selinux documentation [was: Should selinux be standard?]
Manoj Srivastava wrote:
> I think we have a low enough avc denial rate that unconfined/permissive already provides value. We are pretty close to achieving unconfined/enforcing for Lenny, and with help from people I think we can be there. strict/permissive and strict/enforcing should be doable for squeeze.

One thing that I really miss is a documentation entry point.

I think I know lots of things about admin, OS, kernel, ... I heard about SELinux, I know it should improve the security (at least for servers). From the beginning of this thread, I read carefully all messages. I saw the boot parameter (selinux=1) that I did not try yet. Today, I see the audit2allow tool and I mark it in my TODO/tips file.

But I looked into /usr/share/doc/selinux-policy-default/ and do not find any useful documentation:
- README.Debian gives pointers about semodule and load_policy (which seem to be tools for more advanced selinux users than me)
- README talks about make targets, so I suppose it applies to the source package or to advanced selinux users with a copy of the sources/policies...

I also looked into /usr/share/doc/setools:
- there is no README.Debian
- README is a general selinux documentation (talking about downloading sources, compiling/installing them, ...). So, again, I think this document is targeting advanced selinux users (or selinux developers)

And /etc/selinux/ has a lot of files that I do not know what to do with.

So, before reading this thread and finding the selinux=1 boot parameter, I did not know what to do to use selinux. I'm not sure that I only have to do that. I discovered audit2allow in this thread. It seems to me a great tool to work around an incomplete policy (until fixed in the package, or due to local configuration), but I do not know exactly how to add the produced rules to my local config and make the system use them (i.e. reload the config). I do not want an answer here.

I'm sure that if I'm interested enough in selinux (and with enough free time), I'm skilled enough to find internet/manpage documentation and understand it. But if selinux is installed by default on all systems, then I really think that basic documentation for Debian administrators (I mean people managing machines with the Debian distribution on them, not admins of official Debian machines) MUST be provided. In this documentation, I think that we should find:
- what is selinux
- what are the different modes (permissive, ...)
- how to enable/disable selinux on Debian machines
- how to change the mode
- how to adjust the policy
- ...
i.e. all operations needed by a Debian admin to manage selinux on their machine. And this documentation must be very easy to find (pointer to it in the config directory, ...)

Best regards,
Vincent

PS: and no, I'm not interested enough in selinux, nor do I have enough free time and knowledge to write this kind of documentation.

-- 
Vincent Danjean GPG key ID 0x9D025E87 [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
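The loop Vincent says he could not find documented (collect AVC denials, turn them into allow rules, load them into the running policy, and check or change the mode) is shown below as an added example. It is not part of the thread and not Debian's own tooling: a POSIX shell script that parses three constructed denial lines into a small Type Enforcement module (the step audit2allow -M performs) and then runs the real checkmodule, semodule_package and semodule commands to compile and install it. The denial lines, the module name local_httpd, the apache2 process and the file/port types in them, and the temporary paths are all assumptions made for the example; getenforce, setenforce, /etc/selinux/config, restorecon and setsebool are the standard SELinux userspace tools.

```shell
#!/bin/sh
# Added example (not Debian's own tooling): the "denial -> allow rule -> load"
# loop that audit2allow -M and semodule perform, written out so each step is
# visible. Run it as root on a SELinux host to actually load the module; on
# any other machine it still generates and prints the policy module.

# Three constructed AVC denial lines in the format the kernel writes to
# /var/log/audit/audit.log (or kern.log without auditd). Not real logs.
SAMPLE_AVC='type=AVC msg=audit(1226577093.128:42): avc:  denied  { read } for  pid=1234 comm="apache2" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1226577093.130:43): avc:  denied  { getattr } for  pid=1234 comm="apache2" path="/home/vincent/public_html/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1226577100.001:44): avc:  denied  { name_connect } for  pid=1234 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Current mode: getenforce prints Enforcing/Permissive/Disabled. Switch at
# runtime with "setenforce 0|1"; make it persistent in /etc/selinux/config
# (SELINUX=permissive|enforcing). On Debian the kernel must also be booted
# with selinux=1, as discussed in the thread.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "no SELinux userspace installed"; fi
}

# avc_to_te MODULE: read denial lines on stdin, write a .te policy module on
# stdout. Source/target types are the third ':'-separated field of
# scontext/tcontext; permissions are merged per (source, target, class).
avc_to_te() {
    awk -v mod="$1" '
    /avc: *denied/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        types[src] = 1; types[tgt] = 1
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++) {
            if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rules[key] = rules[key] " " p[i] }
            if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperms[cls] = cperms[cls] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types)  printf "\ttype %s;\n", t
        for (c in cperms) printf "\tclass %s {%s };\n", c, cperms[c]
        print "}\n"
        for (i = 1; i <= n; i++) printf "allow %s {%s };\n", keys[i], rules[keys[i]]
    }'
}

# build_and_load FILE.te: compile and install the module. These are the same
# three commands audit2allow -M runs for you, followed by "semodule -i".
build_and_load() {
    te=$1; base=${te%.te}
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1; then
        echo "checkmodule/semodule not found; review $te and load it on the SELinux host" >&2
        return 2
    fi
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"          # takes effect immediately and persists across reboots
}

workdir=$(mktemp -d "${TMPDIR:-/tmp}/selinux-local.XXXXXX")
te="$workdir/local_httpd.te"
selinux_mode
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_httpd > "$te"
# Read the rules before loading them: they permit exactly what was denied.
# A denial caused by a mislabelled file is better fixed with "restorecon -v FILE",
# and many policies expose switches through getsebool -a / setsebool -P.
cat "$te"
build_and_load "$te" || echo "module not loaded (status $?); see $te" >&2
```

The generated module for the sample denials contains two allow rules, one for httpd_t on user_home_t:file with read and getattr merged, and one for the MySQL port. Loading it is the quick workaround Vincent describes; for the first rule the usual right answer is to relabel the directory (or, on policies that offer it, to turn on the relevant boolean) rather than to widen httpd_t permanently, which is why the script prints the module before calling semodule.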
Re: selinux documentation [was: Should selinux be standard?]
Vincent Danjean wrote:
> ... But if selinux is installed by default on all systems, then I really think that basic documentation for Debian administrators (I mean people managing machines with the Debian distribution on them, not admins of official Debian machines) MUST be provided.

+1

> ... Best regards, Vincent

Oh, and talking about man pages, it looks like there's only documentation about the commands and such, but nothing else (like an intro) [1]. I know some basic stuff about SELinux, and I still consider shipping the packages disabled by default *and* without any pointer to a nice introduction useless. I do agree that there are changes that need people to be educated first, but one can not just provide the stuff by default without any special reference to it and expect people to adopt and use it.

Cheers,
Raphael Geissert

[1]
$ apropos selinux
avc_add_callback (3) - additional event notification for SELinux userspace object managers.
avc_audit (3) - obtain and audit SELinux access decisions.
avc_av_stats (3) - obtain userspace SELinux AVC statistics.
avc_cache_stats (3) - obtain userspace SELinux AVC statistics.
avc_cleanup (3) - userspace SELinux AVC setup and teardown.
avc_compute_create (3) - obtain SELinux label for new object.
avc_compute_member (3) - obtain SELinux label for new object.
avc_context_to_sid (3) - obtain and manipulate SELinux security ID's.
avc_destroy (3) - userspace SELinux AVC setup and teardown.
avc_entry_ref_init (3) - obtain and audit SELinux access decisions.
avc_get_initial_context (3) - obtain and manipulate SELinux security ID's.
avc_has_perm (3) - obtain and audit SELinux access decisions.
avc_has_perm_noaudit (3) - obtain and audit SELinux access decisions.
avc_init (3) - userspace SELinux AVC setup and teardown.
avc_reset (3) - userspace SELinux AVC setup and teardown.
avc_sid_stats (3) - obtain userspace SELinux AVC statistics.
avc_sid_to_context (3) - obtain and manipulate SELinux security ID's.
checkPasswdAccess (3) - query the SELinux policy database in the kernel.
context_free (3) - Routines to manipulate SELinux security contexts
context_new (3) - Routines to manipulate SELinux security contexts
context_range_get (3) - Routines to manipulate SELinux security contexts
context_range_set (3) - Routines to manipulate SELinux security contexts
context_role_get (3) - Routines to manipulate SELinux security contexts
context_role_set (3) - Routines to manipulate SELinux security contexts
context_type_get (3) - Routines to manipulate SELinux security contexts
context_type_set (3) - Routines to manipulate SELinux security contexts
context_user_get (3) - Routines to manipulate SELinux security contexts
context_user_set (3) - Routines to manipulate SELinux security contexts
freecon (3) - free memory associated with SELinux security contexts.
freeconary (3) - free memory associated with SELinux security contexts.
fsetfilecon (3) - set SELinux security context of a file
get_default_context (3) - determine SELinux context(s) for user sessions
get_default_context_with_level (3) - determine SELinux context(s) for user sessions
get_default_context_with_role (3) - determine SELinux context(s) for user sessions
get_default_context_with_rolelevel (3) - determine SELinux context(s) for user sessions
get_ordered_context_list (3) - determine SELinux context(s) for user sessions
get_ordered_context_list_with_level (3) - determine SELinux context(s) for user sessions
getcon (3) - get SELinux security context of a process.
getexeccon (3) - get or set the SELinux security context used for executing a new process.
getfilecon (3) - get SELinux security context of a file
getfscreatecon (3) - get or set the SELinux security context used for creating a new file system object.
getpeercon (3) - get SELinux security context of a process.
getpidcon (3) - get SELinux security context of a process.
getprevcon (3) - get SELinux security context of a process.
getseuserbyname (3) - get SELinux username and level for a given Linux username
is_context_customizable (3) - check whether SELinux context type is customizable by the administrator.
is_selinux_enabled (3) - check whether SELinux is enabled
lsetfilecon (3) - set SELinux security context of a file
manual_user_enter_context (3) - determine SELinux context(s) for user sessions
matchmediacon (3) - get the default SELinux security context for the specified mediatype from the policy.
matchpathcon (3) - get the default SELinux security context for the specified path from the file contexts...
pam_selinux (8) - PAM module to set the default security context
pam_sepermit (8) - PAM module to allow/deny login depending on SELinux enforcement state
query_user_context (3) - determine SELinux context(s) for user sessions
rpm_execcon (3) - get or set the SELinux security context used for