From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from <gentoo-commits+bounces-346388-garchives=archives.gentoo.org@lists.gentoo.org>) id 1QNVRH-0003y2-Rh for garchives@archives.gentoo.org; Fri, 20 May 2011 19:32:48 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C87831C0A1; Fri, 20 May 2011 19:32:40 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 764811C0A1 for <gentoo-commits@lists.gentoo.org>; Fri, 20 May 2011 19:32:40 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B78512AC001 for <gentoo-commits@lists.gentoo.org>; Fri, 20 May 2011 19:32:39 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id DEE098001E for <gentoo-commits@lists.gentoo.org>; Fri, 20 May 2011 19:32:38 +0000 (UTC) 
From: "Sven Vermeulen" <sven.vermeulen@siphos.be> To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be> Message-ID: <5e3c2053b7b3c2728f0a4d12653ea5f550edf495.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/index.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 5e3c2053b7b3c2728f0a4d12653ea5f550edf495 Date: Fri, 20 May 2011 19:32:38 +0000 (UTC) Precedence: bulk List-Post: <mailto:gentoo-commits@lists.gentoo.org> List-Help: <mailto:gentoo-commits+help@lists.gentoo.org> List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org> List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org> List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org> X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 824f7341235a47c07f4be82dc514dacd commit: 5e3c2053b7b3c2728f0a4d12653ea5f550edf495 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Fri May 20 19:32:03 2011 +0000 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> CommitDate: Fri May 20 19:32:03 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D5e3c2053 Add roadmap, improve wording --- xml/selinux/index.xml | 264 ++++++++++++++++++++++++++++++-------------= ------ 1 files changed, 160 insertions(+), 104 deletions(-) diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml index 41535f8..049baa5 100644 --- a/xml/selinux/index.xml +++ b/xml/selinux/index.xml 
@@ -9,108 +9,163 @@ <longname>SELinux</longname> =20 <description> - SELinux is a system of mandatory access controls. SELinux can enforce - the security policy over all processes and objects in the system. +SELinux is a system of mandatory access controls. SELinux can enforce +the security policy over all processes and objects in the system. </description> =20 -<longdescription><p> - This project manages SELinux support in Gentoo. This includes providin= g - kernels with SELinux support, providing patches to userland utilities, = writing - strong Gentoo-specific default profiles, and deploying policies from Po= rtage. -</p></longdescription> - -<goals><p> - The intention of the project is to make SELinux available to more user= s, and - improving its integration. - Policy should be available for common daemons, and files merged in fro= m Portage - should have the correct file context. Currently we only work on serve= rs, but - desktops will be supported in the future. -</p></goals> - -<extrachapter position=3D"goals"> -<title>What is SELinux?</title> -<section><body> +<longdescription> <p> - <uri link=3D"http://www.nsa.gov/research/selinux/index.shtml">Security= -Enhanced - Linux</uri> (SELinux) is a system of mandatory access control using ty= pe - enforcement and role-based access control. It is implemented as a <uri - link=3D"http://lsm.immunix.org/">Linux Security Module</uri> (LSM). In= addition - to the kernel portion, SELinux consists of a library (libselinux) and = userland - utilities for compiling policy (checkpolicy), and loading policy - (policycoreutils), in addition to other user programs. +This project manages SELinux support in Gentoo. This includes providing +kernels with SELinux support, providing patches to userland utilities, w= riting +strong Gentoo-specific default profiles, and maintaining a good default = set of +policies. </p> <p> - One common misconception is that SELinux is a complete security soluti= on, - however, it is not. 
SELinux only provides one piece of a security - solution. It can work well with other Hardened projects, such as PaX, - for a more complete solution. +<uri link=3D"http://www.nsa.gov/research/selinux/index.shtml">Security-E= nhanced +Linux</uri> (SELinux) is a Mandatory Access Control system using type +enforcement and role-based access control. It is integrated within Linux= as a=20 +<uri link=3D"http://lsm.immunix.org/">Linux Security Module</uri> (LSM)=20 +implementation. In addition to the kernel portion, SELinux consists of a= library +(libselinux) and userland utilities for compiling policy (checkpolicy), = and loading +policy (policycoreutils), in addition to other user programs. </p> -</body></section> -</extrachapter> +<p> +One common misconception is that SELinux is a complete security solution= . It is +not. SELinux only provides access control on system objects. It can wo= rk well +with other Hardened projects, such as PaX, for a more complete solution. +</p> +</longdescription> + +<goals> +<p> +Our goal is to make SELinux (with Gentoo Hardened) available to more use= rs. 
+As a result, we +</p> + +<ul> + <li> + develop, improve and maintain the proper documentation and learning + material for end users to master SELinux + </li> + <li> + maintain a stable yet progressive set of userland tools that are nee= ded + to interoperate with SELinux on a Linux system (such as the core uti= lities, + libselinux and more) + </li> + <li> + focus on the integration of SELinux and SELinux-awareness within the= Gentoo + distribution, offering the necessary feedback on Portage and other u= tilities + </li> + <li> + develop, improve and maintain a good and secure default policy, base= d on the + reference policy, so that end users have no difficulties working wit= h and + enhancing SELinux within their environment + </li> +</ul> +</goals> =20 <dev role=3D"lead" description=3D"Policy, x86, AMD64">pebenito</dev> -<dev role=3D"Policy development, Proxy (non developer contributors)">blu= eness -</dev> +<dev role=3D"Policy development, Proxy (non developer contributors)">blu= eness</dev> =20 -<extraproject name=3D"Base Policy" lead=3D"pebenito"> - SELinux policy for the core system, including users, administrators, a= nd - daemons in the system profile. +<extraproject name=3D"Policy" lead=3D"pebenito"> +Develop and maintain a secure, default set of policies for the system, i= ncluding +user and role definitions, service policies and application policies. </extraproject> -<extraproject name=3D"Daemon Policy" lead=3D"pebenito"> - SELinux policies for common daemons. +<extraproject name=3D"Userland" lead=3D"pebenito"> +Develop and maintain the packages for SELinux userland utilities and lib= raries, +including SELinux-aware patches for more general applications and librar= ies. </extraproject> -<extraproject name=3D"x86" lead=3D"pebenito"> - Support for the x86 architecture. +<extraproject name=3D"Kernel" lead=3D"pebenito"> +Integrate, improve and maintain SELinux patches in the Linux kernel for = Gentoo +Hardened. 
</extraproject> -<extraproject name=3D"AMD64" lead=3D"pebenito"> - Support for the AMD64 (x86-64) architecture. +<extraproject name=3D"Documentation" lead=3D"pebenito"> +Develop and maintain SELinux documentation specific to the Gentoo distri= bution </extraproject> =20 -<!-- There's a difference between "nice-to-have" and "planned" -<plannedproject name=3D"non-x86 Support"> - Profiles, installation guides, and support for non-x86 architectures. -</plannedproject> -<plannedproject name=3D"Desktop"> - SELinux support on destktops. This involves enhancements to XFree'= ;s - security, and accompanying policy. -</plannedproject> ---> +<resource link=3D"/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo= SELinux Handbook (including installation)</resource> +<resource link=3D"/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ<= /resource> =20 <!-- -<resource link=3D"http://selinux.dev.gentoo.org">SELinux Demonstration M= achine</resource> + Roadmap --> -<resource link=3D"/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo= SELinux Handbook</resource> -<resource link=3D"/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ<= /resource> - -<extrachapter position=3D"devs"> -<title>Contributors</title> +<extrachapter> +<title>Roadmap</title> <section> <body> =20 <p> -The following people although non-developer is actively contributing wit= h the -project: +The following table depics the roadmap we have in mind for the Gentoo Ha= rdened +SELinux project: </p> + <table> -<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr> -<tr><ti>Chris Richards</ti><ti>gizmo</ti> -<ti>Policy development, support</ti></tr> -<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti> -<ti>Documentation writing, policy development, support</ti></tr> +<tr> + <th>Milestone</th> + <th>Progress</th> + <!-- + Use <keyword>on track</keyword> + Use <comment>delayed</comment> + --> + <th>Description</th> + <th>ETA</th> +</tr> +<tr> + <ti>Userland stabilization</ti> + <ti><keyword>on track</keyword></ti> 
+ <ti> + Stabilize the SELinux userland utilities currently available in ~arc= h. + These utilities (and libraries) are needed to cover recent SELinux p= olicies + and improve user experience within Gentoo Hardened SELinux + </ti> + <ti> + 2011-05-24 + </ti> +</tr> +<tr> + <ti>Policy stabilization</ti> + <ti><keyword>on track</keyword></ti> + <ti> + Stabilize the SELinux policies based on upstream 2.20101213. The cur= rent + stable policies are not compatible with the current Gentoo stable st= ate + (such as openrc support, networking/wireless and more.) + </ti> + <ti> + 2011-06-07 + </ti> +</tr> +<tr> + <ti>Profile stabilization</ti> + <ti><keyword>on track</keyword></ti> + <ti> + Stabilize the restructured Gentoo SELinux profiles. The existing pro= files + have proved to be a bit more daunting to manage whereas the new prof= iles are + made to be flexible yet simple to maintain. + </ti> + <ti> + 2011-06-28 + </ti> +</tr> </table> =20 </body> </section> </extrachapter> =20 - -<extrachapter position=3D"resources"> -<title>How Do I Use This?</title> +<extrachapter position=3D"devs"> +<title>Contributors</title> <section> <body> + <p> - SELinux can be installed on a new system by following the above instal= l guide. +The following people, although non-developer, are actively contributing = to the project: </p> +<table> +<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr> +<tr><ti>Chris Richards</ti><ti>gizmo</ti><ti>Policy development, support= </ti></tr> +<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti><ti>Documentation writing, poli= cy development, support</ti></tr> +</table> + </body> </section> </extrachapter> 
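Review bot: typo in the roadmap intro paragraph: "The following table depics the roadmap" should read "depicts". Two smaller wording points in the same hunk: the new Contributors paragraph "The following people, although non-developer, are actively contributing to the project" reads better as "although not developers", and the Documentation extraproject description ("Develop and maintain SELinux documentation specific to the Gentoo distribution") is the only one without a trailing period. The Roadmap `<extrachapter>` is also added without a `position` attribute while the Contributors chapter keeps `position="devs"`; if the project page layout expects one, state where the roadmap should render.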
@@ -120,51 +175,52 @@ project: <section> <body> <p> - To participate in the SELinux project first join the mailing list at - <c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to supp= ort - something that you are interested in, propose a new subproject that yo= u are - interested in or choose one of the planned subprojects to work on. You= may talk - to the developers and users in the IRC channel <c>#gentoo-hardened</c>= on - <c>irc.freenode.net</c> for more information or just to chat about the= project - or any subprojects. If you don't have the ability to actively help by - contributing work we will always need testers to use and audit the SEL= inux - policies. All development, testing, feedback, and productive comments = will - be greatly appreciated. +To participate in the SELinux project first join the mailing list at +<c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to suppor= t +something that you are interested in, propose a new subproject that you = are +interested in or choose one of the planned subprojects to work on. You m= ay talk +to the developers and users in the IRC channel <c>#gentoo-hardened</c> o= n +<c>irc.freenode.net</c> for more information or just to chat about the p= roject +or any subprojects. If you don't have the ability to actively help by +contributing work we will always need testers to use and audit the SELin= ux +policies. All development, testing, feedback, and productive comments wi= ll +be greatly appreciated. </p> </body> </section> <section><title>Policy Submissions</title> <body> <p> - The critical component of a SELinux system is having a strong policy. = The - team does its best to support as many daemons as possible. However, w= e cannot - create policies for daemons with which we are unfamiliar. But we are = happy - to receive policy submissions for consideration. There are a few requ= irements: +The critical component of a SELinux system is having a strong policy. 
T= he +team does its best to support as many daemons as possible. However, we = cannot +create policies for daemons with which we are unfamiliar. But we are ha= ppy +to receive policy submissions for consideration. There are a few requir= ements: </p> <ul> -<li> - Make comments (in the policy and/or bug), so we can understand changes - from the NSA example policy. -</li> -<li> - The policy should cover common installations. Please do not submit po= licies - for odd or nonstandard daemon configurations. -</li> -<li> - We need to know if the policy is dependent on another policy (for exam= ple - rpcd is dependent on portmap) other than base-policy. -</li> -<li> - An ebuild for the policy can also be submitted to help the developers - integrate the policy into Portage more quickly, if it is accepted. =20 - See current daemon policies in Portage for example uses of the - selinux-policy eclass. -</li> + <li> + Make comments (in the policy and/or bug), so we can understand chang= es + from the Reference Policy example policy. + </li> + <li> + The policy should cover common installations. Please do not submit = policies + for odd or nonstandard daemon configurations. + </li> + <li> + We need to know if the policy is dependent on another policy (for ex= ample + rpcd is dependent on portmap) other than base-policy. + </li> + <li> + An ebuild for the policy can also be submitted to help the developer= s + integrate the policy into Portage more quickly, if it is accepted. =20 + See current daemon policies in Portage for example uses of the + selinux-policy eclass. + </li> </ul> <p> - The policy should be submitted on <uri link=3D"http://bugs.gentoo.org/= ">bugzilla</uri>. - Please attach the .te and .fc files separately to the bug, not as a ta= rball. - The bug should be assigned to <c>selinux@gentoo.org</c>. +The policy should be submitted on <uri link=3D"http://bugs.gentoo.org/">= bugzilla</uri>. 
+Please attach the .te and .fc files separately to the bug, not as a tarb= all. +The bug should be Cc'ed to <c>selinux@gentoo.org</c> and will be properl= y +reassigned by the team. </p> </body> </section>
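Review bot: "from the Reference Policy example policy" in the first submission requirement is doubled up; "from the Reference Policy" (the upstream policy the Gentoo policy is now based on, per the goals section) is enough. The ebuild requirement still ends "if it is accepted. =20" before "See current daemon policies", i.e. a trailing space survives the reindent and could be dropped while this list is being touched. The change from "assigned to" to "Cc'ed to <c>selinux@gentoo.org</c> and will be properly reassigned by the team" is a good clarification of the bug workflow; consider also asking submitters to state which policy version (the upstream 2.20101213 base named in the roadmap) their .te and .fc files were written against, since the requirements already ask about dependencies on other policies.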