Difference between revisions of "Documentation TODO"
From SELinux Wiki
Line 9: | Line 9: | ||
Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated. | Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated. | ||
− | + | * Use Cases (examples): | |
+ | ** Building a Kiosk | ||
+ | ** Locking down access to a backend database server using network access controls | ||
+ | ** Using labeled networking to unify access control across multiple machines | ||
+ | ** Using SVirt or sandbox to run untrusted apps in separate domains | ||
+ | ** Any embedded/appliance work | ||
+ | ** Building assured pipelines | ||
+ | ** Anything with X access controls | ||
* Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively) | * Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively) | ||
* Pull userspace object manager docs from online papers and make a concise howto | * Pull userspace object manager docs from online papers and make a concise howto | ||
Line 17: | Line 24: | ||
** Making new roles not based on others | ** Making new roles not based on others | ||
** Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc | ** Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc | ||
+ | * Pull the guts out of the Fedora SELinux Docs and bringing them here (be sure to read licensing info) | ||
* What is UBAC? | * What is UBAC? | ||
* How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled) | * How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled) |
Latest revision as of 20:29, 27 November 2009
This is the TODO list for documentation. The format should generally be short, consumable recipes for doing particular things, eg., letting apache talk to a database.
When longer explanations are required (eg., locking down a machine) they should be broken in to small, reusable pages with each targeting a narrow part of the problem. Then a main page can be written that links all the documents together into something cohesive.
For those who have not used MediaWiki before you may need to read [1]
Below are some specific pieces of documentation we'd like written. Copy Editing/general cleanup is also appreciated.
- Use Cases (examples):
- Building a Kiosk
- Locking down access to a backend database server using network access controls
- Using labeled networking to unify access control across multiple machines
- Using SVirt or sandbox to run untrusted apps in separate domains
- Any embedded/appliance work
- Building assured pipelines
- Anything with X access controls
- Vendor documentation (Why a vendor might choose SELinux for a solution, what it provides and finally how to use it effectively)
- Pull userspace object manager docs from online papers and make a concise howto
- Advanced recipes
- Lock down users
- Using roles
- Making new roles not based on others
- Locking down webapps by using CGI's (or FastCGI), separating CGI's from each other, user CGI's from system CGI's, etc
- Pull the guts out of the Fedora SELinux Docs and bringing them here (be sure to read licensing info)
- What is UBAC?
- How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)
- Explain how and when to use semanage fcontext, port, login and user.
- Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.
- Write a HOWTO for writing simple policy modules.
- Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.
- A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).
- Translate danwalsh.livejounal.com in to a beginner user guide
- Document all major policy domains, apache, samba, bind, ftp ... Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them
- Document the use of the mount command for overriding file context.
- Describe Leaked File Descriptors
- Document Network Labeling
- Document Confined Users
- Document HOWTO write setroubleshoot plugins
- Explain least privilege and how you can consider it and SELinux during application development.
- Document some common tasks performed with apol that might be useful to users.