As we discussed at Linux Plumbers Conference during the 'Making SELinux Easier to Use' talk, we have some document deficiencies in the SELinux project.
I volunteered to start an SELinux Documentation Project. The primary purpose of the project would be to get as much documentation as possible on the selinuxproject.org wiki, organized in a fashion that users can understand and consume easily.
As I admitted before, we, the developers, are not always the best people to judge what documentation users need, and therefore I am requesting that users, hopefully from different backgrounds and environments, tell us what documentation they feel is lacking, and what questions they've been asked or have asked themselves and couldn't find documentation for.
I think we need basic documentation that tells about SELinux (both beginner and advanced), howto's for specific things (using secmark, using netlabel, etc.) and a set of short 'recipes' to accomplish simple tasks.
There are documents all over the place with various information, as well as blog entries and mailing list archives, but the effort here is to consolidate all those resources onto selinuxproject.org.
I'd also like to see volunteers in the community to help out with the documentation effort. I know quite a few people already write things like this on blogs, etc., and it would be great to see that information moved/copied onto selinuxproject.org.
Users:
Please, if you are a user and have run into a lack of documentation, respond to this thread, or privately if you aren't comfortable talking on list, so that we can collect what the biggest deficiencies are and get to writing documentation as soon as possible.
Thanks.
On Mon, Sep 28, 2009 at 03:48:29PM -0400, Joshua Brindle wrote:
> Users:
> Please, if you are a user and have run into a lack of documentation, respond to this thread, or privately if you aren't comfortable talking on list, so that we can collect what the biggest deficiencies are and get to writing documentation as soon as possible.
Also, a lot of frequently asked questions are answered really well on the mailing lists. Maybe we can pick the best from there and create a FAQ with a selection of those.
My blog posts, e-mails, etcetera can be used/modified/redistributed by anyone as far as I am concerned. There are no restrictions at all.
I have plenty of things to talk about but I have at least two problems: 1. my writing skills. 2. need specific topics, so that I can write "to the point" articles and not pages full of dull material where halfway I lost focus on the actual topic.
If there are people reading this that have experience with writing documentation etcetera and that want to help create documentation (and in the process learn a bit about SELinux), please let us know.
Thanks.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, Sep 28, 2009 at 9:48 PM, Joshua Brindle <method@manicmethod.com> wrote:
> There are documents all over the place with various information, as well as blog entries and mailing list archives, but the effort here is to consolidate all those resources onto selinuxproject.org.
Great. This is probably one of the best things to do for SELinux.
Starting a SELinux documentation project is a fantastic idea, and is truly much needed!
I am two months new to SELinux, and have literally put together an 8 inch binder of documentation from what I would estimate to be 50-70 different sources.
Areas of deficiencies that I think could use more documentation include:
1) Current description of all objects and classes supported by SELinux
2) Simple 'getting started' policy module examples to help explain things such as creating new types/domains and working with domain transitions, explanation of how testing through a SSH shell can give you different results than from testing at the console, and networking examples: restricting access to sockets, denying access to specific network interfaces, details explaining why one would use macros in policy, simple MLS getting started examples.
3) Explanation of how SELinux can be different between various Linux distros (such as how enabling the SELinux strict policy causes RHEL 5.3 not to boot, how MLS does not support X in Fedora and other distros, why Fedora is the latest development version, and how there seem to be a lot of older tools for SELinux that have been superseded by utilities such as semanage).
4) Tutorials showing how to use SLIDE
5) Explanation of when users and roles are used and not used (for example, how their use can be different between files and processes).
6) Examples of how to test the robustness of SELinux configurations. (for example, try to access files and processes as root to see permission denied errors)
On Wed, Sep 30, 2009 at 08:13:42PM -0600, Jason Shaw wrote:
> Starting a SELinux documentation project is a fantastic idea, and is truly much needed!
> I am two months new to SELinux, and have literally put together an 8 inch binder of documentation from what I would estimate to be 50-70 different sources.
> Areas of deficiencies that I think could use more documentation include:
> - Current description of all objects and classes supported by SELinux
http://oss.tresys.com/projects/refpolicy/wiki/ObjectClassesPerms
This is, for me, the reference I use, and Google/mailing lists.
> - Simple 'getting started' policy module examples to help explain things
> such as creating new types/domains and working with domain transitions, explanation of how testing through a SSH shell can give you different results than from testing at the console, and networking examples: restricting access to sockets, denying access to specific network interfaces, details explaining why one would use macros in policy, simple MLS getting started examples.
http://www.youtube.com/results?search_query=SELinux+confine+a+GUI+app&se...
Is a series of screencasts I created whilst creating a policy for Google Gadgets. It is far from perfect but it might help people get started.
I also have other screencasts:
http://www.youtube.com/results?search_query=domg4721&search_type=&aq...
and a blog with some stuff. Especially my series on locking down selinux has some nice examples in my view. http://selinux-mac.blogspot.com/
> - Explanation of how SELinux can be different between various Linux distros
> (such as how enabling the SELinux strict policy causes RHEL 5.3 not to boot, how MLS does not support X in Fedora and other distros, why Fedora is the latest development version, and how there seem to be a lot of older tools for SELinux that have been superseded by utilities such as semanage).
Good idea.
> - Tutorials showing how to use SLIDE
http://www.youtube.com/watch?v=x2soA3CD2pY
A very small intro on SLIDE. But agreed, we should do more. Good idea. Although it is best to know how it works without SLIDE's help first.
> - Explanation of when users and roles are used and not used (for example,
> how their use can be different between files and processes).
Good idea. Noted.
> - Examples of how to test the robustness of SELinux configurations. (for
> example, try to access files and processes as root to see permission denied errors)
Good idea. I think one or some of my videos touched on confining root and its impact.
Great ideas, thanks for your feedback. I will use this to create some new documentation in the near future.
Joshua Brindle wrote:
> As we discussed at Linux Plumbers Conference during the 'Making SELinux Easier to Use' talk, we have some document deficiencies in the SELinux project.
<snip>
We have gotten some good contributions to the documentation project over the last couple months but there is always more to do. I've updated the Documentation TODO at:
http://selinuxproject.org/page/Documentation_TODO
with some docs we'd like written and some guidance on what the format should be. Use cases would be particularly appreciated.
If you haven't gone to the documentation wiki lately take a look at
http://selinuxproject.org/page/Main_Page
and see what's been added.
Thanks for the help of the contributors and hopefully this effort will go a long way toward gaining users and keeping SELinux enabled.
On 11/27/2009 09:31 PM, Joshua Brindle wrote:
> We have gotten some good contributions to the documentation project over the last couple months but there is always more to do. I've updated the Documentation TODO at:
> http://selinuxproject.org/page/Documentation_TODO
> with some docs we'd like written and some guidance on what the format should be. Use cases would be particularly appreciated.
Attached is a concept I wrote today about Locking down webapps with CGI. This was a topic in the todo list.
Would be nice if someone could proof-read this and when modified/accepted publish it.
Dominick Grift wrote:
> Attached is a concept I wrote today about Locking down webapps with CGI. This was a topic in the todo list.
> Would be nice if someone could proof-read this and when modified/accepted publish it.
It's a wiki :) Just put it up there and others can make modifications. There are actually a couple people who are decent at copy editing that have done some work on the wiki so if we get technical content up there they can do what they do to clean it up.
Quoting Joshua Brindle (method@manicmethod.com):
> It's a wiki :) Just put it up there and others can make
How are we to create an account to edit a page? The 'Log in/Create Account' page doesn't seem to let me create an account?
I'd like to add the recipe
    useradd xa
    semanage user -a -R user_r xa
    semanage login -a -s xa xa
to lock user xa into its own selinux context to the recipes page. If someone else is willing to post it, all the better.
> modifications. There are actually a couple people who are decent at copy editing that have done some work on the wiki so if we get technical content up there they can do what they do to clean it up.
thanks, -serge
On Mon, Dec 14, 2009 at 11:49:15AM -0600, Serge E. Hallyn wrote:
> Quoting Joshua Brindle (method@manicmethod.com):
> > It's a wiki :) Just put it up there and others can make
> How are we to create an account to edit a page? The 'Log in/Create Account' page doesn't seem to let me create an account?
> I'd like to add the recipe
>     useradd xa
>     semanage user -a -R user_r xa
>     semanage login -a -s xa xa
You would probably also need:
    cd /etc/selinux/targeted/contexts/users; cp user_u xa;
To make that work.
Easier would probably be:
    useradd -Z user_u xa
or
    useradd xa
    semanage login -m -s user_u -r s0-s0 xa
You should send an e-mail to James Morris. He maintains the site and will add a login if you ask him.
> to lock user xa into its own selinux context to the recipes page. If someone else is willing to post it, all the better.
> > modifications. There are actually a couple people who are decent at copy editing that have done some work on the wiki so if we get technical content up there they can do what they do to clean it up.
> thanks, -serge
Quoting Dominick Grift (domg472@gmail.com):
> On Mon, Dec 14, 2009 at 11:49:15AM -0600, Serge E. Hallyn wrote:
> > Quoting Joshua Brindle (method@manicmethod.com):
> > > It's a wiki :) Just put it up there and others can make
> > How are we to create an account to edit a page? The 'Log in/Create Account' page doesn't seem to let me create an account?
> > I'd like to add the recipe
> >     useradd xa
> >     semanage user -a -R user_r xa
> >     semanage login -a -s xa xa
> You would probably also need:
>     cd /etc/selinux/targeted/contexts/users; cp user_u xa;
> To make that work.
Hmm - I didn't think in f10 or f11 I needed to, but good to know, thanks!
> Easier would probably be:
>     useradd -Z user_u xa
Excellent, didn't know about it and I like it :)
> or
>     useradd xa
>     semanage login -m -s user_u -r s0-s0 xa
I don't have a fedora system handy at the moment - is the help documentation in semanage now context-sensitive (so 'semanage login help' and 'semanage user help' give different, briefer, more meaningful help)?
> You should send an e-mail to James Morris. He maintains the site and will add a login if you ask him.
> > to lock user xa into its own selinux context to the recipes page. If someone else is willing to post it, all the better.
> > > modifications. There are actually a couple people who are decent at copy editing that have done some work on the wiki so if we get technical content up there they can do what they do to clean it up.
> > thanks, -serge
thanks, -serge
On Mon, Dec 14, 2009 at 12:32:01PM -0600, Serge E. Hallyn wrote:
> Quoting Dominick Grift (domg472@gmail.com):
> > On Mon, Dec 14, 2009 at 11:49:15AM -0600, Serge E. Hallyn wrote:
> > > Quoting Joshua Brindle (method@manicmethod.com):
> > > > It's a wiki :) Just put it up there and others can make
> > > How are we to create an account to edit a page? The 'Log in/Create Account' page doesn't seem to let me create an account?
> > > I'd like to add the recipe
> > >     useradd xa
> > >     semanage user -a -R user_r xa
> > >     semanage login -a -s xa xa
> > You would probably also need:
> >     cd /etc/selinux/targeted/contexts/users; cp user_u xa;
> > To make that work.
> Hmm - I didn't think in f10 or f11 I needed to, but good to know, thanks!
> > Easier would probably be:
> >     useradd -Z user_u xa
> Excellent, didn't know about it and I like it :)
> > or
> >     useradd xa
> >     semanage login -m -s user_u -r s0-s0 xa
> I don't have a fedora system handy at the moment - is the help documentation in semanage now context-sensitive (so 'semanage login help' and 'semanage user help' give different, briefer, more meaningful help)?
Less meaningful, I would say:
    [root@localhost etc]# semanage login help
    /usr/sbin/semanage: Invalid command: semanage login help
    [root@localhost etc]# semanage user help
    /usr/sbin/semanage: Invalid command: semanage user help
> > You should send an e-mail to James Morris. He maintains the site and will add a login if you ask him.
> > > to lock user xa into its own selinux context to the recipes page. If someone else is willing to post it, all the better.
> > > > modifications. There are actually a couple people who are decent at copy editing that have done some work on the wiki so if we get technical content up there they can do what they do to clean it up.
> > > thanks, -serge
> thanks, -serge
selinux@lists.fedoraproject.org
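A check to run after any of the recipes discussed in this thread, added here as an example and not written by any of the thread's participants: it resolves which SELinux user a login maps to from the output of `semanage login -l`, so a login that silently fell back to the default mapping is caught. The function names, the assumed column layout and the sample table are constructed for illustration, and treating only unconfined_u as "not confined" is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check which SELinux user a Linux
# login resolves to, using the table printed by `semanage login -l`.

# Constructed sample of `semanage login -l` output; column layout assumed.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
xa                   user_u               s0                   *'

# seuser_for LOGIN TABLE
# Print the SELinux user LOGIN maps to. A login without its own row falls
# back to the __default__ row, which is how a skipped or failed
# `semanage login` step goes unnoticed. %group rows are not handled.
seuser_for() {
    printf '%s\n' "$2" | awk -v login="$1" '
        $1 == login         { exact = $2 }
        $1 == "__default__" { dflt = $2 }
        END {
            if (exact != "")     { print exact }
            else if (dflt != "") { print dflt }
            else                 { exit 1 }
        }'
}

# is_confined LOGIN TABLE
# Succeed only when LOGIN resolves to something other than unconfined_u
# (assumption: unconfined_u is the only mapping treated as unconfined).
# Returns 2 when the table has neither a matching row nor a default.
is_confined() {
    seuser=$(seuser_for "$1" "$2") || return 2
    [ "$seuser" != "unconfined_u" ]
}

# report LOGIN TABLE: one human-readable line per login.
report() {
    if is_confined "$1" "$2"; then
        echo "$1: $(seuser_for "$1" "$2") (confined)"
    else
        echo "$1: $(seuser_for "$1" "$2" || echo '?') (NOT confined)"
    fi
}

# On a live system, pass the real table: report xa "$(semanage login -l)"
for l in xa root alice; do
    report "$l" "$SAMPLE_LOGINS"
done
```

In the sample, alice has no row of her own and resolves to the `__default__` mapping, which is the case the check is meant to surface.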