selinux documentation [was: Should selinux be standard?]
Manoj Srivastava wrote:
> I think we have a low enough avc denial rate that
> unconfined/permissive already provides value. We are pretty close to
> achieving unconfined/enforcing for Lenny, and with help from people I
> think we can be there. strict/permissive and strict/enforcing should
> be doable for squeeze.
One thing that I really miss is a documentation entry point.
I think I know lots of things about admin, OS, kernel, ... I heard about
SELinux, I know it should improve security (at least for servers).
From the beginning of this thread, I read carefully all messages.
I saw the boot parameter (selinux=1) that I did not try yet. Today, I see
the audit2allow tool and I mark it on my TODO/tips file.
But I looked into /usr/share/doc/selinux-policy-default/ and did not find
any useful documentation:
- README.Debian gives pointers about semodule and load_policy (which seem
to be tools for more advanced selinux users than me)
- README talks about make targets, so I suppose it applies to the source
package or to advanced selinux users with a copy of the sources/policies...
I also looked into /usr/share/doc/setools
- there is no README.Debian
- README is a general selinux documentation (talking about downloading
sources, compiling/installing them, ...). So, again, I think this document
is targeting advanced selinux users (or selinux developers).
And /etc/selinux/ has a lot of files that I do not know what to do with.
So, before reading this thread and finding the selinux=1 boot parameter,
I did not know what to do to use selinux. I'm not sure that I only have to
do that. I discovered audit2allow in this thread. It seems to me a great
tool to work around an incomplete policy (until fixed in the package, or due to
local configuration), but I do not know exactly how to add the produced rules
to my local config and make the system use them (i.e. reload the config).
I do not want an answer here. I'm sure that if I'm interested enough in
selinux (and have enough free time), I'm skilled enough to find internet/
manpage documentation and understand it.
But if selinux is installed by default on all systems, then I really think
that basic documentation for Debian administrators (I mean people managing
machines with the Debian distribution on them, not admins of official Debian
machines) MUST be provided.
In this documentation, I think that we should find:
- what is selinux
- what are the different modes (permissive, ...)
- how to enable/disable selinux on Debian machines
- how to change the mode
- how to adjust the policy
i.e. all operations needed by a Debian admin to manage selinux on their machine.
And this documentation must be very easy to find (a pointer to it in the
config directory, ...).
PS: and no, I'm not interested enough in selinux, nor do I have enough free time
and knowledge to write this kind of documentation.
Vincent Danjean GPG key ID 0x9D025E87 email@example.com
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
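Added illustration of what audit2allow does with the AVC denials mentioned above (this is editor-supplied example code, not part of Vincent's mail, the Debian packages or the audit2allow tool; the log lines are constructed, the type names httpd_t, user_home_t and unreserved_port_t are standard reference-policy types used here only as sample data). It parses "avc: denied" audit records, merges the denied permissions per (source type, target type, object class), and emits the kind of .te policy module that `audit2allow -M local` writes and that `semodule -i local.pp` loads. The point for an admin is that each generated allow rule should be read before loading: a denial often means a mislabelled file or a policy boolean that should be toggled, and an unconditional allow rule is the weakest fix.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). The first three
# are SELinux AVC denials; the fourth is an unrelated record that must be ignored.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1200000000.101:17): avc:  denied  { read } for  pid=2101 comm="httpd" '
    'name="index.html" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1200000000.102:18): avc:  denied  { getattr } for  pid=2101 comm="httpd" '
    'path="/home/alice/public_html/index.html" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1200000000.103:19): avc:  denied  { name_bind } for  pid=2101 comm="httpd" '
    'src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 '
    'tclass=tcp_socket',
    'type=USER_LOGIN msg=audit(1200000000.104:20): pid=2200 uid=0 auid=1000 ses=3 '
    'msg=\'op=login id=1000 exe="/usr/sbin/sshd" res=success\'',
]

# Matches the fields of an AVC denial that a policy rule needs: the denied
# permissions, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a security context of the form user:role:type[:level]."""
    return ctx.split(':')[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial; skip other records."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], set(m['perms'].split()))


def merge_denials(lines):
    """Union the denied permissions per (source, target, class) so one rule covers repeats."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(lines):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def allow_rules(merged):
    """Render merged denials as Type Enforcement allow rules, in a stable order."""
    return [f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};'
            for (src, tgt, cls), perms in sorted(merged.items())]


def build_te_module(name, lines, version='1.0'):
    """Build a loadable-module source (.te) with the require block audit2allow -M would emit."""
    merged = merge_denials(lines)
    types = sorted({t for (src, tgt, _cls) in merged for t in (src, tgt)})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in merged.items():
        classes[cls] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {{ {" ".join(sorted(perms))} }};' for cls, perms in sorted(classes.items())]
    out += ['}', '']
    out += allow_rules(merged)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_te_module('local', SAMPLE_AVC_LINES))
```

Reading the generated rules is where the admin's judgement comes in: the first rule lets the web server read every user home directory file, where relabelling the published directory (or the relevant boolean) would be narrower; the second opens an arbitrary port, where a port label for 8081 would be the precise fix.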