From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QOyNv-0003MC-HS for garchives@archives.gentoo.org; Tue, 24 May 2011 20:39:24 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6D6A81C004; Tue, 24 May 2011 20:39:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id D32291C004 for ; Tue, 24 May 2011 20:39:15 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0E3781B4025 for ; Tue, 24 May 2011 20:39:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 8FD3A80505 for ; Tue, 24 May 2011 20:39:14 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <3e160946c1c040608a82ccb115c198cbdbc297b2.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: html/index.html html/index2.html html/roadmap.html html/selinux-policy.html html/selinux/hb-intro-enhancingsecurity.html html/selinux/index.html html/support-state.html X-VCS-Directories: html/ html/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 3e160946c1c040608a82ccb115c198cbdbc297b2 Date: Tue, 24 May 2011 20:39:14 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: d48c42121305e18eeaff9882f2d4dcca commit: 3e160946c1c040608a82ccb115c198cbdbc297b2 Author: Sven Vermeulen siphos be> AuthorDate: Tue May 24 20:36:34 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue May 24 20:36:34 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D3e160946 Update previews --- html/index.html | 5 +- html/index2.html | 5 +- html/roadmap.html | 590 +++++++++++---------= ------ html/selinux-policy.html | 7 +- html/selinux/hb-intro-enhancingsecurity.html | 4 +- html/selinux/index.html | 242 +++++++---- html/support-state.html | 264 ++++++++++++ 7 files changed, 676 insertions(+), 441 deletions(-) diff --git a/html/index.html b/html/index.html index 9f5561b..8cbf79a 100644 --- a/html/index.html +++ b/html/index.html @@ -271,6 +271,9 @@ GNU Stack Quickstart
  • Gentoo SELinux= Handbook
  • +
  • + Gentoo SELinux FAQ +
  • @@ -287,7 +290,7 @@ GNU Stack Quickstart hardened - battousai, blueness, chainsaw, drago= nheart, gengor, nixnut, pebenito, solar, zorry + battousai, blueness, chainsaw, drago= nheart, gengor, klondike, nixnut, pebenito, solar, zorry Hardened Gentoo project packages and= policy diff --git a/html/index2.html b/html/index2.html index 883f517..1f8776e 100644 --- a/html/index2.html +++ b/html/index2.html @@ -240,6 +240,9 @@ GNU Stack Quickstart
  • Gentoo SELinux= Handbook
  • +
  • + Gentoo SELinux FAQ +
  • @@ -256,7 +259,7 @@ GNU Stack Quickstart hardened - battousai, blueness, chainsaw, drago= nheart, gengor, nixnut, pebenito, solar, zorry + battousai, blueness, chainsaw, drago= nheart, gengor, klondike, nixnut, pebenito, solar, zorry Hardened Gentoo project packages and= policy diff --git a/html/roadmap.html b/html/roadmap.html index e2d38b8..1f74223 100644 --- a/html/roadmap.html +++ b/html/roadmap.html @@ -11,395 +11,295 @@ Gentoo Linux Documentation -- - Hardened Gentoo Roadmap + Gentoo Hardened Roadmap
    3D"Gentoo
    <= tr>
    -

    Hardened Gentoo Roadmap

    +

    Disclaimer : + This document is a work in progress and should not be considered off= icial yet. +

    +

    Gentoo Hardened Roadmap

    Content: - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    DescriptionCoordinator(s)Status
    x86 SupportzorryComplete
    amd64 SupportzorryComplete
    sparc32 SupportUnassigned
    sparc64 SupportUnassigned
    ppc Supportnixnut,zorry,bluenessComplete
    ppc64 SupportbluenessComplete
    s390 SupportUnassigned
    hppa SupportNot supported
    arm SupportbluenessIn progress
    mips SupportbluenessIn progress
    ia64 Supportzorry,bluenessComplete
    -

    Hardened GCC

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    GCC versionSupport PIESupport SSPArch
    3.6.XYesYesx86 amd64
    4.3.XYesYesx86 amd64
    4.4.XYesYesx86 amd64 arm ppc ppc64 ia64
    4.5.XYesYesx86 amd64 arm ppc ppc64 ia64
    -

    Hardened Toolchain=

    - - - - - - - - - - - - - - - - - - - - - -
    DescriptionCoordinator(s)Status
    Document the feature setnoneIn Progress
    Describe the RBAC systemnoneUnassigned
    Release hardened-sources-2.6.37bluenessComplete
    -

    Hardened Sources +

    Goals and Milestones

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DescriptionCoordinator(s)Status
    x86 SupportbluenessComplete
    amd64 SupportbluenessComplete
    sparc32 SupportUnassigned
    sparc64 SupportUnassigned
    ppc SupportbluenessIn Progress
    ppc64 SupportbluenessComplete
    s390 SupportUnassigned
    hppa SupportNot supported
    arm SupportbluenessIn testing
    mips SupportbluenessIn testing
    ia64 SupportbluenessComplete
    DescriptionETAStatusCoordinator(s)Related Bugs
    Document the Hardened ToolchainIn ProgressZorry
    Comparative analysis of security approaches ta= ken by distributionsUnassigned=
    Rework grSecurity documentationUnassigned=
    Update/rewrite propolice documentationUnassigned=
    -

    SELinux

    +

    = 4. + Hardened Toolchain Goals and Milestones

    +

    Current State

    +

    +Our toolchain so far has seen a tremendous evolution. Some of the integr= ated +patches have been accepted upstream (like SSP), but work can still impro= ve. +To allow changes to be pushed upstream more easily, we might need improv= ements +on the ways to strengthen the current implementation, and work on the ar= eas of +code that need clean-up. +

    +

    +Our next steps are to take a step backwards and examine the work that ha= s been +done so far. We need to improve our existing documents, but also review = the +packages available in the Portage tree and help out the package maintain= ers in +handling CFLAG filters for a hardened toolchain in a proper way. +

    +

    Goals and Milestones

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DescriptionCoordinator(s)Status
    Strengthen and extend the current policies -pebenitoIn Progress
    Extend support to more architecturespebenitoIn Progress
    Policy module supportpebenitoIn Progress
    Additional Daemon PoliciespebenitoIn Progress
    Updated documentationSwifTIn Progress
    DescriptionETAStatusCoordinator(s)Related Bugs
    En= hance documentation
    Document the toolchain feature setIn progress
    Describe the grSecurity RBAC systemUnassigned=
    Ke= rnel development and maintenance
    Release hardened-sources-2.6.37Doneblueness
    -

    RSBAC

    +

    = 5. + grSecurity Goals and Milestones

    +

    Current State

    +

    +grSecurity is well integrated within Gentoo Hardened (patch- and softwar= e wise +as well as knowledge). However, the documentation is lagging behind a lo= t and +is in need for attention. +

    +

    Goals and Milestones

    - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DescriptionCoordinator(s)Status
    Bring policy support tool to Gentoo packages= .Unassigned
    Enhance RSBAC DocumentationUnassigned
    DescriptionETAStatusCoordinator(s)Related Bugs
    + the existing grSecurity2 document needs to be converted to Handbook = XML + Unassigned=
    + the features of PAX and grSecurity need to be described and document= ed + Unassigned=
    + the RBAC system needs to be covered documentation-wise in much more = detail + Unassigned=
    -

    Documentation

    +

    = 6. + SELinux Goals and Milestones

    +

    Current State

    +

    +The Gentoo Hardened SELinux state is, within the ~arch branches, up to d= ate and +fully supported (except MCS/MLS which is not supported yet). The documen= tation +is being updated as the state evolves, but can still improve.=20 +

    +

    Goals and Milestones

    - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
    DescriptionCoordinator(s)Status
    Comparative analysis of security approaches = taken by distributions.Unassigned
    Rework Grsecurity DocumentationUnassigned
    Update/Rewrite Propolice DocumentationUnassigned
    Document the Hardened ToolchainzorryIn Progress
    DescriptionETAStatusCoordinator(s)Related Bugs
    Stabilize the userland tools and libraries + 2011-05-24Slight delayblueness, SwifT
    + Stabilize the ~arch SELinux policies based on 2.20101213 upstream br= anch + 2011-06-07On track + blueness, SwifT#36= 8199
    Stabilize the new SELinux profile structure + 2011-06-28On track + blueness#36= 5483


    - +

    Print

    Updated F= ebruary 2, 2011

    Updated M= ay 22, 2011

    Summary:= A roadmap that plots current needs and goals of the Hardened Gentoo project. diff --git a/html/selinux-policy.html b/html/selinux-policy.html index f9af9d5..e7ce30a 100644 --- a/html/selinux-policy.html +++ b/html/selinux-policy.html @@ -11,16 +11,13 @@ Gentoo Linux Documentation -- - Gentoo Hardened SELinux Policy + Gentoo Hardened SELinux Development Policy
    3D"Gentoo
    <= tr> diff --git a/html/support-state.html b/html/support-state.html new file mode 100644 index 0000000..45c51bd --- /dev/null +++ b/html/support-state.html @@ -0,0 +1,264 @@ + + + + + + + + + + + +Gentoo Linux Documentation +-- + Gentoo Hardened Support State + +
    -

    Disclaimer : - This document is a work in progress and should not be considered off= icial yet. -

    -

    Gentoo Hardened SELinux Policy

    +

    Gentoo Hardened SELinux Development Policy

    Content:
    - + - + - + - + - +

    Updated J= anuary 10, 2011

    Updated M= ay 25, 2011

    Donate to support our development efforts.

    diff --git a/html/selinux/index.html b/html/selinux/index.html index e1de71a..1cd3b3f 100644 --- a/html/selinux/index.html +++ b/html/selinux/index.html @@ -22,47 +22,62 @@ Content: + + + + + +

    = 1. Project Description

    - This project manages SELinux support in Gentoo. This includes providin= g - kernels with SELinux support, providing patches to userland utilities, = writing - strong Gentoo-specific default profiles, and deploying policies from Po= rtage. +This project manages SELinux support in Gentoo. This includes providing +kernels with SELinux support, providing patches to userland utilities, w= riting +strong Gentoo-specific default profiles, and maintaining a good default = set of +policies.

    -

    = 2. - Project Goals

    - The intention of the project is to make SELinux available to more user= s, and - improving its integration. - Policy should be available for common daemons, and files merged in fro= m Portage - should have the correct file context. Currently we only work on serve= rs, but - desktops will be supported in the future. +Security-Enh= anced +Linux (SELinux) is a Mandatory Access Control system using type +enforcement and role-based access control. It is integrated within Linux= as a=20 +Linux Security Module (LSM)=20 +implementation. In addition to the kernel portion, SELinux consists of a= library +(libselinux) and userland utilities for compiling policy (checkpolicy), = and loading +policy (policycoreutils), in addition to other user programs.

    -

    = 3. - What is SELinux?

    - Security-E= nhanced - Linux (SELinux) is a system of mandatory access control using type - enforcement and role-based access control. It is implemented as a Linux Security Module (LSM). In addit= ion - to the kernel portion, SELinux consists of a library (libselinux) and = userland - utilities for compiling policy (checkpolicy), and loading policy - (policycoreutils), in addition to other user programs. +One common misconception is that SELinux is a complete security solution= . It is +not. SELinux only provides access control on system objects. It can wo= rk well +with other Hardened projects, such as PaX, for a more complete solution.

    +

    = 2. + Project Goals

    - One common misconception is that SELinux is a complete security soluti= on, - however, it is not. SELinux only provides one piece of a security - solution. It can work well with other Hardened projects, such as PaX, - for a more complete solution. +Our goal is to make SELinux (with Gentoo Hardened) available to more use= rs. +As a result, we

    -

    = 4. +

      +
    • + develop, improve and maintain the proper documentation and learning + material for end users to master SELinux +
    • +
    • + maintain a stable yet progressive set of userland tools that are nee= ded + to interoperate with SELinux on a Linux system (such as the core uti= lities, + libselinux and more) +
    • +
    • + focus on the integration of SELinux and SELinux-awareness within the= Gentoo + distribution, offering the necessary feedback on Portage and other u= tilities +
    • +
    • + develop, improve and maintain a good and secure default policy, base= d on the + reference policy, so that end users have no difficulties working wit= h and + enhancing SELinux within their environment +
    • +
    +

    = 3. Developers
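Review bot: the merged Project Description paragraph reads "In addition to the kernel portion, SELinux consists of a library (libselinux) and userland utilities ... in addition to other user programs", using "in addition" twice; "as well as other user programs" avoids the repetition. Since this hunk folds the old "3. What is SELinux?" chapter into Project Description and renumbers the remaining chapters (Developers becomes 3, Contributors 4, and so on), any other document linking to a specific chapter anchor of selinux/index.html now lands on a different section; worth a grep across the hardened docs before publishing.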

    @@ -77,19 +92,17 @@ - +
    blueness -blueness Policy development, Proxy (non devel= oper contributors)

    All developers can be reached by e-mail using nickname@gentoo.org.

    -

    = 5. +

    = 4. Contributors

    -The following people although non-developer is actively contributing wit= h the -project: +The following people, although non-developer, are actively contributing = to the project:

    @@ -108,7 +121,7 @@ project:
    Documentation writing, policy development, suppo= rt
    -

    = 6. +

    = 5. Subprojects

    The SELinux project has the following subprojects: @@ -120,98 +133,153 @@ project:

    Description
    Base PolicyPolicy pebenito - SELinux policy for the core system, including users, administrators, a= nd - daemons in the system profile. +Develop and maintain a secure, default set of policies for the system, i= ncluding +user and role definitions, service policies and application policies.
    Daemon PolicyUserland pebenito - SELinux policies for common daemons. +Develop and maintain the packages for SELinux userland utilities and lib= raries, +including SELinux-aware patches for more general applications and librar= ies.
    x86Kernel pebenito - Support for the x86 architecture. +Integrate, improve and maintain SELinux patches in the Linux kernel for = Gentoo +Hardened.
    AMD64Documentation pebenito - Support for the AMD64 (x86-64) architecture. +Develop and maintain SELinux documentation specific to the Gentoo distri= bution
    -

    = 7. +

    = 6. Resources

    Resources offered by the SELinux project are:

    -

    = 8. - How Do I Use This?

    +

    = 7. + Roadmap

    - SELinux can be installed on a new system by following the above instal= l guide. +The following table depics the roadmap we have in mind for the Gentoo Ha= rdened +SELinux project:

    -

    = 9. + + + + + =20 + + + + + + + + + + + + + + + + + + +
    MilestoneProgressDescriptionETA
    Userland stabilizationon track + + Stabilize the SELinux userland utilities currently available in ~arc= h. + These utilities (and libraries) are needed to cover recent SELinux p= olicies + and improve user experience within Gentoo Hardened SELinux + + 2011-05-24 +
    Policy stabilizationon track + + Stabilize the SELinux policies based on upstream 2.20101213. The cur= rent + stable policies are not compatible with the current Gentoo stable st= ate + (such as openrc support, networking/wireless and more.) + + 2011-06-07 +
    Profile stabilizationon track + + Stabilize the restructured Gentoo SELinux profiles. The existing pro= files + have proved to be a bit more daunting to manage whereas the new prof= iles are + made to be flexible yet simple to maintain. + + 2011-06-28 +
    +

    = 8. I Want to Participate

    - To participate in the SELinux project first join the mailing list at - gentoo-hardened@gentoo.org. Th= en ask if there are plans to support - something that you are interested in, propose a new subproject that yo= u are - interested in or choose one of the planned subprojects to work on. You= may talk - to the developers and users in the IRC channel #gentoo-hardened on - irc.freenode.net for more info= rmation or just to chat about the project - or any subprojects. If you don't have the ability to actively help by - contributing work we will always need testers to use and audit the SEL= inux - policies. All development, testing, feedback, and productive comments = will - be greatly appreciated. +To participate in the SELinux project first join the mailing list at +gentoo-hardened@gentoo.org. Then= ask if there are plans to support +something that you are interested in, propose a new subproject that you = are +interested in or choose one of the planned subprojects to work on. You m= ay talk +to the developers and users in the IRC channel #gentoo-hardened on +irc.freenode.net for more inform= ation or just to chat about the project +or any subprojects. If you don't have the ability to actively help by +contributing work we will always need testers to use and audit the SELin= ux +policies. All development, testing, feedback, and productive comments wi= ll +be greatly appreciated.

    -

    Policy Submissions=

    +

    Policy Submissions=

    - The critical component of a SELinux system is having a strong policy. = The - team does its best to support as many daemons as possible. However, w= e cannot - create policies for daemons with which we are unfamiliar. But we are = happy - to receive policy submissions for consideration. There are a few requ= irements: +The critical component of a SELinux system is having a strong policy. T= he +team does its best to support as many daemons as possible. However, we = cannot +create policies for daemons with which we are unfamiliar. But we are ha= ppy +to receive policy submissions for consideration. There are a few requir= ements:

      -
    • - Make comments (in the policy and/or bug), so we can understand changes - from the NSA example policy. -
    • -
    • - The policy should cover common installations. Please do not submit po= licies - for odd or nonstandard daemon configurations. -
    • -
    • - We need to know if the policy is dependent on another policy (for exam= ple - rpcd is dependent on portmap) other than base-policy. -
    • -
    • - An ebuild for the policy can also be submitted to help the developers - integrate the policy into Portage more quickly, if it is accepted. =20 - See current daemon policies in Portage for example uses of the - selinux-policy eclass. -
    • +
    • + Make comments (in the policy and/or bug), so we can understand chang= es + from the Reference Policy example policy. +
    • +
    • + The policy should cover common installations. Please do not submit = policies + for odd or nonstandard daemon configurations. +
    • +
    • + We need to know if the policy is dependent on another policy (for ex= ample + rpcd is dependent on portmap) other than base-policy. +
    • +
    • + An ebuild for the policy can also be submitted to help the developer= s + integrate the policy into Portage more quickly, if it is accepted. =20 + See current daemon policies in Portage for example uses of the + selinux-policy eclass. +

    - The policy should be submitted on = bugzilla. - Please attach the .te and .fc files separately to the bug, not as a ta= rball. - The bug should be assigned to selinux= @gentoo.org. +The policy should be submitted on bu= gzilla. +Please attach the .te and .fc files separately to the bug, not as a tarb= all. +The bug should be Cc'ed to selinux@gent= oo.org and will be properly +reassigned by the team.
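Review bot: "depics" in the new Roadmap paragraph ("The following table depics the roadmap") should be "depicts". In the Subprojects table the names are changed (Base Policy to Policy, Daemon Policy to Userland, x86 to Kernel, AMD64 to Documentation) and the descriptions rewritten, but the coordinator cell remains "pebenito" for all four rows as unchanged context; confirm that still holds for the Kernel and Documentation subprojects. The Documentation description also lacks the trailing period the other three rows have. Finally, the Userland stabilization milestone is "on track" with ETA 2011-05-24 here (the commit date itself) but "Slight delay" with the same ETA in the roadmap.html hunk of this commit; one of the two pages should be updated so they agree.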



    + + + +
    3D"Gentoo
    <= tr> + + +
    +

    Disclaimer : + This document is a work in progress and should not be considered off= icial yet. +

    +

    Gentoo Hardened Support State

    +
    +Content: + +
    +

    = 1. + Introduction

    +

    +The Gentoo Hardened project aims to support as many platforms as possibl= e. +However, this aim is restrained as we do not have access to as many plat= forms +that we want (nor do we have the resources to work on all these platform= s). As a +result, support for the individual subprojects becomes limited to those +platforms that we have access and resources to. +

    +

    +This document gives an overview of the supported platforms and, if neces= sary, +elaborates on the specific requirements in order to work with one of Gen= too +Hardened's subprojects. Note that each subproject has its own support ma= trix, +based on upstream support (which platforms are supported by the technolo= gy) and +Gentoo Hardened (for which platforms can we run tests and validate users= ' +reports and feedback). +

    +

    = 2. + Support Matrices

    +

    Hardened Toolchain=

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ArchitectureSupportAdditional notes
    x86In place +
    amd64 / x86_64In place +
    ppcIn place +
    ppc64In place +
    ia64In place +
    armIn progressContact blueness for more information
    mipsIn progressContact blueness for more information
    sparc32Unsupported
    sparc64Unsupported
    s390Unsupported
    hppaUnsupported
    +

    grSecurity (incl. PAX)=

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ArchitectureSupportAdditional notes
    x86Yet to be determ= ined
    amd64 / x86_64Yet to be determ= ined
    ppcYet to be determ= ined
    ppc64Yet to be determ= ined
    ia64Yet to be determ= ined
    armYet to be determ= ined
    mipsYet to be determ= ined
    sparc32Yet to be determ= ined
    sparc64Yet to be determ= ined
    s390Yet to be determ= ined
    hppaYet to be determ= ined
    +

    SELinux

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ArchitectureSupportAdditional notes
    x86In place + Still ~arch for the time being
    amd64 / x86_64In place + Still ~arch for the time being
    ppcUnsupported
    ppc64Unsupported
    ia64Unsupported
    armUnsupported
    mipsUnsupported
    sparc32Unsupported
    sparc64Unsupported
    s390Unsupported
    hppaUnsupported
    +

    +
    + + + + + + +

    Print

    Updated M= ay 25, 2011

    Summary:= +The support state of the Gentoo Hardened project describes the supported +platforms, setups and additional requirements for each of the subproject= s +involved.=20 +

    + Sven = Vermeulen +
    Author

    +

    Donate to support our development efforts. +

    +
    + +
    +
    +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? Contac= t us. +
    +
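Review bot: the status and naming vocabulary in the roadmap.html hunk is inconsistent across the new Goals and Milestones tables: the "Release hardened-sources-2.6.37" row reads "Done" while the architecture support rows use "Complete", and the coordinator nickname is capitalised "Zorry" in the "Document the Hardened Toolchain" row but "zorry" in the architecture rows. Pick one value per column (e.g. "Complete" and lowercase nicknames) so the tables can be scanned at a glance. Most new rows also leave the ETA and Related Bugs cells empty; if no ETA is known, a dash or "TBD" reads better than a blank cell.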
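Review bot: the support matrices in the new support-state.html mark sparc32, sparc64, s390 and hppa as "Unsupported", whereas the roadmap.html architecture table in this same commit lists sparc32, sparc64 and s390 as "Unassigned" and only hppa as "Not supported"; "Unassigned" reads as open work and "Unsupported" as a decision, so either align the two pages or explain the difference in the "Additional notes" column. Two grammar fixes in the Introduction: "as many platforms that we want" should be "as many platforms as we want", and "platforms that we have access and resources to" reads better as "platforms to which we have access and resources".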