Latest revision as of 13:50, 18 September 2016

Phase 1: Information Planning

Deliverables and Milestones

Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.

Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources

National Security Agency
Russell Coker: <http://www.coker.com.au/selinux/>, Multi-Category Security in SELinux in Fedora Core 5, <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
James Morris: Have You Driven an SELinux Lately?, An Overview of Multilevel Security and LSPP under Linux.
SELinux Symposium and Developer Summit
Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)
What is Security-Enhanced Linux?
RHS429 course.
Taking advantage of SELinux in Red Hat® Enterprise Linux®
Current SELinux project documentation todo list.
Gentoo Wiki HOWTO Understand SELinux
SELinux Reference Policy
Introduction to Multilevel Security, Dr. Rick Smith.
Red Hat Enterprise Linux 5 Deployment Guide:
- End User Control of SELinux.
Fedora Core 5 SELinux FAQ
Fedora SELinux/FAQ
Red Hat Enterprise Linux 4 SELinux Guide: Working with SELinux.
Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
IRC: #fedora-selinux and #selinux
fedora-selinux-list archives.
Fedora SELinux Wiki.
Blogs: <http://danwalsh.livejournal.com/>, <http://planet.fedoraproject.org/>, and <http://etbe.coker.com.au/>.
SELinux news.
SELinux webcast.
Confining Users.
Common Criteria Evaluation and Validation Scheme Validation Report
Risk report: Three years of Red Hat Enterprise Linux 4
Tresys (Mitigation News).
Integrating Flexible Support for Security Policies into the Linux Operating System.
Meeting Critical Security Objectives with Security-Enhanced Linux.

Purpose of the Documentation

Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
Give users information needed to do what they want without turning SELinux off.
From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

Familiar with using a Linux computer and a command line.
No system administration experience is necessary; however, content may be geared towards system administration tasks.
No previous SELinux experience.
People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

Previous TOC Ideas

From the current SELinux documentation todo list:

"Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
Document Confined Users".
"Update FC5 FAQ".
"Document the use of the mount command for overriding file context".
"Describe Audit2allow and how it can just Fix the machine".
"Update and organize the Fedora SELinux FAQ".

SELinux Introduction:

Brief overview.
What SELinux can and can't do.
Examples to explain how SELinux works (e.g., Apache HTTP).

SELinux Contexts and Attributes:

Brief overview of objects, subjects, and object classes.
Explain each part of SELinux labels.

Targeted Policy Overview:

Confined and Unconfined processes.
Confined system and user domains.

Working with SELinux:

Installing and Upgrading packages.
Configuration Files.
Enable and Disable SELinux.
semanage: booleans, labeling files, adding users, translations.
Managing and Maintaining SELinux Labels.

Managing Users:

Linux and SELinux user account mappings.
Adding confined and unconfined users.
Modifying existing users.

System Services:

Examples, sharing content between services.

SELinux Log Files and Denials:

auditd and setroubleshoot.
Searching log files (ausearch).
Interpreting AVC Denials.
sealeart -l \*
What to check for after a denial (DAC permissions...)
audit2allow and audit2why.

Access Control

Concepts of DAC, MAC, Type Enforcement®, etc.

Working with MCS and MLS

Examples from domg472.

Project Plan

Schedule

Updated 30 September 2008 to reflect slip in Fedora 10 schedule.

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Project Plans

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
Table of contents.
Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> November 8 (70 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.

Localization and Production: November 16 -> November 24 (9 days)

~~Translation~~, preparing final copies/PDFs.

Evaluation: October 29 -> October 30 (1 day)

Evaluate the project.
Plan maintenance cycles.
Plan next release.

Subject Matter Experts

Daniel Walsh
James Morris
Eric Paris
domg472
Russell Coker
Stephen Smalley
Karl MacMillan
Joshua Brindle
Christopher J. PeBenito

@@ Line 11: / Line 11: @@
 * [http://www.nsa.gov/selinux/ National Security Agency]
-* Russell Coker: <http://www.coker.com.au/selinux/> and <http://www.linuxjournal.com/article/9408>.
+* Russell Coker: <http://www.coker.com.au/selinux/>, [http://www.linuxjournal.com/article/9408 Multi-Category Security in SELinux in Fedora Core 5], <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
-* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?]
+* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux].
 * [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]
+* [http://docs.fedoraproject.org/selinux-apache-fc3/ Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)]
 * [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?]
 * [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course].
@@ Line 20: / Line 21: @@
 * [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki HOWTO Understand SELinux]
 * [http://oss.tresys.com/projects/refpolicy SELinux Reference Policy]
+* [http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html Introduction to Multilevel Security, Dr. Rick Smith].
 * Red Hat Enterprise Linux 5 Deployment Guide:
 ** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux].
 * [http://docs.fedoraproject.org/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ]
-* [http://fedoraproject.org/wiki/SELinux/FAQ Fedora SELinux/FAQ]
+* [[SELinux/FAQ|Fedora SELinux/FAQ]]
 * Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux].
 * Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
@@ Line 34: / Line 36: @@
 * [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users.]
 * [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report]
+* [http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ Risk report: Three years of Red Hat Enterprise Linux 4]
+* [http://www.tresys.com/innovation.php Tresys (Mitigation News).]
+* [http://www.nsa.gov/selinux/papers/freenix01/freenix01.html Integrating Flexible Support for Security Policies into the Linux Operating System.]
+* [http://www.nsa.gov/selinux/papers/ottawa01/index.html Meeting Critical Security Objectives with Security-Enhanced Linux.]
 === Purpose of the Documentation ===
@@ Line 106: / Line 112: @@
 '''Access Control'''
-* Concepts of DAC, MAC, Type Enforcement, etc.
+* Concepts of DAC, MAC, Type Enforcement®, etc.
 '''Working with MCS and MLS'''
@@ Line 115: / Line 121: @@
 == Schedule ==
+Updated 30 September 2008 to reflect slip in Fedora 10 schedule.
 ==='''Information Plan:''' July 14 -> July 24 (9 days)===
@@ Line 125: / Line 133: @@
 * Phase review: subject matter experts approve the plan or request modifications to content.
-==='''Implementation:''' August 15 -> October 8 (39 days)===
+==='''Implementation:''' August 15 -> November 8 (70 days) ===
-Designs for style, prototype sections, first, second, and approved drafts, weekly and monthly reports sent to <selinux@tycho.nsa.gov>.
+Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.
-==='''Localization and Production:''' October 9 -> October 28 (14 days)===
+==='''<strike>Localization and</strike> Production:''' November 16 -> November 24 (9 days)===
-Translation, preparing final copies/PDFs.
+<strike>Translation</strike>, preparing final copies/PDFs.
-==='''Evaluation:''' October 29 -> October 30 (1 day)===
+==='''Evaluation:''' <strike>October 29 -> October 30 (1 day)</strike>===
 * Evaluate the project.
 * Plan maintenance cycles.
 * Plan next release.
-= Risks =
-Too many Red Hat Enterprise Linux errata :(
 = Subject Matter Experts =
@@ Line 146: / Line 150: @@
 * domg472
 * Russell Coker
-* Steven Smalley
+* Stephen Smalley
 * Karl MacMillan
 * Joshua Brindle
 * Christopher J. PeBenito
+[[Category:SELinux docs]]

Search

Docs/Drafts/SELinux User Guide/SELinux Information Plan: Difference between revisions