup:
+
+```
+ cd /etc/init.d/
+ chkconfig --add apparmor
+```
+
+#### Checking
+
+The `aa-status` tool now should print a list of known and used
+profiles, like this:
+
+```
+ apparmor module is loaded.
+ 25 profiles are loaded.
+ 25 profiles are in enforce mode.
+    /bin/ping
+    /sbin/klogd
+    /sbin/syslog-ng
+    /sbin/syslogd
+    /usr/lib/apache2/mpm-prefork/apache2
+    /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
+    /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
+    /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
+    /usr/lib/dovecot/deliver
+    /usr/lib/dovecot/dovecot-auth
+    /usr/lib/dovecot/imap
+    /usr/lib/dovecot/imap-login
+    /usr/lib/dovecot/managesieve-login
+    /usr/lib/dovecot/pop3
+    /usr/lib/dovecot/pop3-login
+    /usr/sbin/avahi-daemon
+    /usr/sbin/dnsmasq
+    /usr/sbin/dovecot
+    /usr/sbin/identd
+    /usr/sbin/mdnsd
+    /usr/sbin/nmbd
+    /usr/sbin/nscd
+    /usr/sbin/ntpd
+    /usr/sbin/smbd
+    /usr/sbin/traceroute
+ 0 profiles are in complain mode.
+ 2 processes have profiles defined.
+ 0 processes are in enforce mode :
+ 0 processes are in complain mode.
+ 2 processes are unconfined but have a profile defined.
+    /sbin/klogd (2282)
+    /sbin/syslogd (2278)
+```
+
+#### Tuning logs
+
+Audit data by default is dropped into /var/log/messages via
+syslogd. That way, the data is severely capped by the kernel in order
+not to overload the messages log. To make audit data usable with
+AppArmor we should install auditd and tune it to keep large amounts
+of data:
+
+```
+ yum install audit
+ joe /etc/audit/auditd.conf # num_logs = 2, max_log_file = 200
+ /etc/init.d/auditd restart
+```