Documentation TODO

From SELinux Wiki

(Difference between revisions)
Jump to: navigation, search
Revision as of 12:02, 17 June 2008 (edit)
JamesMorris (Talk | contribs)
(New page: * How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled))
← Previous diff
Current revision (20:29, 27 November 2009) (edit) (undo)
JoshuaBrindle (Talk | contribs)

 
(7 intermediate revisions not shown.)
Line 1: Line 1:
 +This is the TODO list for documentation. The format should generally be short, consumable recipes for doing particular things, eg., letting apache talk to a database.
 +
 +When longer explanations are required (eg., locking down a machine) they should be broken in to small, reusable pages with each targeting a narrow part of the problem. Then a main page can be written that links all the documents together into something cohesive.
 +
 +
 +For those who have not used MediaWiki before you may need to read [http://www.mediawiki.org/wiki/Help:Formatting]
 +
 +
 +Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated.
 +
 +* Use Cases (examples):
 +** Building a Kiosk
 +** Locking down access to a backend database server using network access controls
 +** Using labeled networking to unify access control across multiple machines
 +** Using SVirt or sandbox to run untrusted apps in separate domains
 +** Any embedded/appliance work
 +** Building assured pipelines
 +** Anything with X access controls
 +* Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively)
 +* Pull userspace object manager docs from online papers and make a concise howto
 +* Advanced recipes
 +** Lock down users
 +** Using roles
 +** Making new roles not based on others
 +** Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc
 +* Pull the guts out of the Fedora SELinux Docs and bringing them here (be sure to read licensing info)
 +* What is UBAC?
* How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled) * How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)
 +* Explain how and when to use semanage fcontext, port, login and user.
 +* Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.
 +* Write a HOWTO for writing simple policy modules.
 +* Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.
 +* A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).
 +* Translate danwalsh.livejounal.com in to a beginner user guide
 +* Document all major policy domains, apache, samba, bind, ftp ... Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them
 +* Document the use of the mount command for overriding file context.
 +* Describe Leaked File Descriptors
 +* Document Network Labeling
 +* Document Confined Users
 +* Document HOWTO write setroubleshoot plugins
 +* Explain least privilege and how you can consider it and SELinux during application development.
 +* Document some common tasks performed with apol that might be useful to users.

Current revision

This is the TODO list for documentation. The format should generally be short, consumable recipes for doing particular things, eg., letting apache talk to a database.

When longer explanations are required (eg., locking down a machine) they should be broken in to small, reusable pages with each targeting a narrow part of the problem. Then a main page can be written that links all the documents together into something cohesive.


For those who have not used MediaWiki before you may need to read [1]


Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated.

  • Use Cases (examples):
    • Building a Kiosk
    • Locking down access to a backend database server using network access controls
    • Using labeled networking to unify access control across multiple machines
    • Using SVirt or sandbox to run untrusted apps in separate domains
    • Any embedded/appliance work
    • Building assured pipelines
    • Anything with X access controls
  • Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively)
  • Pull userspace object manager docs from online papers and make a concise howto
  • Advanced recipes
    • Lock down users
    • Using roles
    • Making new roles not based on others
    • Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc
  • Pull the guts out of the Fedora SELinux Docs and bringing them here (be sure to read licensing info)
  • What is UBAC?
  • How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)
  • Explain how and when to use semanage fcontext, port, login and user.
  • Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.
  • Write a HOWTO for writing simple policy modules.
  • Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.
  • A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).
  • Translate danwalsh.livejounal.com in to a beginner user guide
  • Document all major policy domains, apache, samba, bind, ftp ... Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them
  • Document the use of the mount command for overriding file context.
  • Describe Leaked File Descriptors
  • Document Network Labeling
  • Document Confined Users
  • Document HOWTO write setroubleshoot plugins
  • Explain least privilege and how you can consider it and SELinux during application development.
  • Document some common tasks performed with apol that might be useful to users.
Personal tools