beginner to SE Linux policy

beginner to SE Linux policy

[Mark]

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

I have seen programs that will help me to edit and analyze SE Linux
policies.  What I am interested in is a resource that will help me
understand what a policy does and how to write them.  At least for me,
learning at the code level and not using GUI tools helps me to understand
things better.

So what resources are out there for me to start looking at?

Thanks in advance.
Mark

[-- Attachment #2: Type: text/html, Size: 430 bytes --]

RE: beginner to SE Linux policy

[Brian M. Williams]

Mark,

	As for understanding how policy works and how to write it, there is a book: SELinux by Example which goes into detailed explanation [http://www.amazon.com/SELinux-Example-Security-Enhanced-Development/dp/0131963694].  There are also slides at [http://tresys.com/selinux/selinux-course-outline.html] which come from a course which Tresys offers on SELinux policy of which the book was based.  There are also some documents on the NSA site which may or may not be up to date [http://www.nsa.gov/selinux/info/docs.cfm].

Brian

________________________________________
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Mark
Sent: Friday, July 27, 2007 3:04 PM
To: selinux@tycho.nsa.gov
Subject: beginner to SE Linux policy

I have seen programs that will help me to edit and analyze SE Linux policies.  What I am interested in is a resource that will help me understand what a policy does and how to write them.  At least for me, learning at the code level and not using GUI tools helps me to understand things better.  

So what resources are out there for me to start looking at?

Thanks in advance.
Mark


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: beginner to SE Linux policy

[Mark]

[-- Attachment #1: Type: text/plain, Size: 1922 bytes --]

Thanks for the help.  I just want to become more familiar with SE Linux and
understand the context of the te, fe, if..etc files and how I can modify
them so that my programs are more secure.  There just seems to be alot of
information that may or may not be related in order to help me.  For
instance, there is the seedit tools, SLIDE and RedHat tools available.
Also, which is a better distribution to learn SE Linux, CentOS or Fedora
Core?

I am an application developer who really just needs to learn how to write
policies for the programs I am developing.  Things like policies, domains
and domain transition are important areas I really want to learn.

Thanks for the help.

PS.  I ordered the SE Linux by Example yesterday!
-- 
..Cheers
Mark

On 7/28/07, shahbaz khan <shazalive@gmail.com> wrote:
>
> Mark
>
> Selinux by example is the best answer to ur stated problem. NSA documents
> will give u a good background because things have been changing alot. Do not
> miss tresys' reference policy and policy managemnt server. U can get more
> info about it from tresys' website. Once u start to get aquainted with
> selinux this mailing list will be more useful to u. Also join fedora selinux
> mailing list.
>
> I am not sure which policy analysis tool will be more useful to u. Why
> dont u right a more specific question to this list w.r.t. policy analysis
> tools. U might get good answers from selinux by example.
>
> Shaz.
>
>
>
>
> On 7/28/07, Mark <elihusmails@gmail.com> wrote:
> >
> > I have seen programs that will help me to edit and analyze SE Linux
> > policies.  What I am interested in is a resource that will help me
> > understand what a policy does and how to write them.  At least for me,
> > learning at the code level and not using GUI tools helps me to understand
> > things better.
> >
> > So what resources are out there for me to start looking at?
> >
> > Thanks in advance.
> > Mark
> >
>
>

[-- Attachment #2: Type: text/html, Size: 2771 bytes --]

Re: beginner to SE Linux policy

[Stephen Smalley]

On Tue, 2007-08-07 at 13:56 -0400, Mark wrote:
> Thanks for the help.  I just want to become more familiar with SE
> Linux and understand the context of the te, fe, if..etc files and how
> I can modify them so that my programs are more secure.  There just
> seems to be alot of information that may or may not be related in
> order to help me.  For instance, there is the seedit tools, SLIDE and
> RedHat tools available.  Also, which is a better distribution to learn
> SE Linux, CentOS or Fedora Core? 

Fedora Core tracks the latest SELinux developments more closely.

The reference policy documentation should help you, online at
http://oss.tresys.com/projects/refpolicy/wiki/Documentation and if you
have selinux-policy installed, locally available docs
under /usr/share/doc/selinux-policy-x.y.z/.

SLIDE is an eclipse plugin that leverages reference policy and provides
the typical IDE-style auto-completion, interface lookup, wizards for
constructing domains, etc.  Useful if you are ok working in an IDE.

SEEdit is more about hiding the underlying abstractions and presenting a
very simple UI.  Requires switching to its own policy entirely, away
from the stock policy.

> I am an application developer who really just needs to learn how to
> write policies for the programs I am developing.  Things like
> policies, domains and domain transition are important areas I really
> want to learn. 

There are a number of resources, e.g. see
http://selinux.sourceforge.net/resources.php3 , but many of them predate
the reference policy.  Reference policy documentation and SLIDE are your
best bets right now, along with the book.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: beginner to SE Linux policy

[Mark]

[-- Attachment #1: Type: text/plain, Size: 1949 bytes --]

Thank you for the information.  I will continue working with the reference
policy and reading the information you provided.


-- 
..Cheers
Mark

On 8/7/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Tue, 2007-08-07 at 13:56 -0400, Mark wrote:
> > Thanks for the help.  I just want to become more familiar with SE
> > Linux and understand the context of the te, fe, if..etc files and how
> > I can modify them so that my programs are more secure.  There just
> > seems to be alot of information that may or may not be related in
> > order to help me.  For instance, there is the seedit tools, SLIDE and
> > RedHat tools available.  Also, which is a better distribution to learn
> > SE Linux, CentOS or Fedora Core?
>
> Fedora Core tracks the latest SELinux developments more closely.
>
> The reference policy documentation should help you, online at
> http://oss.tresys.com/projects/refpolicy/wiki/Documentation and if you
> have selinux-policy installed, locally available docs
> under /usr/share/doc/selinux-policy-x.y.z/.
>
> SLIDE is an eclipse plugin that leverages reference policy and provides
> the typical IDE-style auto-completion, interface lookup, wizards for
> constructing domains, etc.  Useful if you are ok working in an IDE.
>
> SEEdit is more about hiding the underlying abstractions and presenting a
> very simple UI.  Requires switching to its own policy entirely, away
> from the stock policy.
>
> > I am an application developer who really just needs to learn how to
> > write policies for the programs I am developing.  Things like
> > policies, domains and domain transition are important areas I really
> > want to learn.
>
> There are a number of resources, e.g. see
> http://selinux.sourceforge.net/resources.php3 , but many of them predate
> the reference policy.  Reference policy documentation and SLIDE are your
> best bets right now, along with the book.
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: Type: text/html, Size: 2553 bytes --]

Re: beginner to SE Linux policy

[Daniel J Walsh]

Mark wrote:
> Thanks for the help.  I just want to become more familiar with SE 
> Linux and understand the context of the te, fe, if..etc files and how 
> I can modify them so that my programs are more secure.  There just 
> seems to be alot of information that may or may not be related in 
> order to help me.  For instance, there is the seedit tools, SLIDE and 
> RedHat tools available.  Also, which is a better distribution to learn 
> SE Linux, CentOS or Fedora Core?
>
> I am an application developer who really just needs to learn how to 
> write policies for the programs I am developing.  Things like 
> policies, domains and domain transition are important areas I really 
> want to learn.
>
> Thanks for the help.
>
> PS.  I ordered the SE Linux by Example yesterday!
> -- 
> ..Cheers
> Mark
You might want to try system-config-selinux/polgengui to build you a 
policy template. 
>
> On 7/28/07, *shahbaz khan* <shazalive@gmail.com 
> <mailto:shazalive@gmail.com>> wrote:
>
>     Mark
>      
>     Selinux by example is the best answer to ur stated problem. NSA
>     documents will give u a good background because things have been
>     changing alot. Do not miss tresys' reference policy and policy
>     managemnt server. U can get more info about it from tresys'
>     website. Once u start to get aquainted with selinux this mailing
>     list will be more useful to u. Also join fedora selinux mailing list.
>      
>     I am not sure which policy analysis tool will be more useful to u.
>     Why dont u right a more specific question to this list w.r.t.
>     policy analysis tools. U might get good answers from selinux by
>     example.
>      
>     Shaz.
>
>      
>
>
>     On 7/28/07, *Mark* <elihusmails@gmail.com
>     <mailto:elihusmails@gmail.com>> wrote:
>
>         I have seen programs that will help me to edit and analyze SE
>         Linux policies.  What I am interested in is a resource that
>         will help me understand what a policy does and how to write
>         them.  At least for me, learning at the code level and not
>         using GUI tools helps me to understand things better. 
>
>         So what resources are out there for me to start looking at?
>
>         Thanks in advance.
>         Mark
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.