hardened/selinux/selinux-handbook.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE book SYSTEM "/dtd/book.dtd">

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.15 2012/04/10 20:19:19 swift Exp $ -->

<book>
<title>Gentoo SELinux Handbook</title>

<author title="Author">
  <mail link="pebenito@gentoo.org">Chris PeBenito</mail>
</author>
<author title="Author">
  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
</author>
<author title="Author">
  Chris Richards
</author>

<abstract>
This is the Gentoo SELinux Handbook.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>

<version>4</version>
<date>2011-09-18</date>

<part>
<title>Introduction to Gentoo/Hardened SELinux</title>
<abstract>
In this part we cover what SELinux is and how it is positioned within the
Gentoo/Hardened project.
</abstract>

<chapter>
<title>Enhancing Linux Security</title>
<abstract>
Security is more than enabling a certain framework or installing a different
Linux kernel. It is a way of working / administrating your Gentoo Linux system.
We cover a few (generic) best practices, and then elaborate on what Mandatory 
Access Control is and how SELinux fills in this gap.
</abstract>
  <include href="hb-intro-enhancingsecurity.xml"/>
</chapter>

<chapter>
<title>SELinux Concepts</title>
<abstract>
To be able to properly work with SELinux, it is vital that you understand a few
of its concepts like domains, domain transitions and file contexts. Without 
a basic understanding of these aspects, it will be difficult to understand
how SELinux policies work and how to troubleshoot if things go wrong.
</abstract>
  <include href="hb-intro-concepts.xml"/>
</chapter>

<chapter>
<title>SELinux Resources</title>
<abstract>
To get more acquainted with SELinux, many resources exist on the Internet.
In this chapter we give a quick overview of the various resources as well
as places where you can get more help when you are fighting with SELinux.
</abstract>
  <include href="hb-intro-resources.xml"/>
</chapter>

<!-- 
<chapter>
<title>The SELinux (Reference) Policy</title>
<abstract>
To streamline SELinux policy development, a reference policy is being developed
that is used by all SELinux-supporting distributions. In this chapter we give 
some intel on what this reference policy is and why it is brought to life, but
also how this policy functions and how its development is progressing. We also
cover the basics on SELinux policies in general.
</abstract>
  <include href="hb-intro-referencepolicy.xml"/>
</chapter>

<chapter>
<title>SELinux Virtual Machine Support</title>
<abstract>
SELinux support is being actively integrated in libvirt and other
virtualization frameworks to elevate the security of virtualized
environments. Within this chapter we give you a first introduction
on how this is done for libvirt managed environments and what you need to take
into account if you wish to use SELinux within your virtualized environment.
</abstract>
  <include href="hb-intro-virtualization.xml"/>
</chapter>
-->
</part>

<part>
<title>Using Gentoo/Hardened SELinux</title>
<abstract>
With the theoretic stuff behind us, let us start by installing Gentoo/Hardened
with a SELinux kernel as well as the SELinux tools.
</abstract>

<chapter>
<title>Gentoo SELinux Installation / Conversion</title>
<abstract>
To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with
the correct Hardened profile (or convert to the Hardened profile) and then
update your system to become a SELinux-managed system. This chapter will guide
you through this process.
</abstract>
  <include href="hb-using-install.xml"/>
</chapter>

<chapter>
<title>Configuring SELinux For Your Needs</title>
<abstract>
With SELinux now "installed" and enabled (although in permissive mode), we now
configure it to suit your particular needs. After all, SELinux is a Mandatory
Access Control system where you, as security administrator, define what is
allowed and what not.
</abstract>
  <include href="hb-using-configuring.xml"/>
</chapter>

<chapter>
<title>SELinux Commands</title>
<abstract>
Let's take a step back and get to know a few more commands. We covered most of
them in the previous section, but we will now dive a bit deeper in its
syntax, features and potential pitfalls.
</abstract>
  <include href="hb-using-commands.xml"/>
</chapter>

<chapter>
<title>Permissive, Unconfined, Disabled or What Not...</title>
<abstract>
Your system can be in many SELinux states. In this chapter, we help you switch
between the various states / policies.
</abstract>
  <include href="hb-using-states.xml"/>
</chapter>

<chapter>
<title>Modifying the Gentoo Hardened SELinux Policy</title>
<abstract>
Gentoo Hardened offers a default policy, but this might not allow what you want
(or allows too much). In this chapter we tell you how you can tweak Gentoo's
policy, or even run your own.
</abstract>
  <include href="hb-using-policies.xml"/>
</chapter>

<chapter>
<title>Troubleshooting SELinux</title>
<abstract>
Everything made by a human can and will fail. In this chapter we will try to
keep track of all potential issues you might come across and how to resolve
them. 
</abstract>
  <include href="hb-using-troubleshoot.xml"/>
</chapter>

<chapter>
<title>Change History</title>
<abstract>
As documentation evolves with the technology, this handbook too sees its fair
share of changes. To allow users, who are already on SELinux, to verify if there
are any changes they need to be aware off, this chapter lists the changes in
chronological order.
</abstract>
  <include href="hb-using-changes.xml"/>
</chapter>
</part>

<!--
<part>
<title>Advanced SELinux</title>
<abstract>
SELinux can be much more integrated in the system. In this part, we describe how
to enhance SELinux configurations, tuning and securing your system even more.
</abstract>

<chapter>
<title>Working with MLS</title>
<abstract>
...
</abstract>
  <include href="hb-advanced-mls.xml"/>
</chapter>

<chapter>
<title>Using s(ecure) Virt(ualization)</title>
<abstract>
...
</abstract>
  <include href="hb-advanced-svirt.xml"/>
</chapter>

<chapter>
<title>Using Netlabel</title>
<abstract>
...
</abstract>
  <include href="hb-advanced-netlabel.xml"/>
</chapter>
</part>
-->

</book>
1	pebenito	1.1	<?xml version='1.0' encoding='UTF-8'?>
2			<!DOCTYPE book SYSTEM "/dtd/book.dtd">
3
4	swift	1.16	<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.15 2012/04/10 20:19:19 swift Exp $ -->
5	pebenito	1.1
6	nimiux	1.13	<book>
7	pebenito	1.1	<title>Gentoo SELinux Handbook</title>
8
9			<author title="Author">
10			<mail link="pebenito@gentoo.org">Chris PeBenito</mail>
11			</author>
12	zorry	1.10	<author title="Author">
13			<mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
14			</author>
15	pebenito	1.9	<author title="Author">
16			Chris Richards
17			</author>
18
19	pebenito	1.1	<abstract>
20	pebenito	1.5	This is the Gentoo SELinux Handbook.
21	pebenito	1.1	</abstract>
22
23			<!-- The content of this document is licensed under the CC-BY-SA license -->
24			<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
25			<license/>
26
27	swift	1.12	<version>4</version>
28			<date>2011-09-18</date>
29	pebenito	1.1
30			<part>
31	zorry	1.10	<title>Introduction to Gentoo/Hardened SELinux</title>
32	pebenito	1.1	<abstract>
33	zorry	1.10	In this part we cover what SELinux is and how it is positioned within the
34			Gentoo/Hardened project.
35	pebenito	1.1	</abstract>
36
37			<chapter>
38	zorry	1.10	<title>Enhancing Linux Security</title>
39	pebenito	1.1	<abstract>
40	zorry	1.10	Security is more than enabling a certain framework or installing a different
41			Linux kernel. It is a way of working / administrating your Gentoo Linux system.
42			We cover a few (generic) best practices, and then elaborate on what Mandatory
43			Access Control is and how SELinux fills in this gap.
44	pebenito	1.1	</abstract>
45	zorry	1.10	<include href="hb-intro-enhancingsecurity.xml"/>
46	pebenito	1.1	</chapter>
47
48			<chapter>
49	zorry	1.10	<title>SELinux Concepts</title>
50	pebenito	1.1	<abstract>
51	zorry	1.10	To be able to properly work with SELinux, it is vital that you understand a few
52			of its concepts like domains, domain transitions and file contexts. Without
53			a basic understanding of these aspects, it will be difficult to understand
54			how SELinux policies work and how to troubleshoot if things go wrong.
55	pebenito	1.1	</abstract>
56	zorry	1.10	<include href="hb-intro-concepts.xml"/>
57	pebenito	1.1	</chapter>
58	zorry	1.10
59	pebenito	1.1	<chapter>
60	swift	1.12	<title>SELinux Resources</title>
61			<abstract>
62			To get more acquainted with SELinux, many resources exist on the Internet.
63			In this chapter we give a quick overview of the various resources as well
64			as places where you can get more help when you are fighting with SELinux.
65			</abstract>
66			<include href="hb-intro-resources.xml"/>
67			</chapter>
68
69			<!--
70			<chapter>
71	zorry	1.10	<title>The SELinux (Reference) Policy</title>
72	pebenito	1.1	<abstract>
73	zorry	1.10	To streamline SELinux policy development, a reference policy is being developed
74			that is used by all SELinux-supporting distributions. In this chapter we give
75			some intel on what this reference policy is and why it is brought to life, but
76			also how this policy functions and how its development is progressing. We also
77			cover the basics on SELinux policies in general.
78	pebenito	1.1	</abstract>
79	zorry	1.10	<include href="hb-intro-referencepolicy.xml"/>
80	pebenito	1.1	</chapter>
81	zorry	1.10
82	pebenito	1.1	<chapter>
83	zorry	1.10	<title>SELinux Virtual Machine Support</title>
84	pebenito	1.1	<abstract>
85	zorry	1.10	SELinux support is being actively integrated in libvirt and other
86			virtualization frameworks to elevate the security of virtualized
87			environments. Within this chapter we give you a first introduction
88			on how this is done for libvirt managed environments and what you need to take
89			into account if you wish to use SELinux within your virtualized environment.
90	pebenito	1.1	</abstract>
91	zorry	1.10	<include href="hb-intro-virtualization.xml"/>
92	pebenito	1.1	</chapter>
93	zorry	1.10	-->
94	pebenito	1.1	</part>
95
96			<part>
97	zorry	1.10	<title>Using Gentoo/Hardened SELinux</title>
98	pebenito	1.1	<abstract>
99	zorry	1.10	With the theoretic stuff behind us, let us start by installing Gentoo/Hardened
100			with a SELinux kernel as well as the SELinux tools.
101	pebenito	1.1	</abstract>
102	zorry	1.10
103	pebenito	1.1	<chapter>
104	zorry	1.10	<title>Gentoo SELinux Installation / Conversion</title>
105	pebenito	1.1	<abstract>
106	zorry	1.10	To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with
107			the correct Hardened profile (or convert to the Hardened profile) and then
108			update your system to become a SELinux-managed system. This chapter will guide
109			you through this process.
110	pebenito	1.1	</abstract>
111	zorry	1.10	<include href="hb-using-install.xml"/>
112	pebenito	1.1	</chapter>
113	zorry	1.10
114	pebenito	1.1	<chapter>
115	swift	1.12	<title>Configuring SELinux For Your Needs</title>
116			<abstract>
117			With SELinux now "installed" and enabled (although in permissive mode), we now
118			configure it to suit your particular needs. After all, SELinux is a Mandatory
119			Access Control system where you, as security administrator, define what is
120			allowed and what not.
121			</abstract>
122			<include href="hb-using-configuring.xml"/>
123			</chapter>
124
125			<chapter>
126	zorry	1.10	<title>SELinux Commands</title>
127	pebenito	1.1	<abstract>
128	swift	1.12	Let's take a step back and get to know a few more commands. We covered most of
129			them in the previous section, but we will now dive a bit deeper in its
130			syntax, features and potential pitfalls.
131	pebenito	1.1	</abstract>
132	zorry	1.10	<include href="hb-using-commands.xml"/>
133	pebenito	1.1	</chapter>
134	zorry	1.10
135	pebenito	1.1	<chapter>
136	swift	1.12	<title>Permissive, Unconfined, Disabled or What Not...</title>
137	pebenito	1.1	<abstract>
138	swift	1.12	Your system can be in many SELinux states. In this chapter, we help you switch
139			between the various states / policies.
140	pebenito	1.1	</abstract>
141	swift	1.12	<include href="hb-using-states.xml"/>
142	pebenito	1.1	</chapter>
143	zorry	1.10
144	pebenito	1.4	<chapter>
145	swift	1.12	<title>Modifying the Gentoo Hardened SELinux Policy</title>
146	pebenito	1.8	<abstract>
147	swift	1.12	Gentoo Hardened offers a default policy, but this might not allow what you want
148			(or allows too much). In this chapter we tell you how you can tweak Gentoo's
149			policy, or even run your own.
150	pebenito	1.8	</abstract>
151	swift	1.12	<include href="hb-using-policies.xml"/>
152	pebenito	1.8	</chapter>
153	zorry	1.10
154	pebenito	1.8	<chapter>
155	swift	1.12	<title>Troubleshooting SELinux</title>
156	pebenito	1.8	<abstract>
157	swift	1.12	Everything made by a human can and will fail. In this chapter we will try to
158			keep track of all potential issues you might come across and how to resolve
159			them.
160	pebenito	1.8	</abstract>
161	swift	1.12	<include href="hb-using-troubleshoot.xml"/>
162	pebenito	1.4	</chapter>
163	swift	1.16
164			<chapter>
165			<title>Change History</title>
166			<abstract>
167			As documentation evolves with the technology, this handbook too sees its fair
168			share of changes. To allow users, who are already on SELinux, to verify if there
169			are any changes they need to be aware off, this chapter lists the changes in
170			chronological order.
171			</abstract>
172			<include href="hb-using-changes.xml"/>
173			</chapter>
174	pebenito	1.1	</part>
175
176	swift	1.12	<!--
177	pebenito	1.1	<part>
178	swift	1.12	<title>Advanced SELinux</title>
179	pebenito	1.1	<abstract>
180	swift	1.12	SELinux can be much more integrated in the system. In this part, we describe how
181			to enhance SELinux configurations, tuning and securing your system even more.
182	pebenito	1.1	</abstract>
183	zorry	1.10
184	pebenito	1.1	<chapter>
185	swift	1.12	<title>Working with MLS</title>
186			<abstract>
187			...
188			</abstract>
189			<include href="hb-advanced-mls.xml"/>
190			</chapter>
191
192			<chapter>
193			<title>Using s(ecure) Virt(ualization)</title>
194	pebenito	1.1	<abstract>
195	swift	1.12	...
196	pebenito	1.1	</abstract>
197	swift	1.12	<include href="hb-advanced-svirt.xml"/>
198	pebenito	1.1	</chapter>
199	zorry	1.10
200	pebenito	1.1	<chapter>
201	swift	1.12	<title>Using Netlabel</title>
202	pebenito	1.1	<abstract>
203	swift	1.12	...
204	pebenito	1.1	</abstract>
205	swift	1.12	<include href="hb-advanced-netlabel.xml"/>
206	pebenito	1.1	</chapter>
207			</part>
208	swift	1.12	-->
209	pebenito	1.1
210			</book>