From Fedora Project Wiki

Revision as of 00:01, 14 August 2008 by Mdious

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejournal.com into a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • "Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

The following is a draft, and may contain spelling mistakes:

SELinux Introduction:

  • What SELinux can do
  • What SELinux can not do
  • Performance Impact (from running SELinux)
  • "A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).": <http://selinuxproject.org/page/Documentation_TODO>
  • Policy overview <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0001.html> (SELinux framework enforces the policy, hooks in the kernel, and so on)
  • Example (compare to a submarine with compartments, if one has leaked, the water does not leak to the next compartment, and the submarine does not sink)
  • Example: Apache server has been compromised, but can not interact with other services, or read anything that is not labeled httpd_sys_content_t
  • Other Distributions (enabled by default on Fedora, not by default on Debian? (<http://wiki.debian.org/SELinux>))

SELinux Basics:

  • If you do not do anything else with SELinux at least do these things...

SELinux Contexts and Attributes:

  • Objects
  • SELinux security context triple
  • Categories (attribute for security level enforcement (MLS), or category enforcement (MCS))
  • Subjects
  • Object classes (brief)

Targeted Policy Overview:

Working with SELinux

  • Installing (selinux-policy-*) and Upgrading SELinux packages (missing SELinux users, upgrade problems on systems that were not initially running SELinux, packages required for other policies such as MLS and MCS; mcstransd is not installed by default on Fedora 9)
  • Important Files (/etc/selinux/, /selinux/)
  • Enabling and Disabling SELinux (is it enabled, temporarily and permanently turn it on and off, kernel boot options, etc, sestatus (reads from /etc/selinux/config), setenforce, getenforce)
  • semanage
    • system-config-selinux (GUI for semanage)
    • Booleans (allow you to configure certain parts of policies without recompiling, semanage boolean, also mention getsebool -a and setsebool -P. Mention man pages for targeted booleans)
    • Labeling Files and Objects (semanage fcontext -a, semanage Vs chcon)
    • Labeling Ports and Objects (semanage port -a, and how to close ports)
    • Explain each option: setting booleans, adding users, translations.
    • Translations and mcstransd (required mcstransd, examples from domg472)
    • restorecond and fixfiles
  • Managing and Maintaining SELinux Labels
    • Viewing Labels (ls -lZ)
    • Copying Vs Moving files (how it affects the SELinux context, moving files from one machine to another, e.g., the SSH authorized_keys file)
    • rpm
    • star and tar
    • mkdir, for example, mkdir -Z selinuxuser:role:type directory-name
    • Mislabeled Files
    • Relabeling a File System (/tmp will not be relabeled: <http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html>. touch /.autorelabel followed by a reboot is easy, but restorecon -R -v /path/to/file should be used instead, followed by restorecon -R -v /topleveldirectory-tofile)
    • Problems running in Permissive mode (allowed to use mislabeled files, change labels freely, etc)
  • Mounting (mnt_t, booleans, override contexts with the mount command: <http://selinuxproject.org/page/Documentation_TODO>)
  • Using newrole to...and newrole Vs sudo.

Managing Users:

  • Linux and SELinux user accounts (mappings, semanage login -l and semanage user -l, usermod -Z, useradd -Z)

  • User Categories (xguest, user_u, staff_u, etc)
  • Adding a Confined User
  • Adding an Unconfined User
  • Modifying Existing Users (usermod -Z, semanage login -m)

Working with System Services: (link to the man page for each, e.g. httpd_selinux(8))

  • Transitions (maybe use httpd as an example)
  • Apache (contexts, sharing files with Samba (public_content_t, public_content_rw_t, then maybe setsebool -P allow_smbd_anon_write=on), using a different port, etc)

  • NFS
  • Samba
  • BIND (contexts to write to log files, read configuration files, and so on)

SELinux Log Files and Denials:

  • auditd and syslog (where are log files kept: /var/log/audit/audit.d and /var/log/messages)
  • Controlling where Log files are written to?
  • sealert -l * and setroubleshootd (advantages, limitations, and how they relate to audit.d. When not running X, use setroubleshoot-server)

  • Searching log files (/sbin/ausearch -m avc -ts today | grep search | head -n 1, semanage -l *. ausearch for command name (-c), certain hostname (-h), auditctl, aureport, ausearch, and setools-console)

  • What to check after a denial / questions to ask when a denial occurs.
  • What if there are no denials, but actions are denied?
    • dontaudit, is DAC denying access?
  • Interpreting AVC Denials (refer todo item: <http://selinuxproject.org/page/Documentation_TODO>)
  • audit2allow
  • audit2why
  • Are SELinux log files too large? (size of logs in permissive mode Vs enforcing.)
  • Asking for help (the information an SELinux guru needs to help solve your problem)
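An added example, not part of the wiki plan or of any Fedora tool: a small POSIX shell parser that pulls the fields out of an AVC denial of the kind the "Interpreting AVC Denials" and "searching log files" items refer to. The audit line it runs over is constructed here (pid, inode and serial are made up) and mirrors the plan's Apache-cannot-read-user_home_t case.

```shell
#!/bin/sh
# Added example (not from the wiki plan): pull the fields that matter out of
# an AVC denial as written to /var/log/audit/audit.log. The line below is
# constructed for this example; the pid, inode and audit serial are made up.
SAMPLE_AVC='type=AVC msg=audit(1218672000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: print the value of the first KEY=VALUE token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_permissions LINE: print the permission list between { and }, e.g. "read".
avc_permissions() {
    printf '%s\n' "$1" | sed 's/.*{ *//; s/ *}.*//'
}

# context_type CONTEXT: the type field of a user:role:type[:level] context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one readable sentence built from the same facts
# (source type, permission, object class, target type) that audit2why reasons from.
avc_summary() {
    line="$1"
    printf '%s (%s) was denied "%s" on %s %s labeled %s\n' \
        "$(avc_field "$line" comm)" \
        "$(context_type "$(avc_field "$line" scontext)")" \
        "$(avc_permissions "$line")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)" \
        "$(context_type "$(avc_field "$line" tcontext)")"
}

avc_summary "$SAMPLE_AVC"
```

On a live system the same functions can be fed one line at a time from ausearch -m avc output.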

Access Control:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Multi-Level Security (MLS)
  • Multi-Category Security (MCS)
  • Type Enforcement (TE)
  • Role Based Access Control (RBAC)

Working with MCS and MLS:

Project Plan

Schedule

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Plan and Project Plan

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

  • Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
  • Table of contents.
  • Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> October 8 (39 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly and monthly reports sent to <selinux@tycho.nsa.gov>.

Localization and Production: October 9 -> October 28 (14 days)

Translation, preparing final copies/PDFs.

Evaluation: October 29 -> October 30 (1 day)

  • Evaluate the project.
  • Plan maintenance cycles.
  • Plan next release.

Risks

Too many Red Hat Enterprise Linux errata :(

Subject Matter Experts

  • Daniel Walsh
  • James Morris
  • Eric Paris
  • domg472
  • Russell Coker
  • Steven Smalley
  • Karl MacMillan
  • Joshua Brindle
  • Christopher J. PeBenito