From Fedora Project Wiki
 
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= SELinux Troubleshooter Redesign <!-- The name of your feature --> =
= SELinux Troubleshooter Redesign =


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.
Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.


== Owner ==
== Owner ==
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:dwalsh| Dan Walsh]]
* Name: [[User:dwalsh| Dan Walsh]]
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
* Email: dwalsh@redhat.com
* Email: dwalsh@redhat.com


== Current status ==
== Current status ==
* Targeted release: Fedora 15  
* Targeted release: [[Releases/15 |Fedora 15]]
* Last updated: Sep 3 2010
* Last updated: Apr 5 2011
* Percentage of completion: 50%
* Percentage of completion: 100%
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->


== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
We are redesigning setroubleshoot to attempt to make it easier to diagnose SELinux problems.  In the current setroubleshooter the "best" match is returned for a solution to the customer.  In the new redesign, all matches will be returned.  For example if samba tried to read content that it is not allowed, we would like to tell the admin that he could label the content samba_share_t or he could set up SELinux to allow samba to share all content Read Only, or Read Write, or samba should not be trying to read this content, it could be a bug or an attack.
 
We are redesigning setroubleshoot to attempt to make it easier do diagnose SELinux problems.  In the current setroubleshooter the "best" match is returned for a solution to the custemer.  In the new redesign, all matches will be returned.  For example if samba tried to read content that it is not allowed, we would like to tell the admin that he could label the content samba_share_t or he could set up SELinux to let samba to share all content Read Only, or Read Write, or samba should not be trying to read this content, it could be a bug or an attack.
 


We also want to simplify the interface with easier to explain definitions, like
We also want to simplify the interface with easier to explain definitions, like
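Review bot: In the Detailed Description paragraph the tool is called "setroubleshooter", while the summary and the first sentence of the same paragraph call it "setroubleshoot"; the revised wording fixes "do diagnose" and "custemer" but keeps that inconsistency. Suggest using one name throughout, and splitting the samba sentence so that the three outcomes (relabel to samba_share_t, allow sharing all content Read Only or Read Write, treat it as a bug or an attack) read as separate options.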
Line 34: Line 24:
Make SELinux easier to administrate.
Make SELinux easier to administrate.
== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Limited impact.
Limited impact.
== How To Test ==
== How To Test ==
Generate different SELinux scenarios to see what the application returns.
Generate different SELinux scenarios to see what the application returns.


* setup vsftpd to share the users homedir.   
* setup vsftpd to share the users homedir.   
** ftp into the users homedir.   
** ftp into the users homedir.   
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Is sharing the users homedir the highest priority.
** Is sharing the users homedir the highest priority.
* setup samba to share content in /myshares
* setup samba to share content in /myshares
** Try to access the share remotely
** Try to access the share remotely
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Is setting the label to samba_share_t the highest priority.
** Is setting the label to samba_share_t the highest priority.
* setup samba to share /var/log
* setup samba to share /var/log
** Try to access the share remotely
** Try to access the share remotely
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Setroubleshoot should fire, check the diagnostics, do they make sense.   
** Is setting the label to samba_share_t the highest priority.
** Is setting the label to samba_share_t the highest priority.
* setup httpd  
* setup httpd  
** to share users homedirs
** to share users homedirs
** to share content in /var/lib/html
** to share content in /var/lib/html
** chcon -t ssh_home_t /var/www/index.html, try to access this file from apache.
** chcon -t ssh_home_t /var/www/index.html, try to access this file from apache.
* setup /root/.ssh directory, for password free login, chcon -t admin_home_t -R /root/.ssh; ssh into the box, what does setroubleshoot suggest as the solution.
* setup /root/.ssh directory, for password free login, chcon -t admin_home_t -R /root/.ssh; ssh into the box, what does setroubleshoot suggest as the solution.
* the setroubleshoot package has a series of avcs in the setroubleshoot/framework/test/audit/data directory, if you cat them to setdispatch, the setroubleshoot tool should fire.  What are the suggested fixes?  Do they make sense.
* the setroubleshoot package has a series of avcs in the setroubleshoot/framework/test/audit/data directory, if you cat them to setdispatch, the setroubleshoot tool should fire.  What are the suggested fixes?  Do they make sense.


== User Experience ==
== User Experience ==
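Review bot: In the How To Test list, the "setup samba to share /var/log" scenario repeats the check "Is setting the label to samba_share_t the highest priority" word for word from the /myshares scenario, so the plan does not say which suggestion a tester should expect first for a system directory. Suggest stating the expected top suggestion for each scenario. The httpd item also shares /var/lib/html while its chcon step targets /var/www/index.html, so confirm which path is meant.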
Line 67: Line 56:


== Contingency Plan ==
== Contingency Plan ==
We can stick with the current setroubleshoot.  No other packages will be affected.
We can stick with the current setroubleshoot.  No other packages will be affected.


== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
Original Design
*
*https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview
Released Product
*http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/setroubleshoot.odt


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
* Old AVC's alerts will be deleted, since the format of the alert database has changed.
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*


== Comments and Discussion ==
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
* See [[Talk:Features/SetroubleshootGuiRedesign]]
 


[[Category:FeaturePageIncomplete]]
[[Category:FeatureAcceptedF15]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
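Review bot: The Release Notes entry says old AVC alerts will be deleted because the alert database format changed, but it does not say when the deletion happens or whether an admin needs to do anything before upgrading, which is what the template comment about upgrade concerns asks for. Suggest adding that, and dropping the empty "*" bullets left under Documentation and Release Notes.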

Latest revision as of 13:52, 5 April 2011

SELinux Troubleshooter Redesign

Summary

Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.

Owner

  • Name: Dan Walsh
  • Email: dwalsh@redhat.com

Current status

  • Targeted release: Fedora 15
  • Last updated: Apr 5 2011
  • Percentage of completion: 100%

Detailed Description

We are redesigning setroubleshoot to make it easier to diagnose SELinux problems. The current setroubleshoot returns only the "best" match as a solution to the customer. In the redesign, all matches will be returned. For example, if samba tried to read content that it is not allowed to read, we would like to tell the admin that he could label the content samba_share_t, or that he could set up SELinux to allow samba to share all content Read Only or Read Write, or that samba should not be trying to read this content at all, in which case it could be a bug or an attack.

We also want to simplify the interface with easier-to-explain definitions, like:

If you want samba to share the entire system read/only, then you need to tell the SELinux system about this by setting the samba_export_all_ro boolean. Execute the following command as root:

    setsebool -P samba_export_all_ro=1
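An added example, not setroubleshoot's own code, of the difference between returning only the "best" match and returning all matches for the samba case above. The AVC line is constructed, and the rule table, its priority values and the PATH placeholder are assumptions made for illustration.

```python
import re

# Constructed sample AVC record for illustration (not from a real audit log).
SAMPLE_AVC = (
    'type=AVC msg=audit(1301925600.123:456): avc:  denied  { read } for  '
    'pid=2345 comm="smbd" name="report.txt" dev=sda1 ino=131 '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file'
)
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)'
)
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

def parse_avc(line):
    """Extract permissions and SELinux types from one AVC denial line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m.group("perms").split()),
            "source": m.group("scon").split(":")[2],
            "target": m.group("tcon").split(":")[2]}

def is_samba(avc):
    return avc["source"] == "smbd_t"

# (priority, predicate, summary, fix). Priorities are assumed values.
RULES = [
    (100, is_samba, "Label the shared content samba_share_t",
     "chcon -R -t samba_share_t PATH"),
    (50, lambda a: is_samba(a) and not (a["perms"] & WRITE_PERMS),
     "Let samba share all content read-only",
     "setsebool -P samba_export_all_ro=1"),
    (40, is_samba, "Let samba share all content read-write",
     "setsebool -P samba_export_all_rw=1"),
    (1, lambda a: True, "Access is unexpected: possible bug or attack",
     "change nothing; report the denial"),
]

def diagnose(line):
    """Redesign behaviour: every matching solution, highest priority first."""
    avc = parse_avc(line)
    hits = [(p, s, f) for p, pred, s, f in RULES if avc and pred(avc)]
    return sorted(hits, key=lambda h: h[0], reverse=True)

def best_only(line):
    """Old behaviour: only the single "best" match reaches the admin."""
    return diagnose(line)[:1]
```

Calling diagnose(SAMPLE_AVC) yields the relabel, both booleans and the "bug or attack" outcome, while best_only(SAMPLE_AVC) hides everything but the relabel suggestion.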

Benefit to Fedora

Make SELinux easier to administrate.

Scope

Limited impact.

How To Test

Generate different SELinux scenarios to see what the application returns.

  • Set up vsftpd to share the user's homedir.
    • ftp into the user's homedir.
    • Setroubleshoot should fire. Check the diagnostics: do they make sense?
    • Is sharing the user's homedir the highest priority?
  • Set up samba to share content in /myshares.
    • Try to access the share remotely.
    • Setroubleshoot should fire. Check the diagnostics: do they make sense?
    • Is setting the label to samba_share_t the highest priority?
  • Set up samba to share /var/log.
    • Try to access the share remotely.
    • Setroubleshoot should fire. Check the diagnostics: do they make sense?
    • Is setting the label to samba_share_t the highest priority?
  • Set up httpd
    • to share users' homedirs
    • to share content in /var/lib/html
    • chcon -t ssh_home_t /var/www/index.html, then try to access this file from apache.
  • Set up the /root/.ssh directory for password-free login, run chcon -t admin_home_t -R /root/.ssh, then ssh into the box. What does setroubleshoot suggest as the solution?
  • The setroubleshoot package has a series of AVCs in the setroubleshoot/framework/test/audit/data directory. If you cat them to setdispatch, the setroubleshoot tool should fire. What are the suggested fixes? Do they make sense?

User Experience

The GUI will change quite a bit, hopefully becoming a lot less technical.

Dependencies

None

Contingency Plan

We can stick with the current setroubleshoot. No other packages will be affected.

Documentation

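Original Design

  • https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview

Released Product

  • http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/setroubleshoot.odt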

Release Notes

  • Old AVC alerts will be deleted, since the format of the alert database has changed.

Comments and Discussion

  • See Talk:Features/SetroubleshootGuiRedesign