From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RSwdq-0007un-0q for garchives@archives.gentoo.org; Tue, 22 Nov 2011 20:08:30 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AC90221C0BF; Tue, 22 Nov 2011 20:08:15 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 5974B21C0BF for ; Tue, 22 Nov 2011 20:08:15 +0000 (UTC)
Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 78F981B402A for ; Tue, 22 Nov 2011 20:08:14 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id E2C1B8004C for ; Tue, 22 Nov 2011 20:08:13 +0000 (UTC)
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux-bugreporting.xml X-VCS-Directories: xml/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cf4aaf2bf53d3dd358a54e3253796d23a0f33395 Date: Tue, 22 Nov 2011 20:08:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: de261a9c-b200-4c87-8cd2-eec112a46888 X-Archives-Hash: 5919e550d1a0a5c27b088dd49a3e87a7 commit: cf4aaf2bf53d3dd358a54e3253796d23a0f33395 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 22 20:05:18 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Nov 22 20:05:18 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Dcf4aaf2b Adding SELinux bugreporting guide --- xml/selinux-bugreporting.xml | 171 ++++++++++++++++++++++++++++++++++++= ++++++ 1 files changed, 171 insertions(+), 0 deletions(-) diff --git a/xml/selinux-bugreporting.xml b/xml/selinux-bugreporting.xml new file mode 100644 index 0000000..bfc13ad --- /dev/null +++ b/xml/selinux-bugreporting.xml @@ -0,0 +1,171 @@ + + + + + +Gentoo Hardened SELinux Development Policy + + + + + + +This guide helps users to create a properly filled out bug report for SE= Linux +policy updates. + + + + + + +1 +2011-11-22 + + +So you got a bug? +
+Introduction + + +

+When working with a SELinux-enabled system, you will notice that some po= licies +are far from perfect. That is to be expected, since there are a lot more +policies and SELinux policy modules than we can thoroughly test. That is= why bug +reports are very important for us as they give us much-needed feedback o= n the +state of the policies. Also, since we follow the reference policy closel= y, +patches are also sent upstream so that other distributions can benefit f= rom the +updates. +

+ +

+However, debugging and fixing SELinux policies also means that we need t= o +identify a proper policy failure, find the root cause of this failure an= d have +an optimal solution. Since we are talking about security policies= , much +attention goes into details, but also in the many eyes paradigm t= o +validate if a policy fix is correct or not. +

+ +

+That is one of the reasons why we created this bugreport as it helps you= , as the +feedback-providing user, to both properly figure out why a failure occur= s and +how to fix it, but also why we are quite strict in the acceptance of pat= ches. +

+ + +
+
+Short version + + +

+When reporting SELinux policy fixes based on AVC denials, +

+ +
    +
  • + structure the denials and try to create one bug report per logically + coherent set of denials. Don't push all your AVC denials onto us. +
  • +
  • + make sure you can reproduce the issue and that you have the ability = to + reproduce while we work on the fix. We cannot test all policies ours= elves. +
  • +
  • + report the application failure output as well, not only the AVC deni= al. We + need to know what the application is trying to do (and failing to do= ) to fix + the problem. +
  • +
+ + +
+
+ + +Bugs related to AVC denials (and non-functional applications)</ti= tle> +<section> +<title>About + + +

+In this section, we'll go into the details of creating a helpful bug rep= ort for +SELinux policies in case you have an AVC denial (which means SELinux is +prohibiting a certain privilege request) that results in the failure of = the +application. +

+ + + +
+Structure the denials + + +

+When you get one or more AVC denials, try to structure them into logical= ly +coherent sets. We cannot easily deal with several dozen denials. Most of= the +time, you either get multiple denials of the same cause, or the denials = are not +truely related. +

+ +

+When we need to fix the SELinux policy, nine out of ten times we focus o= n one or +a few related denials and come up with a proper fix. When there is an ab= undance +of AVC denials, we need to skim through them (which we usually then do o= ne at a +time) which puts a lot of stress on you (the reporter) as we will ask yo= u +hundred-and-one questions and requests for testing. +

+ + +
+
+Prepare for testing + + +

+When you report a SELinux policy related bug, make sure you are ready to= test +the results that we want to put in. We cannot test out all applications +ourselves. Sometimes, a failure is even only reproducable on a specific = setup. +

+ + +
+
+Report the application failure + + +

+More than once, we get bug reports on SELinux policy denials where the u= ser is +still running in permissive mode. He is reporting the denials because he= is +afraid that he will not be able to run it in enforcing mode without the = denials +being fixed. +

+ +

+However, denials can be cosmetic, in which case we should actuall= y hide +the denials rather than allow their requests. Also, when you run in perm= issive +mode, it is very much possible that the denials would never be reached w= hen +running in enforcing mode because of earlier denials (which, coincidenta= lly, +might be wrongly hidden from your logs). +

+ +

+For this reason, we urge you to give us not only the AVC denial informat= ion, but +also the application failure log output when running in enforcing mode. +

+ +

+The Gentoo Hardened SELinux +Handbook will guide you through the process of migrating from a pe= rmissive +system into an enforcing mode. If you believe that booting in enforcing = is not +possible yet, just boot in permissive, log on as root, run setenforce= 1 +and only then log on as user(s) to reproduce your situation. There is al= so a +Trouble= shooting +SELinux section that helps you identify common bottlenecks or issu= es while +trying to get SELinux running on your system. +

+ + +
+
+ +
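Review bot: the document title in the header of the new file reads "Gentoo Hardened SELinux Development Policy", which contradicts both the abstract ("This guide helps users to create a properly filled out bug report for SELinux policy updates") and the file name selinux-bugreporting.xml; it looks carried over from another guide and should be something like "Gentoo Hardened SELinux Bug Reporting Guide". Smaller fixes in the same file: "truely" in the "Structure the denials" section should be "truly", "reproducable" in "Prepare for testing" should be "reproducible", and "we created this bugreport" in the introduction presumably means "this guide". In "Report the application failure", the text warns that earlier denials may be "wrongly hidden from your logs" but gives the reporter no way to surface them; one sentence on temporarily disabling the dontaudit rules before collecting the enforcing-mode log (semodule -DB rebuilds the policy with those rules disabled, semodule -B restores them) would make the requested log actually complete and spare the back-and-forth the "Structure the denials" section complains about.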