From Fedora Project Wiki
(→Information Sources: adding another link) |
(→What the Documentation Covers (in no particular order, and subject to change): link to new page) |
||
Line 44: | Line 44: | ||
=== What the Documentation Covers (in no particular order, and subject to change) === | === What the Documentation Covers (in no particular order, and subject to change) === | ||
* [[Docs/Drafts/SELinux User Guide/Draft TOC| Draft table of contents.]] | |||
From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]: | From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]: | ||
* "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information". | * "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information". |
Revision as of 06:39, 22 July 2008
Phase 1: Information Planning
Deliverables and Milestones
- Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
- Project Plan: an estimation of the time and resources required to complete the project.
Information Sources
- National Security Agency
- Russell Coker: <http://www.coker.com.au/selinux/> and <http://www.linuxjournal.com/article/9408>.
- James Morris: Have You Driven an SELinux Lately?
- What is Security-Enhanced Linux?
- RHS429 course.
- Current SELinux project documentation todo list.
- Red Hat Enterprise Linux 5 Deployment Guide:
- Red Hat Enterprise Linux 4 SELinux Guide: Working with SELinux.
- Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
- IRC: #fedora-selinux and #selinux
- fedora-selinux-list archives.
- Fedora SELinux Wiki.
- Blogs: <http://danwalsh.livejournal.com/>, <http://planet.fedoraproject.org/>, and <http://etbe.coker.com.au/>.
- SELinux news.
- SELinux webcast.
- Confining Users.
- Common Criteria Evaluation and Validation Scheme Validation Report
Purpose of the Documentation
- Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
- Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
- Give users information needed to do what they want without turning SELinux off.
- From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".
Audience
- Familiar with using a Linux computer and a command line.
- No system administration experience is necessary; however, content may be geared towards system administration tasks.
- No previous SELinux experience.
- People who are never going to write their own SELinux policy.
What the Documentation Covers (in no particular order, and subject to change)
From the current SELinux documentation todo list:
- "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
- Document Confined Users".
- "Update FC5 FAQ".
- "Document the use of the mount command for overriding file context".
- "Describe Audit2allow and how it can just Fix the machine".
- "Update and organize the Fedora SELinux FAQ".
- suggestions from domg472.
- Basic access control concepts.
- SELinux concepts:
- Domains and Types.
- Contexts.
- Targets/Processes/Files.
- How do I find out if SELinux is enabled on my system?
- Confined and unconfined processes (
ps auxZ
). - Main files:
/selinux/
and/etc/selinux/config
. - How to correctly disable SELinux (not sure if we want this ;) )
- Maintaining correct labels:
- View labels using
ls -Z
- Copying Vs moving files.
- Using user_home_t files on other machines, such as a user moving their
~/.ssh/authorized_keys
file to another machine. - Relabeling an entire file system.
- Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
- mislabeled files, relabeled but still problems,
touch /.autorelabel
(Dans journal).
- View labels using
- Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
- SELinux and virtualization (relabeling images if images are not in
/etc/xen/
). - Logging:
- Are SELinux denials taking up too much space? This came from #selinux.
- Amount of denials in permissive mode Vs enforcing mode.
- Searching for specific denials (from #selinux,
"/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*"
). - Where are the log files kept? (
/var/log/audit/audit.d
,/var/log/messages
, etc. Basic explanation of which one will be used).
- Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc: denied { search } for pid=726 comm="busybox" name="" , what is the meaning of name="" ? "(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, object arent just file object but there also other kimds of object that may not carry a name for example ports interfaces or the ojects of subject ( process objects )"
- Controlling system daemons with booleans:
getsebool -a
,setsebool -P
; how to find information about booleans listed from getsebool.- Common items people want to change.
- Installing and upgrading SELinux packages.
- Upgrade problems if you start from a non-SELinux labeled file system?
- Missing SELinux users (
semanage user -l
)
- Not running X :
setroubleshoot-server
, runsealert -l \*
, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>. - Confining Users
- Mounting:
- Do mount points need to be
mnt_t
?
- Do mount points need to be
Commands:
getsebool -a setsebool -P sestatus -v restorecon fixfiles newrole