From: Sven Vermeulen
Date: Mon, 10 Jan 2011 22:23:14 +0100
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux documentation draft
Message-ID: <20110110212313.GA8848@siphos.be>
In-Reply-To: <4D2B0D26.3000601@gentoo.org>
References: <20110106223208.GA29456@siphos.be> <4D2B0D26.3000601@gentoo.org>

On Mon, Jan 10, 2011 at 08:44:06AM -0500, Chris PeBenito wrote:
> On 1/6/2011 5:32 PM, Sven Vermeulen wrote:
> > I've been working on bringing the SELinux handbook as currently available on
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
> > up to date. It's somewhat of a rewrite, but with all elements of the original
> > SELinux handbook still inside it (apart from the troubleshooting, as I guess
> > those are quite outdated, being from 2006 and older).
>
> The troubleshooting is not outdated, though there could be a few additions.

Yup, Chris Richards already mentioned that. It should be available in the
current draft already.

> I looked through section 1 and 2 of the pdf version, and here are my
> notes so far:

Thanks for the feedback, really appreciated. I've incorporated most (if not
all) of your comments.

> 1.2.2 I don't understand the point of this section
[... Section on OS Security ...]
> 1.2.3 I'd say this is not appropriate for this document.
[... Section on security best practices ...]

I wanted to give some pointers to the readers on how they should position
SELinux within security. Using SELinux isn't effective if other aspects of a
secure system aren't looked at.

The reason I put that in the first part was because it shouldn't be described
further (users that are interested should then start looking for other
resources), but (imho) it gives users an impression of where they should
position SELinux within their own security strategy.

I've commented out the two sections for now.

Again, thanks for the feedback!

Wkr,
	Sven Vermeulen