public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Fri, 20 May 2011 19:32:38 +0000 (UTC)	[thread overview]
Message-ID: <5e3c2053b7b3c2728f0a4d12653ea5f550edf495.SwifT@gentoo> (raw)

commit:     5e3c2053b7b3c2728f0a4d12653ea5f550edf495
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 20 19:32:03 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 20 19:32:03 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5e3c2053

Add roadmap, improve wording

---
 xml/selinux/index.xml |  264 ++++++++++++++++++++++++++++++-------------------
 1 files changed, 160 insertions(+), 104 deletions(-)

diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 41535f8..049baa5 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -9,108 +9,163 @@
 <longname>SELinux</longname>
 
 <description>
-  SELinux is a system of mandatory access controls.  SELinux can enforce
-  the security policy over all processes and objects in the system.
+SELinux is a system of mandatory access controls.  SELinux can enforce
+the security policy over all processes and objects in the system.
 </description>
 
-<longdescription><p>
-	This project manages SELinux support in Gentoo.  This includes providing
-	kernels with SELinux support, providing patches to userland utilities, writing
-	strong Gentoo-specific default profiles, and deploying policies from Portage.
-</p></longdescription>
-
-<goals><p>
-  The intention of the project is to make SELinux available to more users, and
-  improving its integration.
-  Policy should be available for common daemons, and files merged in from Portage
-  should have the correct file context.  Currently we only work on servers, but
-  desktops will be supported in the future.
-</p></goals>
-
-<extrachapter position="goals">
-<title>What is SELinux?</title>
-<section><body>
+<longdescription>
 <p>
-  <uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
-  Linux</uri> (SELinux) is a system of mandatory access control using type
-  enforcement and role-based access control. It is implemented as a <uri
-  link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM). In addition
-  to the kernel portion, SELinux consists of a library (libselinux) and userland
-  utilities for compiling policy (checkpolicy), and loading policy
-  (policycoreutils), in addition to other user programs.
+This project manages SELinux support in Gentoo.  This includes providing
+kernels with SELinux support, providing patches to userland utilities, writing
+strong Gentoo-specific default profiles, and maintaining a good default set of
+policies.
 </p>
 <p>
-  One common misconception is that SELinux is a complete security solution,
-  however, it is not.  SELinux only provides one piece of a security
-  solution.  It can work well with other Hardened projects, such as PaX,
-  for a more complete solution.
+<uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
+Linux</uri> (SELinux) is a Mandatory Access Control system using type
+enforcement and role-based access control. It is integrated within Linux as a 
+<uri link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM) 
+implementation. In addition to the kernel portion, SELinux consists of a library
+(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
+policy (policycoreutils), in addition to other user programs.
 </p>
-</body></section>
-</extrachapter>
+<p>
+One common misconception is that SELinux is a complete security solution. It is
+not.  SELinux only provides access control on system objects.  It can work well
+with other Hardened projects, such as PaX, for a more complete solution.
+</p>
+</longdescription>
+
+<goals>
+<p>
+Our goal is to make SELinux (with Gentoo Hardened) available to more users.
+As a result, we
+</p>
+
+<ul>
+  <li>
+    develop, improve and maintain the proper documentation and learning
+    material for end users to master SELinux
+  </li>
+  <li>
+    maintain a stable yet progressive set of userland tools that are needed
+    to interoperate with SELinux on a Linux system (such as the core utilities,
+    libselinux and more)
+  </li>
+  <li>
+    focus on the integration of SELinux and SELinux-awareness within the Gentoo
+    distribution, offering the necessary feedback on Portage and other utilities
+  </li>
+  <li>
+    develop, improve and maintain a good and secure default policy, based on the
+    reference policy, so that end users have no difficulties working with and
+    enhancing SELinux within their environment
+  </li>
+</ul>
+</goals>
 
 <dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
-<dev role="Policy development, Proxy (non developer contributors)">blueness
-</dev>
+<dev role="Policy development, Proxy (non developer contributors)">blueness</dev>
 
-<extraproject name="Base Policy" lead="pebenito">
-  SELinux policy for the core system, including users, administrators, and
-  daemons in the system profile.
+<extraproject name="Policy" lead="pebenito">
+Develop and maintain a secure, default set of policies for the system, including
+user and role definitions, service policies and application policies.
 </extraproject>
-<extraproject name="Daemon Policy" lead="pebenito">
-  SELinux policies for common daemons.
+<extraproject name="Userland" lead="pebenito">
+Develop and maintain the packages for SELinux userland utilities and libraries,
+including SELinux-aware patches for more general applications and libraries.
 </extraproject>
-<extraproject name="x86" lead="pebenito">
-  Support for the x86 architecture.
+<extraproject name="Kernel" lead="pebenito">
+Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
+Hardened.
 </extraproject>
-<extraproject name="AMD64" lead="pebenito">
-  Support for the AMD64 (x86-64) architecture.
+<extraproject name="Documentation" lead="pebenito">
+Develop and maintain SELinux documentation specific to the Gentoo distribution
 </extraproject>
 
-<!-- There's a difference between "nice-to-have" and "planned"
-<plannedproject name="non-x86 Support">
-  Profiles, installation guides, and support for non-x86 architectures.
-</plannedproject>
-<plannedproject name="Desktop">
-  SELinux support on destktops.  This involves enhancements to XFree&#39;s
-  security, and accompanying policy.
-</plannedproject>
--->
+<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (including installation)</resource>
+<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
 
 <!--
-<resource link="http://selinux.dev.gentoo.org">SELinux Demonstration Machine</resource>
+     Roadmap
 -->
-<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</resource>
-<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
-
-<extrachapter position="devs">
-<title>Contributors</title>
+<extrachapter>
+<title>Roadmap</title>
 <section>
 <body>
 
 <p>
-The following people although non-developer is actively contributing with the
-project:
+The following table depics the roadmap we have in mind for the Gentoo Hardened
+SELinux project:
 </p>
+
 <table>
-<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
-<tr><ti>Chris Richards</ti><ti>gizmo</ti>
-<ti>Policy development, support</ti></tr>
-<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
-<ti>Documentation writing, policy development, support</ti></tr>
+<tr>
+  <th>Milestone</th>
+  <th>Progress</th>
+  <!--
+       Use <keyword>on track</keyword>
+       Use <comment>delayed</comment>
+  -->
+  <th>Description</th>
+  <th>ETA</th>
+</tr>
+<tr>
+  <ti>Userland stabilization</ti>
+  <ti><keyword>on track</keyword></ti>
+  <ti>
+    Stabilize the SELinux userland utilities currently available in ~arch.
+    These utilities (and libraries) are needed to cover recent SELinux policies
+    and improve user experience within Gentoo Hardened SELinux
+  </ti>
+  <ti>
+    2011-05-24
+  </ti>
+</tr>
+<tr>
+  <ti>Policy stabilization</ti>
+  <ti><keyword>on track</keyword></ti>
+  <ti>
+    Stabilize the SELinux policies based on upstream 2.20101213. The current
+    stable policies are not compatible with the current Gentoo stable state
+    (such as openrc support, networking/wireless and more.)
+  </ti>
+  <ti>
+    2011-06-07
+  </ti>
+</tr>
+<tr>
+  <ti>Profile stabilization</ti>
+  <ti><keyword>on track</keyword></ti>
+  <ti>
+    Stabilize the restructured Gentoo SELinux profiles. The existing profiles
+    have proved to be a bit more daunting to manage whereas the new profiles are
+    made to be flexible yet simple to maintain.
+  </ti>
+  <ti>
+    2011-06-28
+  </ti>
+</tr>
 </table>
 
 </body>
 </section>
 </extrachapter>
 
-
-<extrachapter position="resources">
-<title>How Do I Use This?</title>
+<extrachapter position="devs">
+<title>Contributors</title>
 <section>
 <body>
+
 <p>
-  SELinux can be installed on a new system by following the above install guide.
+The following people, although non-developer, are actively contributing to the project:
 </p>
+<table>
+<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
+<tr><ti>Chris Richards</ti><ti>gizmo</ti><ti>Policy development, support</ti></tr>
+<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti><ti>Documentation writing, policy development, support</ti></tr>
+</table>
+
 </body>
 </section>
 </extrachapter>
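Review bot: typo in the roadmap intro, `The following table depics the roadmap` should read `depicts`. Two smaller points in the same hunk: the Documentation extraproject text `Develop and maintain SELinux documentation specific to the Gentoo distribution` is the only subproject description without a closing full stop, and the new `<extrachapter>` for the Roadmap carries no `position` attribute while the Contributors chapter keeps `position="devs"`, so confirm the project page template places an unpositioned chapter where it is meant to appear. The longdescription also picks up trailing whitespace after `integrated within Linux as a` and after `(LSM)`.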
@@ -120,51 +175,52 @@ project:
 <section>
 <body>
 <p>
-  To participate in the SELinux project first join the mailing list at
-  <c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to support
-  something that you are interested in, propose a new subproject that you are
-  interested in or choose one of the planned subprojects to work on. You may talk
-  to the developers and users in the IRC channel <c>#gentoo-hardened</c> on
-  <c>irc.freenode.net</c> for more information or just to chat about the project
-  or any subprojects. If you don't have the ability to actively help by
-  contributing work we will always need testers to use and audit the SELinux
-  policies. All development, testing, feedback, and productive comments will
-  be greatly appreciated.
+To participate in the SELinux project first join the mailing list at
+<c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to support
+something that you are interested in, propose a new subproject that you are
+interested in or choose one of the planned subprojects to work on. You may talk
+to the developers and users in the IRC channel <c>#gentoo-hardened</c> on
+<c>irc.freenode.net</c> for more information or just to chat about the project
+or any subprojects. If you don't have the ability to actively help by
+contributing work we will always need testers to use and audit the SELinux
+policies. All development, testing, feedback, and productive comments will
+be greatly appreciated.
 </p>
 </body>
 </section>
 <section><title>Policy Submissions</title>
 <body>
 <p>
-  The critical component of a SELinux system is having a strong policy.  The
-  team does its best to support as many daemons as possible.  However, we cannot
-  create policies for daemons with which we are unfamiliar.  But we are happy
-  to receive policy submissions for consideration.  There are a few requirements:
+The critical component of a SELinux system is having a strong policy.  The
+team does its best to support as many daemons as possible.  However, we cannot
+create policies for daemons with which we are unfamiliar.  But we are happy
+to receive policy submissions for consideration.  There are a few requirements:
 </p>
 <ul>
-<li>
-  Make comments (in the policy and/or bug), so we can understand changes
-  from the NSA example policy.
-</li>
-<li>
-  The policy should cover common installations.  Please do not submit policies
-  for odd or nonstandard daemon configurations.
-</li>
-<li>
-  We need to know if the policy is dependent on another policy (for example
-  rpcd is dependent on portmap) other than base-policy.
-</li>
-<li>
-  An ebuild for the policy can also be submitted to help the developers
-  integrate the policy into Portage more quickly, if it is accepted.  
-  See current daemon policies in Portage for example uses of the
-  selinux-policy eclass.
-</li>
+  <li>
+    Make comments (in the policy and/or bug), so we can understand changes
+    from the Reference Policy example policy.
+  </li>
+  <li>
+    The policy should cover common installations.  Please do not submit policies
+    for odd or nonstandard daemon configurations.
+  </li>
+  <li>
+    We need to know if the policy is dependent on another policy (for example
+    rpcd is dependent on portmap) other than base-policy.
+  </li>
+  <li>
+    An ebuild for the policy can also be submitted to help the developers
+    integrate the policy into Portage more quickly, if it is accepted.  
+    See current daemon policies in Portage for example uses of the
+    selinux-policy eclass.
+  </li>
 </ul>
 <p>
-  The policy should be submitted on <uri link="http://bugs.gentoo.org/">bugzilla</uri>.
-  Please attach the .te and .fc files separately to the bug, not as a tarball.
-  The bug should be assigned to <c>selinux@gentoo.org</c>.
+The policy should be submitted on <uri link="http://bugs.gentoo.org/">bugzilla</uri>.
+Please attach the .te and .fc files separately to the bug, not as a tarball.
+The bug should be Cc'ed to <c>selinux@gentoo.org</c> and will be properly
+reassigned by the team.
 </p>
 </body>
 </section>
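Review bot: `changes from the Reference Policy example policy` doubles the word policy; `changes from the upstream Reference Policy` says the same thing more cleanly. The re-indented ebuild bullet keeps the trailing whitespace after `if it is accepted.`, which this whitespace-only reindent was a good chance to drop.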


