SELinux Tools (setools), version 1.4
by Tresys Technology, LLC
(selinux@tresys.com, www.tresys.com/selinux)

June 02, 2004

BUILDING AND INSTALLING NOTES AND WARNINGS

We have built and used this package on several distributions with and
without SELinux (see TESTING INFORMATION in KNOWN-BUGS file). These
directions should work well on most distributions, but you should be
familiar with the documentation for the distribution you are using.

The directory structure of the Setools distribution is as follows:

apol            The policy analysis tool
awish           Our customized version of the Tk wish interpreter
docs-src        Repository for generating setools documentation
libapol         The main policy analysis library
libseaudit      The seaudit support library
libseuser       The seuser support library
seaudit         The audit log analysis tool (seaudit)
secmds          The setools command line tools (seinfo, sesearch,
                findcon, replcon)
sepct           The policy configuration/editing tool (sepcut)
seuser          The user management tool and shell scripts
packages        External packages required by setools

Apol and the other tools are specifically designed not to address MLS
policies. However, you can set the config option CONFIG_SECURITY_SELINUX_MLS
in the Makefile to enable support for parsing MLS policy files. Even with
this flag set at compile time, Setools still ignores all the MLS aspects
of a policy, but should be able to parse such policies. We have conducted
very little testing with MLS enabled.
	
REQUIREMENTS

TCL/TK VERSION AND INSTALL: Before building you will need to ensure that you
have Tcl/Tk 8.3 or higher installed with BWidgets. Generally, modern Linux
distributions have appropriate versions of Tcl and Tk. Usually the BWidgets
package IS NOT installed by default, however. If you do not have BWidgets
installed it is available in the packages subdirectory of the Setools
distribution. It can be installed by going to the packages subdirectory and
typing "make install". If you have BWidgets installed make certain that it
is a compatible version. See BWIDGETS VERSIONS below for more information.

LIBSELINUX: In order to successfully build and install secmds onto your
system you will need libselinux and the associated headers. A package may
be available for your distribution - on Fedora Core it is called
libselinux-devel.

GTK: In order to successfully install seaudit onto your system you will need
libglade and GTK2.0 or above installed. It also requires the pkg-config
program to be installed before you can build.

INSTALLATION

These are the instructions for building and installing all of the Setools.
You can also build and install portions of the package including only those
tools and libraries that do not require a GUI and X support. See "make help"
for more information or for a complete list of make targets.

BUILDING AND INSTALLING

Short version: make all; su root; make install; make install-policy  

Long version follows:

0. Review the ./setools/Makefile. When running 'make', the TCLVER,
TCL_INCLUDE and TCL_LIBINC variables should be automatically set
appropriately for your installation of Tcl/Tk; however, if you need to,
you can set these variables manually in the Makefile.
   
1. If you are installing seuser and have a version of SELinux based
on an LSM kernel earlier than 2.4.19 (prior to August 2002 or so): 

	a. Check that you have the policy management changes to your 
	installed policy. Starting with the 2.4.19 LSM kernel based 
	SELinux, you do NOT need to install the policy patch; skip 
	ahead to Step 2.

	The changes to the policy necessary for pre-2.4.19 LSM kernels 
	are based on a patch we posted for the SELinux main 
	distribution.  See ./setools/policy/polpatch/readme.txt for 
	further instructions on determining whether you need the patch 
	and if so how to apply it.

	b. After you have applied the patch for the policy, make sure 
	the policy sources are installed. The patched policy make 
	file (./selinux/policy/Makefile) should have an 
	"install-src" target that will do this for you.

2. Build and install tools:  If you want to install all tools, just 
type "make install" to build and install everything.  Type "make help" 
to see options to build individual pieces, for example to install just 
seuser, sepcut, or apol.

3. If you installed seuser or secmds and you are using the default policy
distributed by the NSA or a similar policy (e.g. the "strict" policy
distributed with Fedora Core 2), then you will need to type "make
install-policy". This will install the policy for seuser and label the
binaries and config files for seuser and the secmds.

If this fails, either you are not using an SELinux machine,
the policy management patch isn't installed (see Step 1), or the
policy source directory is not installed in the conventional location
(use "make install-src" in the policy source directory from the SELinux
distribution). Email us; we'll try to help (selinux@tresys.com)!

Most errors result from improperly installed Tcl/Tk, BWidgets, or the 
above libapol files.  
   
Send comments/questions to selinux@tresys.com.

BWIDGETS VERSIONS

The BWidgets package can be found at 
http://sourceforge.net/projects/tcllib. There are some 
incompatibilities with different versions of Tcl/Tk and BWidgets that 
can cause critical runtime errors. You will not be able to run any of 
the tools if you are using incompatible versions of Tcl/Tk and 
BWidgets. Correct versions of BWidgets for the Tcl/Tk version you are 
using are:

	- Tcl/Tk 8.3 - BWidget-1.4.1
	- Tcl/Tk 8.4 or greater - any

NOTE: You may run the tools using a pre-1.4.1 BWidgets package;
however, you may experience problems. These tools have been tested
using the latest BWidgets packages starting from version 1.4.1.
See TESTING INFORMATION in KNOWN-BUGS for more information on what 
platforms and configurations these tools have been tested against.

Once you have downloaded the correct version of BWidgets, you
can install it in your TCL directory. For instance, if you have
Tcl installed in the /usr/lib directory, then you should install the 
BWidgets directory to /usr/lib/tcl8.3/.
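
The REQUIREMENTS and BWIDGETS VERSIONS sections above can be checked before
building. The script below is an added example, not part of the setools
distribution. Its function names, the pkg-config module names gtk+-2.0 and
libglade-2.0, the header path /usr/include/selinux/selinux.h, and the choice
to treat any BWidget other than 1.4.1 on Tcl/Tk 8.3 as a warning are
assumptions.

```shell
# Added example (not part of setools): pre-flight check of this README's
# requirements. Run as an ordinary user, before "su root; make install".
# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# check_bwidget TCLVER BWVER: 0 = pairing listed in the README, 1 = may run
# but with problems, 2 = requirement not met (Tcl too old or BWidget missing).
check_bwidget() {
    if [ -z "$1" ] || [ -z "$2" ] || ver_lt "$1" 8.3; then return 2; fi
    if ! ver_lt "$1" 8.4; then return 0; fi    # 8.4 or greater: any BWidget
    if [ "$2" = 1.4.1 ]; then return 0; fi     # 8.3 pairs with BWidget-1.4.1
    return 1    # assumption: other BWidget versions on 8.3 are a warning
}

# tcl_probe: print "TCLVER BWVER" from the installed tclsh, if there is one.
tcl_probe() {
    command -v tclsh >/dev/null 2>&1 || return 0
    echo 'catch {package require no-such-pkg}   ;# forces a package index scan
puts "[info tclversion] [lindex [lsort -command {package vcompare} [package versions BWidget]] end]"' | tclsh
}

preflight() {
    fails=0; rc=0
    set -- $(tcl_probe)              # $1 = Tcl version, $2 = BWidget version
    check_bwidget "${1:-}" "${2:-}" || rc=$?
    case $rc in
        0) echo "ok:   Tcl/Tk $1 with BWidget $2" ;;
        1) echo "warn: Tcl/Tk 8.3 is listed with BWidget-1.4.1, found $2" ;;
        *) echo "FAIL: need Tcl/Tk 8.3 or higher with BWidgets"; fails=1 ;;
    esac
    # Assumed pkg-config module names for the GTK 2 and libglade seaudit needs.
    pkg-config --exists gtk+-2.0 libglade-2.0 2>/dev/null ||
        { echo "FAIL: seaudit needs pkg-config, GTK 2.0+ and libglade"; fails=1; }
    # Assumed conventional header location for libselinux (needed by secmds).
    [ -f /usr/include/selinux/selinux.h ] ||
        { echo "FAIL: secmds needs libselinux and its headers"; fails=1; }
    return $fails
}
if [ "${1:-}" = run ]; then preflight; fi
```

Saved under a name of your choice and started with the single argument
"run", the script exits non-zero when a requirement is missing.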
