Issue OwlCyberDefense#86 - Include RHEL_7-Alpha3 policy doc in README.md

mpalmi · May 28, 2015 · f48bf6d · f48bf6d
1 parent 5645a3e
commit f48bf6d
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@
   * [Getting Started](#gs)
   * [Build System](#bs)
   * [Creating a Live CD] (#livecd)
+  * [SELinux Policy] (#selinux)
   * [Use Cases] (#use)
   * [Frequently Asked Questions] (#faq)
   * [Known Issues] (#issues)
@@ -217,6 +218,35 @@ overlay size (in MB) and an overlay size (in MB) as well:
 ```
 make iso-to-disk USB_DEV=/dev/sdb ISO_FILE=clip-rhel7-*-live.iso OVERLAY_SIZE=256 OVERLAY_HOME=128
 ```
+## SELinux Policy <a id="selinux"></a>
+
+CLIP SELinux policy for Red Hat Enterprise Linux 7 (RHEL7) takes a step toward
+strengthening RHEL7 targeted systemd policy. The policy is currently in an
+Alpha state and only supports booting/logins in Enforcing. Some caveats about
+the current policy state:
+- Remaining denials do not prevent booting/logins in Enforcing, but may cause
+  error messages on boot.
+- systemd_unit_file policy is not complete; therefore, starting and stopping
+  services may not be fully supported.
+- Login user policy is not stripped down to match least-privilege model and
+  lacks support for a super-user role. Any commands which would require a super
+  user will not be available in the Alpha (e.g. shutdown, reboot, mount).
+- Modules have not been stripped down to the smallest subset of CLIP-related
+  modules.
+
+The main design goals for this release are as follows:
+- First and foremost, get CLIP RHEL7 booting in Enforcing.
+- Support logins in Enforcing.
+- Put long-running processes in explicitly labeled domains.
+- Allow short-running processes/scripts to fall through to the initrc domain.
+  Any subsequent forks/execs (from initrc_t) should result in proper domain
+  transitions.
+
+The status of policy issues/developments can be tracked here:
+https://github.com/TresysTechnology/clip/labels/selinux
+
+The intent is to resolve all of the remaining issues outlined above by the next
+CLIP release (https://github.com/TresysTechnology/clip/milestones/RHEL_7-Beta).
 
 ## Use Cases (WIP) <a id="use"></a>