m (→What the Documentation Covers (in no particular order, and subject to change): moving mcs/mls before users (since users talks about categories)) |
m (internal link cleaning) |
||
(37 intermediate revisions by 2 users not shown) | |||
Line 11: | Line 11: | ||
* [http://www.nsa.gov/selinux/ National Security Agency] | * [http://www.nsa.gov/selinux/ National Security Agency] | ||
* Russell Coker: <http://www.coker.com.au/selinux/> | * Russell Coker: <http://www.coker.com.au/selinux/>, [http://www.linuxjournal.com/article/9408 Multi-Category Security in SELinux in Fedora Core 5], <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html> | ||
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?] | * James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux]. | ||
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit] | |||
* [http://docs.fedoraproject.org/selinux-apache-fc3/ Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)] | |||
* [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?] | * [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?] | ||
* [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course]. | * [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course]. | ||
* [http://www.redhat.com/magazine/006apr05/features/selinux/ Taking advantage of SELinux in Red Hat® Enterprise Linux®] | * [http://www.redhat.com/magazine/006apr05/features/selinux/ Taking advantage of SELinux in Red Hat® Enterprise Linux®] | ||
* [http://selinuxproject.org/page/Documentation_TODO Current SELinux project documentation todo list]. | * [http://selinuxproject.org/page/Documentation_TODO Current SELinux project documentation todo list]. | ||
* [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki | * [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki HOWTO Understand SELinux] | ||
* [http://oss.tresys.com/projects/refpolicy SELinux Reference Policy] | |||
* [http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html Introduction to Multilevel Security, Dr. Rick Smith]. | |||
* Red Hat Enterprise Linux 5 Deployment Guide: | * Red Hat Enterprise Linux 5 Deployment Guide: | ||
** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux]. | ** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux]. | ||
* [http://docs.fedoraproject.org/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ] | |||
* [[SELinux/FAQ|Fedora SELinux/FAQ]] | |||
* Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux]. | * Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux]. | ||
* Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>. | * Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>. | ||
Line 30: | Line 36: | ||
* [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users.] | * [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users.] | ||
* [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report] | * [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report] | ||
* [http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ Risk report: Three years of Red Hat Enterprise Linux 4] | |||
* [http://www.tresys.com/innovation.php Tresys (Mitigation News).] | |||
* [http://www.nsa.gov/selinux/papers/freenix01/freenix01.html Integrating Flexible Support for Security Policies into the Linux Operating System.] | |||
* [http://www.nsa.gov/selinux/papers/ottawa01/index.html Meeting Critical Security Objectives with Security-Enhanced Linux.] | |||
=== Purpose of the Documentation === | === Purpose of the Documentation === | ||
Line 47: | Line 57: | ||
=== What the Documentation Covers (in no particular order, and subject to change) === | === What the Documentation Covers (in no particular order, and subject to change) === | ||
* [[Docs/Drafts/SELinux User Guide/Previous TOC Ideas| Previous TOC Ideas]] | * [[Docs/Drafts/SELinux User Guide/Previous TOC Ideas| Previous TOC Ideas]] | ||
From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]: | From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]: | ||
* "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information". | * "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information". | ||
Line 57: | Line 66: | ||
----------------------------------------- | ----------------------------------------- | ||
'''SELinux Introduction:''' | '''SELinux Introduction:''' | ||
* Brief overview. | |||
* | * What SELinux can and can't do. | ||
* Examples to explain how SELinux works (e.g., Apache HTTP). | |||
''' | '''SELinux Contexts and Attributes:''' | ||
* Brief overview of objects, subjects, and object classes. | |||
* Explain each part of SELinux labels. | |||
* | |||
* | |||
'''Targeted Policy Overview:''' | '''Targeted Policy Overview:''' | ||
'''SELinux | * Confined and Unconfined processes. | ||
* Confined system and user domains. | |||
'''Working with SELinux:''' | |||
* Installing and Upgrading packages. | |||
* | * Configuration Files. | ||
* | * Enable and Disable SELinux. | ||
* | * semanage: booleans, labeling files, adding users, translations. | ||
* Managing and Maintaining SELinux Labels. | |||
* | |||
''' | '''Managing Users:''' | ||
* Linux and SELinux user account mappings. | |||
* | * Adding confined and unconfined users. | ||
* Modifying existing users. | |||
* | |||
''' | '''System Services:''' | ||
* Examples, sharing content between services. | |||
* | |||
'''SELinux Log Files and Denials:''' | '''SELinux Log Files and Denials:''' | ||
* auditd and | |||
* | * auditd and setroubleshoot. | ||
* | * Searching log files (ausearch). | ||
* Interpreting AVC Denials. | |||
* | * sealeart -l \* | ||
* What to check for after a denial (DAC permissions...) | |||
* audit2allow and audit2why. | |||
* What to check after | |||
'''Access Control''' | |||
* Concepts of DAC, MAC, Type Enforcement®, etc. | |||
* audit2allow | |||
'''Working with MCS and MLS''' | |||
* | |||
* | * Examples from domg472. | ||
= Project Plan = | = Project Plan = | ||
== Schedule == | == Schedule == | ||
Updated 30 September 2008 to reflect slip in Fedora 10 schedule. | |||
==='''Information Plan:''' July 14 -> July 24 (9 days)=== | ==='''Information Plan:''' July 14 -> July 24 (9 days)=== | ||
Line 181: | Line 133: | ||
* Phase review: subject matter experts approve the plan or request modifications to content. | * Phase review: subject matter experts approve the plan or request modifications to content. | ||
==='''Implementation:''' August 15 -> | ==='''Implementation:''' August 15 -> November 8 (70 days) === | ||
Designs for style, prototype sections, first, second, and approved drafts, weekly | Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>. | ||
==='''Localization and Production:''' | ==='''<strike>Localization and</strike> Production:''' November 16 -> November 24 (9 days)=== | ||
Translation, preparing final copies/PDFs. | <strike>Translation</strike>, preparing final copies/PDFs. | ||
==='''Evaluation:''' October 29 -> October 30 (1 day)=== | ==='''Evaluation:''' <strike>October 29 -> October 30 (1 day)</strike>=== | ||
* Evaluate the project. | * Evaluate the project. | ||
* Plan maintenance cycles. | * Plan maintenance cycles. | ||
* Plan next release. | * Plan next release. | ||
= Subject Matter Experts = | = Subject Matter Experts = | ||
Line 202: | Line 150: | ||
* domg472 | * domg472 | ||
* Russell Coker | * Russell Coker | ||
* Stephen Smalley | |||
* Karl MacMillan | |||
* Joshua Brindle | |||
* Christopher J. PeBenito | |||
[[Category:SELinux docs]] |
Latest revision as of 13:50, 18 September 2016
Phase 1: Information Planning
Deliverables and Milestones
- Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
- Project Plan: an estimation of the time and resources required to complete the project.
Information Plan
Information Sources
- National Security Agency
- Russell Coker: <http://www.coker.com.au/selinux/>, Multi-Category Security in SELinux in Fedora Core 5, <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
- James Morris: Have You Driven an SELinux Lately?, An Overview of Multilevel Security and LSPP under Linux.
- SELinux Symposium and Developer Summit
- Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)
- What is Security-Enhanced Linux?
- RHS429 course.
- Taking advantage of SELinux in Red Hat® Enterprise Linux®
- Current SELinux project documentation todo list.
- Gentoo Wiki HOWTO Understand SELinux
- SELinux Reference Policy
- Introduction to Multilevel Security, Dr. Rick Smith.
- Red Hat Enterprise Linux 5 Deployment Guide:
- Fedora Core 5 SELinux FAQ
- Fedora SELinux/FAQ
- Red Hat Enterprise Linux 4 SELinux Guide: Working with SELinux.
- Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
- IRC: #fedora-selinux and #selinux
- fedora-selinux-list archives.
- Fedora SELinux Wiki.
- Blogs: <http://danwalsh.livejournal.com/>, <http://planet.fedoraproject.org/>, and <http://etbe.coker.com.au/>.
- SELinux news.
- SELinux webcast.
- Confining Users.
- Common Criteria Evaluation and Validation Scheme Validation Report
- Risk report: Three years of Red Hat Enterprise Linux 4
- Tresys (Mitigation News).
- Integrating Flexible Support for Security Policies into the Linux Operating System.
- Meeting Critical Security Objectives with Security-Enhanced Linux.
Purpose of the Documentation
- Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
- Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
- Give users information needed to do what they want without turning SELinux off.
- From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".
Audience
- Familiar with using a Linux computer and a command line.
- No system administration experience is necessary; however, content may be geared towards system administration tasks.
- No previous SELinux experience.
- People who are never going to write their own SELinux policy.
What the Documentation Covers (in no particular order, and subject to change)
From the current SELinux documentation todo list:
- "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
- Document Confined Users".
- "Update FC5 FAQ".
- "Document the use of the mount command for overriding file context".
- "Describe Audit2allow and how it can just Fix the machine".
- "Update and organize the Fedora SELinux FAQ".
SELinux Introduction:
- Brief overview.
- What SELinux can and can't do.
- Examples to explain how SELinux works (e.g., Apache HTTP).
SELinux Contexts and Attributes:
- Brief overview of objects, subjects, and object classes.
- Explain each part of SELinux labels.
Targeted Policy Overview:
- Confined and Unconfined processes.
- Confined system and user domains.
Working with SELinux:
- Installing and Upgrading packages.
- Configuration Files.
- Enable and Disable SELinux.
- semanage: booleans, labeling files, adding users, translations.
- Managing and Maintaining SELinux Labels.
Managing Users:
- Linux and SELinux user account mappings.
- Adding confined and unconfined users.
- Modifying existing users.
System Services:
- Examples, sharing content between services.
SELinux Log Files and Denials:
- auditd and setroubleshoot.
- Searching log files (ausearch).
- Interpreting AVC Denials.
- sealeart -l \*
- What to check for after a denial (DAC permissions...)
- audit2allow and audit2why.
Access Control
- Concepts of DAC, MAC, Type Enforcement®, etc.
Working with MCS and MLS
- Examples from domg472.
Project Plan
Schedule
Updated 30 September 2008 to reflect slip in Fedora 10 schedule.
Information Plan: July 14 -> July 24 (9 days)
Deliverables: Information Project Plans
Content Specification: July 25 -> August 14 (15 days)
Deliverables:
- Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
- Table of contents.
- Phase review: subject matter experts approve the plan or request modifications to content.
Implementation: August 15 -> November 8 (70 days)
Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.
Localization and Production: November 16 -> November 24 (9 days)
Translation, preparing final copies/PDFs.
Evaluation: October 29 -> October 30 (1 day)
- Evaluate the project.
- Plan maintenance cycles.
- Plan next release.
Subject Matter Experts
- Daniel Walsh
- James Morris
- Eric Paris
- domg472
- Russell Coker
- Stephen Smalley
- Karl MacMillan
- Joshua Brindle
- Christopher J. PeBenito