From Fedora Project Wiki
Line 11: Line 11:


* [http://www.nsa.gov/selinux/ National Security Agency]
* [http://www.nsa.gov/selinux/ National Security Agency]
* Russell Coker: <http://www.coker.com.au/selinux/> and <http://www.linuxjournal.com/article/9408>.
* Russell Coker: <http://www.coker.com.au/selinux/>, [http://www.linuxjournal.com/article/9408 Multi-Category Security in SELinux in Fedora Core 5], <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux].
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux].
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]

Revision as of 23:18, 1 September 2008

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

SELinux Introduction:

  • Brief overview.
  • What SELinux can and can't do.
  • Examples to explain how SELinux works (e.g., Apache HTTP).

SELinux Contexts and Attributes:

  • Brief overview of objects, subjects, and object classes.
  • Explain each part of SELinux labels.

Targeted Policy Overview:

  • Confined and Unconfined processes.
  • Confined system and user domains.

Working with SELinux:

  • Installing and Upgrading packages.
  • Configuration Files.
  • Enable and Disable SELinux.
  • semanage: booleans, labeling files, adding users, translations.
  • Managing and Maintaining SELinux Labels.

Managing Users:

  • Linux and SELinux user account mappings.
  • Adding confined and unconfined users.
  • Modifying existing users.

System Services:

  • Examples, sharing content between services.

SELinux Log Files and Denials:

  • auditd and setroubleshoot.
  • Searching log files (ausearch).
  • Interpreting AVC Denials.
  • sealeart -l \*
  • What to check for after a denial (DAC permissions...)
  • audit2allow and audit2why.

Access Control

  • Concepts of DAC, MAC, Type Enforcement®, etc.

Working with MCS and MLS

  • Examples from domg472.

Project Plan

Schedule

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Project Plans

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

  • Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
  • Table of contents.
  • Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> October 8 (39 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly and monthly reports sent to <selinux@tycho.nsa.gov>.

Localization and Production: October 9 -> October 28 (14 days)

Translation, preparing final copies/PDFs.

Evaluation: October 29 -> October 30 (1 day)

  • Evaluate the project.
  • Plan maintenance cycles.
  • Plan next release.

Risks

Too many Red Hat Enterprise Linux errata :(

Subject Matter Experts

  • Daniel Walsh
  • James Morris
  • Eric Paris
  • domg472
  • Russell Coker
  • Stephen Smalley
  • Karl MacMillan
  • Joshua Brindle
  • Christopher J. PeBenito