selinux documentation [was: Should selinux be standard?]

2008-09-17 Thread Vincent Danjean
Manoj Srivastava wrote:
 I think we are have a low enough avc denial rates that
  unconfined/permissive already provides value. We are pretty close to
  achieving unconfined/enforcing fo Lenny, and with help from people I
  think we can be there. strict/permissive and strinct/enforcing should
  be doable for squeeze.

  One thing that I really miss is an documentation entry point.
I think I know lots of things about admin, OS, kernel, ... I heard about
SElinux, I know it should improve the security (at least for servers).
  From the beginning of this thread, I read carefully all messages.
I saw the boot parameter (selinux=1) that I did not try yet. Today, I see
the audit2allow tool and I mark it on my TODO/tips file.
  But, I looked into /usr/share/doc/selinux-policy-default/ and do not find
any useful documentation:
- README.Debian gives pointer about semodule and load_policy (that seem
  tools for more advanced selinux users than me)
- README talk about make targets, so I suppose it applies to the source
  package or advanced selinux users with a copy of the sources/policies...

  I also looked into /usr/share/doc/setools
- there is no README.Debian
- README is a general selinux documentation (talking about downloading
  sources, compiling/installing them, ...). So, again, I think this document
  is targeting advanced selinux users (or selinux developers)

  And /etc/selinux/ has a lot of files that I do not know what to do with
them.

  So, before reading this thread and finding the selinux=1 boot parameter,
I did not know what to do to use selinux. I'm not sure that I only have to
do that. I discovered in this thread audit2allow. It seems to me a great
tool to workaround incomplete policy (until fixed in package or due to
local configuration) but I do not know exactly how to add produced rules
to my local config and to make the system use it (ie reload the config).

  I do not want answer here. I'm sure that if I'm interested enough in
selinux (and with enough free time), I'm skilled enough to find internet/
manpage documentation and understand them.
  But if selinux is installed by default on all system, then I really thing
that a basic documentation for Debian administrators (I mean people managing
machines with the Debian distribution on it, not admin of official Debian
machines) MUST be provided.
  In this documentation, I think that we should find:
- what is selinux
- what are the different modes (permissive, ...)
- how to enable/disable selinux on Debian machines
- how to change the mode
- how to adjust the policy
- ...
ie all operations needed by a Debian admin to manage selinux on its machine.
And this documentation must be very easy to find (pointer to it in the
config directory, ...)

  Best regards,
Vincent

PS: and no, I'm not interested enough in selinux nor I've enough free time
and knowledge to write this kind of documentation.

-- 
Vincent Danjean   GPG key ID 0x9D025E87 [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: selinux documentation [was: Should selinux be standard?]

2008-09-17 Thread Raphael Geissert
Vincent Danjean wrote:
...
   But if selinux is installed by default on all system, then I really
   thing
 that a basic documentation for Debian administrators (I mean people
 managing machines with the Debian distribution on it, not admin of
 official Debian machines) MUST be provided.

+1

...
 
   Best regards,
 Vincent
 

Oh, and talking about man pages, it looks like there's only documentation
about the commands and such but nothing else (like an intro) [1].

I know some basic stuff about SELinux, and I still consider shipping the
packages by disabled and by default *and* without any pointer to a nice
introduction is useless. I do agree that there are changes that need people
to be educated first, but one can not just provide the stuff by default
without any special reference to them an expect people to adopt and use
them.

Cheers,
Raphael Geissert

[1] $ apropos selinux
avc_add_callback (3) - additional event notification for SELinux userspace
object managers.
avc_audit (3)- obtain and audit SELinux access decisions.
avc_av_stats (3) - obtain userspace SELinux AVC statistics.
avc_cache_stats (3)  - obtain userspace SELinux AVC statistics.
avc_cleanup (3)  - userspace SELinux AVC setup and teardown.
avc_compute_create (3) - obtain SELinux label for new object.
avc_compute_member (3) - obtain SELinux label for new object.
avc_context_to_sid (3) - obtain and manipulate SELinux security ID's.
avc_destroy (3)  - userspace SELinux AVC setup and teardown.
avc_entry_ref_init (3) - obtain and audit SELinux access decisions.
avc_get_initial_context (3) - obtain and manipulate SELinux security ID's.
avc_has_perm (3) - obtain and audit SELinux access decisions.
avc_has_perm_noaudit (3) - obtain and audit SELinux access decisions.
avc_init (3) - userspace SELinux AVC setup and teardown.
avc_reset (3)- userspace SELinux AVC setup and teardown.
avc_sid_stats (3)- obtain userspace SELinux AVC statistics.
avc_sid_to_context (3) - obtain and manipulate SELinux security ID's.
checkPasswdAccess (3) - query the SELinux policy database in the kernel.
context_free (3) - Routines to manipulate SELinux security contexts
context_new (3)  - Routines to manipulate SELinux security contexts
context_range_get (3) - Routines to manipulate SELinux security contexts
context_range_set (3) - Routines to manipulate SELinux security contexts
context_role_get (3) - Routines to manipulate SELinux security contexts
context_role_set (3) - Routines to manipulate SELinux security contexts
context_type_get (3) - Routines to manipulate SELinux security contexts
context_type_set (3) - Routines to manipulate SELinux security contexts
context_user_get (3) - Routines to manipulate SELinux security contexts
context_user_set (3) - Routines to manipulate SELinux security contexts
freecon (3)  - free memory associated with SELinux security
contexts.
freeconary (3)   - free memory associated with SELinux security
contexts.
fsetfilecon (3)  - set SELinux security context of a file
get_default_context (3) - determine SELinux context(s) for user sessions
get_default_context_with_level (3) - determine SELinux context(s) for user
sessions
get_default_context_with_role (3) - determine SELinux context(s) for user
sessions
get_default_context_with_rolelevel (3) - determine SELinux context(s) for
user sessions
get_ordered_context_list (3) - determine SELinux context(s) for user
sessions
get_ordered_context_list_with_level (3) - determine SELinux context(s) for
user sessions
getcon (3)   - get SELinux security context of a process.
getexeccon (3)   - get or set the SELinux security context used for
executing a new process.
getfilecon (3)   - get SELinux security context of a file
getfscreatecon (3)   - get or set the SELinux security context used for
creating a new file system object.
getpeercon (3)   - get SELinux security context of a process.
getpidcon (3)- get SELinux security context of a process.
getprevcon (3)   - get SELinux security context of a process.
getseuserbyname (3)  - get SELinux username and level for a given Linux
username
is_context_customizable (3) - check whether SELinux context type is
customizable by the administrator.
is_selinux_enabled (3) - check whether SELinux is enabled
lsetfilecon (3)  - set SELinux security context of a file
manual_user_enter_context (3) - determine SELinux context(s) for user
sessions
matchmediacon (3)- get the default SELinux security context for the
specified mediatype from the policy.
matchpathcon (3) - get the default SELinux security context for the
specified path from the file contexts...
pam_selinux (8)  - PAM module to set the default security context
pam_sepermit (8) - PAM module to allow/deny login depending on SELinux
enforcement state
query_user_context (3) - determine SELinux context(s) for user sessions
rpm_execcon (3)  - get or set the SELinux security context used for