Docs/Drafts/SELinux User Guide/SELinux Information Plan

From FedoraProject

< Docs | Drafts | SELinux User Guide
Revision as of 00:48, 28 February 2009 by Laubersm (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

SELinux Introduction:

  • Brief overview.
  • What SELinux can and can't do.
  • Examples to explain how SELinux works (e.g., Apache HTTP).

SELinux Contexts and Attributes:

  • Brief overview of objects, subjects, and object classes.
  • Explain each part of SELinux labels.

Targeted Policy Overview:

  • Confined and Unconfined processes.
  • Confined system and user domains.

Working with SELinux:

  • Installing and Upgrading packages.
  • Configuration Files.
  • Enable and Disable SELinux.
  • semanage: booleans, labeling files, adding users, translations.
  • Managing and Maintaining SELinux Labels.

Managing Users:

  • Linux and SELinux user account mappings.
  • Adding confined and unconfined users.
  • Modifying existing users.

System Services:

  • Examples, sharing content between services.

SELinux Log Files and Denials:

  • auditd and setroubleshoot.
  • Searching log files (ausearch).
  • Interpreting AVC Denials.
  • sealeart -l \*
  • What to check for after a denial (DAC permissions...)
  • audit2allow and audit2why.

Access Control

  • Concepts of DAC, MAC, Type Enforcement®, etc.

Working with MCS and MLS

  • Examples from domg472.

Project Plan

Schedule

Updated 30 September 2008 to reflect slip in Fedora 10 schedule.

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Project Plans

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

  • Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
  • Table of contents.
  • Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> November 8 (70 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.

Localization and Production: November 16 -> November 24 (9 days)

Translation, preparing final copies/PDFs.

Evaluation: October 29 -> October 30 (1 day)

  • Evaluate the project.
  • Plan maintenance cycles.
  • Plan next release.

Subject Matter Experts

  • Daniel Walsh
  • James Morris
  • Eric Paris
  • domg472
  • Russell Coker
  • Stephen Smalley
  • Karl MacMillan
  • Joshua Brindle
  • Christopher J. PeBenito