Documentation TODO

From SELinux Wiki

(Difference between revisions)
Revision as of 17:59, 30 June 2008
DaveQuigley

Revision as of 20:20, 27 November 2009
JoshuaBrindle

Line 1: Line 1:
 +This is the TODO list for documentation. The format should generally be short, consumable recipes for doing particular things, eg., letting apache talk to a database.
 +
 +When longer explanations are required (eg., locking down a machine) they should be broken in to small, reusable pages with each targeting a narrow part of the problem. Then a main page can be written that links all the documents together into something cohesive.
 +
 +
 +For those who have not used MediaWiki before you may need to read [http://www.mediawiki.org/wiki/Help:Formatting]
 +
 +
 +Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated.
 +
 +
 +* Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively)
 +* Pull userspace object manager docs from online papers and make a concise howto
 +* Advanced recipes
 +** Lock down users
 +** Using roles
 +** Making new roles not based on others
 +** Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc
 +* What is UBAC?
* How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled) * How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)
-* Update and organize the Fedora SELinux FAQ. 
* Explain how and when to use semanage fcontext, port, login and user. * Explain how and when to use semanage fcontext, port, login and user.
* Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information. * Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.
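Review bot: The MediaWiki help link added in the introduction is a bare bracketed URL with no label, so it renders as a numbered reference and the sentence reads "you may need to read [1]"; give it link text, for example [http://www.mediawiki.org/wiki/Help:Formatting the MediaWiki formatting help]. In the same added paragraphs, "eg.," should be "e.g.," and "broken in to" should be "broken into". The sub-list item on web applications uses "CGI's" as a plural four times; "CGIs" is the correct form.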
Line 6: Line 24:
* Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains. * Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.
* A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost). * A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).
-* Update FC5 FAQ 
* Translate danwalsh.livejounal.com in to a beginner user guide * Translate danwalsh.livejounal.com in to a beginner user guide
* Document all major policy domains, apache, samba, bind, ftp ... Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them * Document all major policy domains, apache, samba, bind, ftp ... Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them
* Document the use of the mount command for overriding file context. * Document the use of the mount command for overriding file context.
* Describe Leaked File Descriptors * Describe Leaked File Descriptors
-* Describe Audit2allow and how it can just Fix the machine 
* Document Network Labeling * Document Network Labeling
* Document Confined Users * Document Confined Users
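Review bot: The FAQ items are removed in this edit ("Update FC5 FAQ" here, "Update and organize the Fedora SELinux FAQ" in the first hunk) with no replacement entry, so the list no longer says whether the FAQ is retired or maintained elsewhere; a one-line pointer would keep contributors from guessing. While this part of the list is being touched, the unchanged item "Translate danwalsh.livejounal.com in to a beginner user guide" misspells the domain (livejounal for livejournal) and should read "into".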

Revision as of 20:20, 27 November 2009

This is the TODO list for documentation. The format should generally be short, consumable recipes for doing particular things, e.g., letting apache talk to a database.

When longer explanations are required (e.g., locking down a machine), they should be broken into small, reusable pages, each targeting a narrow part of the problem. Then a main page can be written that links all the documents together into something cohesive.


For those who have not used MediaWiki before, you may need to read http://www.mediawiki.org/wiki/Help:Formatting


Below are some specific pieces of documentation we'd like written. Copy editing and general cleanup are also appreciated.


  • Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively)
  • Pull userspace object manager docs from online papers and make a concise howto
  • Advanced recipes
    • Lock down users
    • Using roles
    • Making new roles not based on others
    • Locking down webapps by using CGIs (or FastCGI), separating CGIs from each other, user CGIs from system CGIs, etc.
  • What is UBAC?
  • How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)
  • Explain how and when to use semanage fcontext, port, login and user.
  • Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.
  • Write a HOWTO for writing simple policy modules.
  • Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.
  • A brief, high-level, user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense-in-depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).
  • Translate danwalsh.livejournal.com into a beginner user guide
  • Document all major policy domains (apache, samba, bind, ftp, ...). Basically man httpd_selinux: what are the types/booleans available for a particular domain, and how do I assign them?
  • Document the use of the mount command for overriding file context.
  • Describe Leaked File Descriptors
  • Document Network Labeling
  • Document Confined Users
  • Document how to write setroubleshoot plugins
  • Explain least privilege and how you can consider it and SELinux during application development.
  • Document some common tasks performed with apol that might be useful to users.