[gentoo-hardened] SELinux documentation draft

[gentoo-hardened] SELinux documentation draft

[Sven Vermeulen]

[-- Attachment #1: Type: text/plain, Size: 1981 bytes --]

Hi everyone,

I've been working on bringing the SELinux handbook as currently available on
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
up2date. It's somewhat of a rewrite, but with all elements of the original
SELinux handbook still inside it (apart from the troubleshooting as I guess
those are quite outdated, being from 2006 and older).

The draft is currently available in the hardened-docs.git repository. In
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=html/selinux;hb=HEAD
you should be able to select individual chapters (HTML format) in the "raw"
tree to view them somewhat like they would on the Gentoo site, but for your
convenience there's also a PDF available at
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=pdf;hb=HEAD

The new draft is structed in three parts:

Part A - Introduction to Gentoo/Hardened SELinux
  Chapter 1. Enhancing Linux Security
  Chapter 2. SELinux Concepts
  Chapter 3. The SELinux (Reference) Policy
Part B - Using Gentoo/Hardened SELinux
  Chapter 1. Gentoo SELinux Installation / Conversion
  Chapter 2. SELinux Commands
  Chapter 3. Running in Permissive Mode
  Chapter 4. Switching to Enforcing Mode
  Chapter 5. Adding SELinux Policy Modules
Part C - Appendices
  Chapter 1. Troubleshooting SELinux
  Chapter 2. SELinux Reference Material

If time permits, part A will have a fourth chapter on virtualization and
SELinux, but I gather that's more for the next update on the documentation.

The document is currently written with the ebuilds in hardened-development
overlay in mind, so everyone interested in giving Gentoo Hardened with
SELinux a try can use the draft documentation with the
"hardened-development" overlay.

For the time being the document only supports the type enforcement features
of SELinux. MLS/MCS has not been touched yet.

Feedback is always welcome, including language mistakes, typos or just plain
lies.

Wkr,
  Sven Vermeulen

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-hardened] SELinux documentation draft

[klondike]

Thanks for the hard work Sven, I was surprised of how much changed
with my last pull of the tree :D

Re: [gentoo-hardened] SELinux documentation draft

[Chris Richards]

Indeed, Sven has put a lot of work into the new manual.  It is very much 
appreciated.

On 01/06/2011 06:43 PM, klondike wrote:
> Thanks for the hard work Sven, I was surprised of how much changed
> with my last pull of the tree :D
>
>

Re: [gentoo-hardened] SELinux documentation draft

[Asaf Gery]

[-- Attachment #1: Type: text/plain, Size: 2195 bytes --]

Thanks Sven,
I appreciate your dedication.

Asaf

On Fri, Jan 7, 2011 at 00:32, Sven Vermeulen <sven.vermeulen@siphos.be>wrote:

> Hi everyone,
>
> I've been working on bringing the SELinux handbook as currently available
> on
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
> up2date. It's somewhat of a rewrite, but with all elements of the original
> SELinux handbook still inside it (apart from the troubleshooting as I guess
> those are quite outdated, being from 2006 and older).
>
> The draft is currently available in the hardened-docs.git repository. In
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=html/selinux;hb=HEAD
> you should be able to select individual chapters (HTML format) in the "raw"
> tree to view them somewhat like they would on the Gentoo site, but for your
> convenience there's also a PDF available at
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=pdf;hb=HEAD
>
> The new draft is structed in three parts:
>
> Part A - Introduction to Gentoo/Hardened SELinux
>  Chapter 1. Enhancing Linux Security
>  Chapter 2. SELinux Concepts
>  Chapter 3. The SELinux (Reference) Policy
> Part B - Using Gentoo/Hardened SELinux
>  Chapter 1. Gentoo SELinux Installation / Conversion
>  Chapter 2. SELinux Commands
>  Chapter 3. Running in Permissive Mode
>  Chapter 4. Switching to Enforcing Mode
>  Chapter 5. Adding SELinux Policy Modules
> Part C - Appendices
>  Chapter 1. Troubleshooting SELinux
>  Chapter 2. SELinux Reference Material
>
> If time permits, part A will have a fourth chapter on virtualization and
> SELinux, but I gather that's more for the next update on the documentation.
>
> The document is currently written with the ebuilds in hardened-development
> overlay in mind, so everyone interested in giving Gentoo Hardened with
> SELinux a try can use the draft documentation with the
> "hardened-development" overlay.
>
> For the time being the document only supports the type enforcement features
> of SELinux. MLS/MCS has not been touched yet.
>
> Feedback is always welcome, including language mistakes, typos or just
> plain
> lies.
>
> Wkr,
>   Sven Vermeulen
>

[-- Attachment #2: Type: text/html, Size: 3055 bytes --]

Re: [gentoo-hardened] SELinux documentation draft

[Chris PeBenito]

On 1/6/2011 5:32 PM, Sven Vermeulen wrote:
> I've been working on bringing the SELinux handbook as currently available on
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
> up2date. It's somewhat of a rewrite, but with all elements of the original
> SELinux handbook still inside it (apart from the troubleshooting as I guess
> those are quite outdated, being from 2006 and older).

The troubleshooting is not outdated, though there could be a few additions.

> The draft is currently available in the hardened-docs.git repository. In
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=html/selinux;hb=HEAD
> you should be able to select individual chapters (HTML format) in the "raw"
> tree to view them somewhat like they would on the Gentoo site, but for your
> convenience there's also a PDF available at
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=tree;f=pdf;hb=HEAD

I looked through section 1 and 2 of the pdf version, and here are my 
notes so far:

1.2.1 The best way to look at security is by defining your security 
goals.  An example would be protecting critical system files, such as 
the kernel image, shadow passwords, and SELinux policy binary from being 
written except by trusted processes.

1.2.2 I don't understand the point of this section

1.2.3 I'd say this is not appropriate for this document.

1.2.4 This has problems; authentication is related to access control, 
but not part of it.  Also, "discretionary" in the sense of access 
control means that users can change the policy.  Contrast that with 
mandatory access control, where the security admin sets the policy.

1.3.1 SELinux has been included in the kernel for years, we can drop the 
"kernel patch" part.

2.2.1 This should be users, roles, and types.  "Domain" used in SELinux 
refers to a type that labels a process.  The amount of access to 
unlabeled processes is defined by the policy, not by the SELinux 
mechanisms.  I also think that the newrole example is out of scope for 
this section.

2.2.2 "Contexts for permission rules" doesn't make sense.  "Rules" or 
"Access control policy" or something similar makes more sense.  You also 
jump into rules with no discussion of object classes.  The part where 
you say that if access is denied by DAC, then SELinux isn't checked 
should be earlier in the intro.

2.3.1 same thing about domain vs. type.  A type is not a state, it is a 
security attribute.

2.3.2 I think discussion of the specific rules required for a successful 
domain transition are not relevant for this part of the doc.

2.4.1 You say what can be technically done by using a role, but you 
don't discuss what the concept of a role is.

2.4.2 Technically, the only default role is object_r.  The remainder are 
just common ones that you see if you use refpolicy.

2.4.3 The key reason for having a SELinux user id that is separate from 
the Linux user id is that the seuser doesn't change during a login 
session, but the Linux uid can be changed, eg by setuid or su.

2.5.1 The purpose of MLS is to provide a hierarchical confidentiality 
policy.  "This allows administrators to ensure that
information flow is more closely governed" is incorrect.  MLS can be 
implemented in TE, but it causes an explosion of types, so its easier to 
have an additional mechanism.

2.6.1 The discussion on why an access is allowed or denied always starts 
with TE.  In this case, user_t can't alter the clock, nor can it reach 
the hwclock_t domain since there is no domain transition.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux

Re: [gentoo-hardened] SELinux documentation draft

[Sven Vermeulen]

On Mon, Jan 10, 2011 at 08:44:06AM -0500, Chris PeBenito wrote:
> On 1/6/2011 5:32 PM, Sven Vermeulen wrote:
> > I've been working on bringing the SELinux handbook as currently available on
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
> > up2date. It's somewhat of a rewrite, but with all elements of the original
> > SELinux handbook still inside it (apart from the troubleshooting as I guess
> > those are quite outdated, being from 2006 and older).
> 
> The troubleshooting is not outdated, though there could be a few additions.

Yup, Chris Richards already mentioned that. It should be available in the
current draft already.

> I looked through section 1 and 2 of the pdf version, and here are my 
> notes so far:

Thanks for the feedback, really appreciated. I've incorporated most (if not
all) of your comments. 

> 1.2.2 I don't understand the point of this section
[... Section on OS Security ...]
> 1.2.3 I'd say this is not appropriate for this document.
[... Section on security best practices ...]

I wanted to give some pointers to the readers how they should position
SELinux within security. Using SELinux isn't effective if other aspects of a
secure system aren't looked at. 

The reason I put that in the first part was because it shouldn't be
described further (users that are interested should then start looking for
other resources), but (imho) gives users the impression where they
should position SELinux within their own security strategy.

I've commented out the two sections for now.

Again, thanks for the feedback!

Wkr,
	Sven Vermeulen