From Fedora Project Wiki
=== What the Documentation Covers (in no particular order, and subject to change) ===

* [[Docs/Drafts/SELinux User Guide/Previous TOC Ideas| Previous TOC Ideas]]
* [[Docs/Drafts/SELinux User Guide/Draft TOC| Draft table of contents.]]
From the current [http://selinuxproject.org/page/Documentation_TODO SELinux documentation todo list]:

-----------------------------------------
Previous TOC ideas (the earlier version of this section, which this revision replaces; see [[Docs/Drafts/SELinux User Guide/Previous TOC Ideas| Previous TOC Ideas]]):
* Basic access control concepts.
* SELinux concepts:
** Domains and Types.
** Contexts.
** Targets/Processes/Files.
* How do I find out if SELinux is enabled on my system?
* Confined and unconfined processes (<code>ps auxZ</code>).
* Main files: <code>/selinux/</code> and <code>/etc/selinux/config</code>.
* How to correctly disable SELinux (not sure if we want this ;) )
* Maintaining correct labels:
** View labels using <code>ls -Z</code>.
** Copying vs. moving files.
** Using user_home_t files on other machines, such as a user moving their <code>~/.ssh/authorized_keys</code> file to another machine.
** Relabeling an entire file system.
** Possible problems caused by running in permissive mode, such as having permission to mislabel files.
** [https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00000.html Mislabeled files], relabeled but still problems, <code>touch /.autorelabel</code> (Dan's journal).
* Red Hat Enterprise Linux 5 Deployment Guide: [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux].
* SELinux and virtualization (relabeling images if images are not in <code>/etc/xen/</code>).
* Logging:
** Are SELinux denials taking up too much space? This came from #selinux.
** Amount of denials in permissive mode vs. enforcing mode.
** Searching for specific denials (from #selinux: <code>/sbin/ausearch -m avc -ts today | grep search | head -n 1</code>, <code>sealert -l \*</code>).
** Where are the log files kept? (<code>/var/log/audit/audit.d</code>, <code>/var/log/messages</code>, etc. Basic explanation of which one will be used.)
* Basic interpretation of SELinux denials, and where to get help (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
<pre>
(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc: 
denied  { search } for  pid=726 comm="busybox" name="" , what is the meaning of name="" ?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects,  
object aren't just file object but there also other kinds of object that may not carry a  
name for example ports interfaces or the objects of subject ( process objects )"
</pre>
* Controlling system daemons with booleans:
** <code>getsebool -a</code>, <code>setsebool -P</code>; how to find information about booleans listed from getsebool.
** Common items people want to change.
* [https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00061.html Installing and upgrading SELinux packages.]
** Upgrade problems if you start from a non-SELinux labeled file system?
** Missing SELinux users (<code>semanage user -l</code>)
* Not running X: <code>setroubleshoot-server</code>, run <code>sealert -l \*</code>, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>.
* Confining Users
** <http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users/>.
** <http://www.redhatmagazine.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux>.
* Mounting:
** Do mount points need to be <code>mnt_t</code>?

Commands:
<pre>
getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole
</pre>

Revision as of 06:08, 24 July 2008

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejournal.com into a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

  • Previous TOC Ideas (Docs/Drafts/SELinux User Guide/Previous TOC Ideas)
  • Draft table of contents (Docs/Drafts/SELinux User Guide/Draft TOC)

From the current SELinux documentation todo list (<http://selinuxproject.org/page/Documentation_TODO>):

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • "Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

SELinux Preface:

  • What SELinux does
  • What SELinux can not do
  • Performance Impact (from running SELinux)
  • "A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).": <http://selinuxproject.org/page/Documentation_TODO>
  • Example (compare to a submarine with compartments, if one has leaked, the water does not leak to the next compartment, and the submarine does not sink)
  • Other Distributions (enabled by default on Fedora, not by default on Debian? <http://wiki.debian.org/SELinux>)

SELinux Basics:

  • If you don't do anything else with SELinux at least do these things...

Access Control:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Multi-Level Security (MLS)
  • Multi-Category Security (MCS)
  • Type Enforcement
  • Role Based Access Control

SELinux Introduction:

  • See 44.7. SELinux Policy Overview <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0001.html>
  • Overview of SELinux policy (the SELinux framework is responsible for enforcing policy, hooks in the Linux kernel, etc.)
  • SELinux packages (selinux-policy-*)
  • Important Files (/etc/selinux/, /selinux/)

Targeted Policy Overview: <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/sec-sel-policy-targeted-oview.html>

Multi-Category Security:

  • <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/sec-mcs-getstarted.html>
  • <http://www.linuxjournal.com/article/9408>

SELinux Contexts and Attributes:

  • The SELinux Security Context Tuple
  • SELinux Users
  • SELinux Role (attribute of Role Based Access Control)
  • Type attribute (attribute of Type Enforcement)
  • Categories (attribute for security level enforcement (MLS), or category enforcement (MCS))

Subjects and Objects:

  • Objects on a Linux system (files, sockets, interfaces, and so on; ls -lZ)
  • Subjects on a Linux system (processes (ps auxZ); note also that processes are represented as objects in /proc/)
  • Classes and Attributes (example file object class and attributes: file read, dir write, etc. These are statically defined in the Linux kernel; however, users can assign types to subjects and objects, as well as defining a policy for these types, so that these types can interact using object classes and their attributes supplied by the Linux kernel)

  • Domain Type (attribute of a process, user_t (user) domain type of "user")
  • Object Type (attribute of an object or file. Do not mistake files with file objects/file types. A file is any object)

Working with SELinux

  • Installing and Upgrading SELinux packages (missing SELinux users, upgrade problems on systems not running SELinux initially, required packages for other policies, MLS, MCS, etc. mcstransd is not installed by default on Fedora 9)
  • Enabling and Disabling SELinux (is it enabled, temporarily and permanently turn it on and off, kernel boot options, etc., sestatus, setenforce, getenforce)
  • Introduction to Tools and Commands (semanage, system-config-selinux, restorecon, etc.)
  • semanage
  • system-config-selinux (GUI for semanage)
  • Booleans (allow you to configure certain parts of policies without recompiling, semanage boolean, also mention getsebool -a and setsebool -P. Mention man pages for targeted booleans)
  • Labeling Files and Objects (semanage fcontext -a, semanage vs. chcon)
  • Labeling Ports and Objects (semanage port -a)
  • Explain each option: setting booleans, adding users, translations.
  • Translations and mcstransd (required mcstransd, examples from domg472)
  • restorecond and fixfiles
  • Managing SELinux Labels
  • Viewing Labels (ls -lZ)
  • Copying vs. Moving files (how it affects the SELinux context, moving files from one machine to another, e.g. the SSH authorized_keys file)
  • star and tar
  • Mislabeled Files
  • Relabeling a File System (/tmp will not be relabeled: <http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html>)
  • Problems running in Permissive mode (allowed to use mislabeled files, change labels freely, etc.)
  • Mounting (mnt_t, booleans, override contexts with the mount command: <http://selinuxproject.org/page/Documentation_TODO>)
  • Using newrole to...

Managing Users:

  • Linux and SELinux user accounts (mappings, semanage login -l and semanage user -l)
  • User Categories (xguest, user_u, staff_u, etc.)
  • Adding a Confined User
  • Adding an Unconfined User
  • Modifying Existing Users (usermod -Z, semanage login -m)

Working with System Services: ( link to man page for each, eg httpd_selinux(8) )

  • Transitions (maybe use httpd as an example)
  • Apache (contexts; sharing files to Samba (public_content_t, public_content_rw_t, then maybe setsebool -P allow_smbd_anon_write=on); using a different port; etc.)
  • NFS
  • Samba
  • BIND (contexts to write to log files, read configuration files, and so on)

Working with MLS and MCS:

  • Refer to domg472 examples.
  • <http://www.linuxjournal.com/article/9408>

SELinux Log Files and Denials:

  • auditd and syslog (where are log files kept: /var/log/audit/audit.d and /var/log/messages)
  • Controlling where Log files are written to?
  • sealert -l \* and setroubleshootd (advantages, limitations, and how they relate to audit.d. Not running X: use setroubleshoot-server)
  • Searching log files (/sbin/ausearch -m avc -ts today | grep search | head -n 1, sealert -l \*; ausearch by command name (-c) or by hostname (-h))
  • What to check after a Denial
  • Interpreting AVC Denials (refer todo item: <http://selinuxproject.org/page/Documentation_TODO>)
  • audit2allow
  • audit2why
  • Are SELinux log files too large? (size of logs in permissive mode Vs enforcing.)
  • Asking for help (the information an SELinux guru needs to help solve your problem)
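As an added example for the denial-interpretation items above and for the name="" question quoted from #selinux (this is not code from the page or from the guide draft): a small Python parser for AVC records from the audit log that pulls out the fields a helper asks for first and narrows them the way the ausearch commands listed above do. The audit records are constructed for the example, and the initrc_t, root_t and user_home_t contexts in them are assumed sample values.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records (not from the page). The first mirrors the
# name="" question quoted from #selinux; the third is the guide's own
# "Apache cannot read user_home_t files" situation. Contexts are assumed values.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1216043069.444:37): avc:  denied  { search } for  pid=726 comm="busybox" name="" dev=sda1 ino=2 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1216043069.444:37): arch=40000003 syscall=5 success=no exit=-13 comm="busybox"
type=AVC msg=audit(1216043100.120:41): avc:  denied  { read } for  pid=2214 comm="httpd" name="index.html" dev=sda3 ino=8193 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict]:
    """Return the fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written on the type.
    for ctx, typ in (("scontext", "stype"), ("tcontext", "ttype")):
        if ctx in rec:
            rec[typ] = rec[ctx].split(":")[2]
    return rec


def summarize(rec: Dict) -> str:
    """One line with what a helper needs first: source type, permission, object
    class and target type. An empty name= means the kernel recorded no name for
    the object, which is normal for objects that do not carry one."""
    target = f'"{rec["name"]}"' if rec.get("name") else "(no name recorded)"
    return (f'{rec["stype"]} (pid {rec["pid"]}, comm {rec["comm"]}) was {rec["result"]} '
            f'{" ".join(rec["perms"])} on {rec["tclass"]} {target} labelled {rec["ttype"]}')


def find_denials(log: str, perm: Optional[str] = None, comm: Optional[str] = None) -> List[Dict]:
    """Filter like `ausearch -m avc`, with -c narrowing by command name and the
    permission filter the outline does with grep."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if perm is not None and perm not in rec["perms"]:
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        out.append(rec)
    return out
```

Running `summarize` over `find_denials(SAMPLE_AUDIT_LOG)` gives one line per denial; pass `perm="search"` or `comm="httpd"` to narrow it as the ausearch/grep pipeline above does.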