From Fedora Project Wiki

< Docs‎ | Drafts‎ | SELinux User Guide

Revision as of 07:32, 18 July 2008 by Nigelj (talk | contribs) (Fix mismatched code tags)

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Sources

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejounal.com in to a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

  • Basic access control concepts.
  • SELinux concepts:
    • Domains and Types.
    • Contexts.
    • Targets/Processes/Files.
  • How do I find out if SELinux is enabled on my system?
  • Confined and unconfined processes (ps auxZ).
  • Main files: /selinux/ and /etc/selinux/config.
  • How to correctly disable SELinux (not sure if we want this ;) )
  • Maintaining correct labels:
    • View labels using ls -Z
    • Copying Vs moving files.
    • Using user_home_t files on other machines, such as a user moving their ~/.ssh/authorized_keys file to another machine.
    • Relabeling an entire file system.
    • Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
    • mislabeled files, relabeled but still problems, touch /.autorelabel (Dans journal).
  • Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
  • SELinux and virtualization (relabeling images if images are not in /etc/xen/).
  • Logging:
    • Are SELinux denials taking up too much space? This came from #selinux.
    • Amount of denials in permissive mode Vs enforcing mode.
    • Searching for specific denials (from #selinux, "/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*").
    • Where are the log files kept? (/var/log/audit/audit.d, /var/log/messages, etc. Basic explanation of which one will be used).
  • Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc:  
denied  { search } for  pid=726 comm="busybox" name="" , what is the meaning of name="" ?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, 
object arent just file object but there also other kimds of object that may not carry a 
name for example ports interfaces or the ojects of subject ( process objects )"

Commands:

getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".