selinux documentation [was: Should selinux be standard?]



Manoj Srivastava wrote:
>         I think we have low enough avc denial rates that
>  unconfined/permissive already provides value. We are pretty close to
>  achieving unconfined/enforcing for Lenny, and with help from people I
>  think we can be there. strict/permissive and strict/enforcing should
>  be doable for squeeze.

  One thing that I really miss is a documentation entry point.
I think I know lots of things about admin, OS, kernel, ... I heard about
SElinux, I know it should improve the security (at least for servers).
  From the beginning of this thread, I carefully read all messages.
I saw the boot parameter (selinux=1) that I have not tried yet. Today, I see
the audit2allow tool and I mark it in my TODO/tips file.
  But, I looked into /usr/share/doc/selinux-policy-default/ and did not find
any useful documentation:
- README.Debian gives pointers about semodule and load_policy (which seem
  to be tools for more advanced selinux users than me)
- README talks about make targets, so I suppose it applies to the source
  package or advanced selinux users with a copy of the sources/policies...

  I also looked into /usr/share/doc/setools
- there is no README.Debian
- README is a general selinux documentation (talking about downloading
  sources, compiling/installing them, ...). So, again, I think this document
  is targeting advanced selinux users (or selinux developers)

  And /etc/selinux/ has a lot of files that I do not know what to do with.

  So, before reading this thread and finding the selinux=1 boot parameter,
I did not know what to do to use selinux. I'm not sure that I only have to
do that. I discovered audit2allow in this thread. It seems to me a great
tool to work around an incomplete policy (until fixed in the package or due to
local configuration) but I do not know exactly how to add the produced rules
to my local config and make the system use them (i.e. reload the config).

  I do not want an answer here. I'm sure that if I'm interested enough in
selinux (and with enough free time), I'm skilled enough to find internet/
manpage documentation and understand it.
  But if selinux is installed by default on all systems, then I really think
that basic documentation for Debian administrators (I mean people managing
machines with the Debian distribution on them, not admins of official Debian
machines) MUST be provided.
  In this documentation, I think that we should find:
- what is selinux
- what are the different modes (permissive, ...)
- how to enable/disable selinux on Debian machines
- how to change the mode
- how to adjust the policy
- ...
i.e. all operations needed by a Debian admin to manage selinux on their machine.
And this documentation must be very easy to find (pointer to it in the
config directory, ...)

  Best regards,
    Vincent

PS: and no, I'm not interested enough in selinux nor do I have enough free time
and knowledge to write this kind of documentation.

-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main
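The message above connects avc denials with audit2allow without saying how the two fit together. The following added Python example (not part of the thread, and not the audit2allow code itself) groups constructed audit.log denial records by source type, target type and object class, the way audit2allow summarizes them, so an admin can review each group before deciding whether to turn it into a local policy module.

```python
import re

# Constructed sample audit.log lines (not from the thread), in the kernel's
# AVC record layout that audit2allow reads; one "granted" record is included.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1225000001.101:201): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=sda1 ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1225000002.102:202): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/home/vd/public_html/index.html" dev=sda1 ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1225000003.103:203): avc:  denied  { name_connect } for  pid=2305 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1225000004.104:204): avc:  granted  { read } for  pid=2310 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1225000006.106:206): avc:  denied  { read write } for  pid=2301 comm="httpd" name="index.html" dev=sda1 ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Permissions in "{ ... }", then source/target contexts and object class.
AVC_DENIED_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    return ctx.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> permissions and count."""
    summary = {}
    for line in log_text.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue  # "granted" records and non-AVC lines are skipped
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0})
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
    return summary

def format_rules(summary):
    """Render each group in the allow-rule shape audit2allow produces."""
    # Review every group before loading it as local policy: a denial on a
    # user_home_t file may mean the file is mislabelled (restorecon) rather
    # than that httpd_t should be allowed into home directories.
    lines = []
    for (stype, ttype, tclass), e in sorted(summary.items()):
        perms = " ".join(sorted(e["perms"]))
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {e['count']} denial(s)")
    return lines

if __name__ == "__main__":
    print("\n".join(format_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

The three httpd_t/user_home_t denials collapse into one rule with the union of their permissions, which is the unit an admin should judge (relabel, or allow) rather than the individual log lines.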
