From Fedora Project Wiki
(→Information Sources: adding link to NSA - thanks domg472) |
m (→What the Documentation Covers (in no particular order, and subject to change): moving current selinux project goals to the top so they do not get lost) |
||
| Line 39: | Line 39: | ||
=== What the Documentation Covers (in no particular order, and subject to change) === | === What the Documentation Covers (in no particular order, and subject to change) === | ||
From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]: | |||
* "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information". | |||
* Document Confined Users". | |||
* "Update FC5 FAQ". | |||
* "Document the use of the mount command for overriding file context". | |||
* "Describe Audit2allow and how it can just Fix the machine". | |||
* "Update and organize the Fedora SELinux FAQ". | |||
----------------------------------------- | |||
* Basic access control concepts. | * Basic access control concepts. | ||
| Line 94: | Line 104: | ||
newrole | newrole | ||
</pre> | </pre> | ||
Revision as of 09:53, 19 July 2008
Phase 1: Information Planning
Deliverables and Milestones
- Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
- Project Plan: an estimation of the time and resources required to complete the project.
Information Sources
- National Security Agency
- RHS429 course.
- Current SELinux project documentation todo list.
- Red Hat Enterprise Linux 5 Deployment Guide:
- Red Hat Enterprise Linux 4 SELinux Guide: Working with SELinux.
- Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
- IRC: #fedora-selinux and #selinux
- fedora-selinux-list archives.
- Fedora SELinux Wiki.
- Blogs: <http://danwalsh.livejournal.com/>, <http://planet.fedoraproject.org/>, and <http://etbe.coker.com.au/>.
- SELinux news.
- SELinux webcast.
- Confining Users.
Purpose of the Documentation
- Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
- Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
- Give users information needed to do what they want without turning SELinux off.
- From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".
Audience
- Familiar with using a Linux computer and a command line.
- No system administration experience is necessary; however, content may be geared towards system administration tasks.
- No previous SELinux experience.
- People who are never going to write their own SELinux policy.
What the Documentation Covers (in no particular order, and subject to change)
From the current SELinux documentation todo list:
- "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
- Document Confined Users".
- "Update FC5 FAQ".
- "Document the use of the mount command for overriding file context".
- "Describe Audit2allow and how it can just Fix the machine".
- "Update and organize the Fedora SELinux FAQ".
- Basic access control concepts.
- SELinux concepts:
- Domains and Types.
- Contexts.
- Targets/Processes/Files.
- How do I find out if SELinux is enabled on my system?
- Confined and unconfined processes (
ps auxZ). - Main files:
/selinux/and/etc/selinux/config. - How to correctly disable SELinux (not sure if we want this ;) )
- Maintaining correct labels:
- View labels using
ls -Z - Copying Vs moving files.
- Using user_home_t files on other machines, such as a user moving their
~/.ssh/authorized_keysfile to another machine. - Relabeling an entire file system.
- Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
- mislabeled files, relabeled but still problems,
touch /.autorelabel(Dans journal).
- View labels using
- Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
- SELinux and virtualization (relabeling images if images are not in
/etc/xen/). - Logging:
- Are SELinux denials taking up too much space? This came from #selinux.
- Amount of denials in permissive mode Vs enforcing mode.
- Searching for specific denials (from #selinux,
"/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*"). - Where are the log files kept? (
/var/log/audit/audit.d,/var/log/messages, etc. Basic explanation of which one will be used).
- Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc:
denied { search } for pid=726 comm="busybox" name="" , what is the meaning of name="" ?
"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects,
object arent just file object but there also other kimds of object that may not carry a
name for example ports interfaces or the ojects of subject ( process objects )"
- Controlling system daemons with booleans:
getsebool -a,setsebool -P; how to find information about booleans listed from getsebool.- Common items people want to change.
- Installing and upgrading SELinux packages.
- Upgrade problems if you start from a non-SELinux labeled file system?
- Missing SELinux users (
semanage user -l)
- Not running X :
setroubleshoot-server, runsealert -l \*, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>. - Confining Users
- Mounting:
- Do mount points need to be
mnt_t?
- Do mount points need to be
Commands:
getsebool -a setsebool -P sestatus -v restorecon fixfiles newrole