Phase 1: Information Planning

Deliverables and Milestones

• Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.

• Project Plan: an estimation of the time and resources required to complete the project.

Information Sources

• RHS429 course.
• Current SELinux project documentation todo list.
• Red Hat Enterprise Linux 5 Deployment Guide:
  • End User Control of SELinux.
• Red Hat Enterprise Linux 4 SELinux Guide: Working with SELinux.
• Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>.
• IRC: #fedora-selinux and #selinux
• fedora-selinux-list archives.
• Fedora SELinux Wiki.
• Blogs: <http://danwalsh.livejournal.com/>, <http://planet.fedoraproject.org/>, and <http://etbe.coker.com.au/>.
• SELinux news.
• SELinux webcast.
• Confining Users.

Purpose of the Documentation

• Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
• Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
• Give users information needed to do what they want without turning SELinux off.
• From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

• Familiar with using a Linux computer and a command line.
• No system administration experience is necessary; however, content may be geared towards system administration tasks.
• No previous SELinux experience.
• People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

• Basic access control concepts.
• SELinux concepts:
  • Domains and Types.
  • Contexts.
  • Targets/Processes/Files.
• How do I find out if SELinux is enabled on my system?
• Confined and unconfined processes (ps auxZ).
• Main files: /selinux/ and /etc/selinux/config.
• How to correctly disable SELinux (not sure if we want this ;) )
• Maintaining correct labels:
  • View labels using ls -Z
  • Copying Vs moving files.
  • Using user_home_t files on other machines, such as a user moving their ~/.ssh/authorized_keys file to another machine.
  • Relabeling an entire file system.
  • Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
  • mislabeled files, relabeled but still problems, touch /.autorelabel (Dans journal).
• Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
• SELinux and virtualization (relabeling images if images are not in /etc/xen/).
• Logging:
  • Are SELinux denials taking up too much space? This came from #selinux.
  • Amount of denials in permissive mode Vs enforcing mode.
  • Searching for specific denials (from #selinux, "/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*").
  • Where are the log files kept? (/var/log/audit/audit.d, /var/log/messages, etc. Basic explanation of which one will be used).
• Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:

(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc:  
denied  { search } for  pid=726 comm="busybox" name="" , what is the meaning of name="" ?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, 
object arent just file object but there also other kimds of object that may not carry a 
name for example ports interfaces or the ojects of subject ( process objects )"

• Controlling system daemons with booleans:
  • getsebool -a, setsebool -P; how to find information about booleans listed from getsebool.
  • Common items people want to change.
• Installing and upgrading SELinux packages.
  • Upgrade problems if you start from a non-SELinux labeled file system?
  • Missing SELinux users (semanage user -l)
• Not running X : setroubleshoot-server, run sealert -l \*, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>.
• Confining Users
  • <http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users/>.
  • <http://www.redhatmagazine.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux>.
• Mounting:
  • Do mount points need to be mnt_t?

Commands:

getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole

From the current SELinux documentation todo list:

• "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
• Document Confined Users".
• "Update FC5 FAQ".
• "Document the use of the mount command for overriding file context".
• "Describe Audit2allow and how it can just Fix the machine".
• "Update and organize the Fedora SELinux FAQ".