From Fedora Project Wiki
m (internal link cleaning)
 
(13 intermediate revisions by 2 users not shown)
Line 11: Line 11:


* [http://www.nsa.gov/selinux/ National Security Agency]
* [http://www.nsa.gov/selinux/ National Security Agency]
* Russell Coker: <http://www.coker.com.au/selinux/> and <http://www.linuxjournal.com/article/9408>.
* Russell Coker: <http://www.coker.com.au/selinux/>, [http://www.linuxjournal.com/article/9408 Multi-Category Security in SELinux in Fedora Core 5], <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?]
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux].
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]
* [http://docs.fedoraproject.org/selinux-apache-fc3/ Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)]
* [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?]
* [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?]
* [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course].
* [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course].
Line 20: Line 21:
* [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki HOWTO Understand SELinux]
* [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki HOWTO Understand SELinux]
* [http://oss.tresys.com/projects/refpolicy SELinux Reference Policy]
* [http://oss.tresys.com/projects/refpolicy SELinux Reference Policy]
* [http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html Introduction to Multilevel Security, Dr. Rick Smith].
* Red Hat Enterprise Linux 5 Deployment Guide:
* Red Hat Enterprise Linux 5 Deployment Guide:
** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux].
** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux].
* [http://docs.fedoraproject.org/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ]
* [http://docs.fedoraproject.org/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ]
* [http://fedoraproject.org/wiki/SELinux/FAQ Fedora SELinux/FAQ]
* [[SELinux/FAQ|Fedora SELinux/FAQ]]
* Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux].
* Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux].
* Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
* Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
Line 34: Line 36:
* [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users.]
* [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users.]
* [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report]
* [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report]
* [http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ Risk report: Three years of Red Hat Enterprise Linux 4]
* [http://www.tresys.com/innovation.php Tresys (Mitigation News).]
* [http://www.nsa.gov/selinux/papers/freenix01/freenix01.html Integrating Flexible Support for Security Policies into the Linux Operating System.]
* [http://www.nsa.gov/selinux/papers/ottawa01/index.html Meeting Critical Security Objectives with Security-Enhanced Linux.]


=== Purpose of the Documentation ===
=== Purpose of the Documentation ===
Line 106: Line 112:
'''Access Control'''
'''Access Control'''


* Concepts of DAC, MAC, Type Enforcement, etc.
* Concepts of DAC, MAC, Type Enforcement®, etc.


'''Working with MCS and MLS'''
'''Working with MCS and MLS'''
Line 115: Line 121:


== Schedule ==
== Schedule ==
Updated 30 September 2008 to reflect slip in Fedora 10 schedule.


==='''Information Plan:''' July 14 -> July 24 (9 days)===
==='''Information Plan:''' July 14 -> July 24 (9 days)===
Line 125: Line 133:
* Phase review: subject matter experts approve the plan or request modifications to content.
* Phase review: subject matter experts approve the plan or request modifications to content.


==='''Implementation:''' August 15 -> October 8 (39 days)===
==='''Implementation:''' August 15 -> November 8 (70 days) ===
Designs for style, prototype sections, first, second, and approved drafts, weekly and monthly reports sent to <selinux@tycho.nsa.gov>.
Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.


==='''Localization and Production:''' October 9 -> October 28 (14 days)===
==='''<strike>Localization and</strike> Production:''' November 16 -> November 24 (9 days)===
Translation, preparing final copies/PDFs.
<strike>Translation</strike>, preparing final copies/PDFs.


==='''Evaluation:''' October 29 -> October 30 (1 day)===
==='''Evaluation:''' <strike>October 29 -> October 30 (1 day)</strike>===
* Evaluate the project.
* Evaluate the project.
* Plan maintenance cycles.
* Plan maintenance cycles.
* Plan next release.
* Plan next release.
= Risks =
Too many Red Hat Enterprise Linux errata :(


= Subject Matter Experts =
= Subject Matter Experts =
Line 146: Line 150:
* domg472
* domg472
* Russell Coker
* Russell Coker
* Steven Smalley
* Stephen Smalley
* Karl MacMillan
* Karl MacMillan
* Joshua Brindle
* Joshua Brindle
* Christopher J. PeBenito
* Christopher J. PeBenito
[[Category:SELinux docs]]

Latest revision as of 13:50, 18 September 2016

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

SELinux Introduction:

  • Brief overview.
  • What SELinux can and can't do.
  • Examples to explain how SELinux works (e.g., Apache HTTP).

SELinux Contexts and Attributes:

  • Brief overview of objects, subjects, and object classes.
  • Explain each part of SELinux labels.

Targeted Policy Overview:

  • Confined and Unconfined processes.
  • Confined system and user domains.

Working with SELinux:

  • Installing and Upgrading packages.
  • Configuration Files.
  • Enable and Disable SELinux.
  • semanage: booleans, labeling files, adding users, translations.
  • Managing and Maintaining SELinux Labels.

Managing Users:

  • Linux and SELinux user account mappings.
  • Adding confined and unconfined users.
  • Modifying existing users.

System Services:

  • Examples, sharing content between services.

SELinux Log Files and Denials:

  • auditd and setroubleshoot.
  • Searching log files (ausearch).
  • Interpreting AVC Denials.
  • sealeart -l \*
  • What to check for after a denial (DAC permissions...)
  • audit2allow and audit2why.

Access Control

  • Concepts of DAC, MAC, Type Enforcement®, etc.

Working with MCS and MLS

  • Examples from domg472.

Project Plan

Schedule

Updated 30 September 2008 to reflect slip in Fedora 10 schedule.

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Project Plans

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

  • Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
  • Table of contents.
  • Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> November 8 (70 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.

Localization and Production: November 16 -> November 24 (9 days)

Translation, preparing final copies/PDFs.

Evaluation: October 29 -> October 30 (1 day)

  • Evaluate the project.
  • Plan maintenance cycles.
  • Plan next release.

Subject Matter Experts

  • Daniel Walsh
  • James Morris
  • Eric Paris
  • domg472
  • Russell Coker
  • Stephen Smalley
  • Karl MacMillan
  • Joshua Brindle
  • Christopher J. PeBenito