Changeset 2205
Timestamp: 06/04/08 15:05:23 (6 months ago)
Files:
- trunk/helpfiles/TableOfContents.xml (modified) (1 diff)
- trunk/helpfiles/advanced/custom.html (modified) (2 diffs)
- trunk/helpfiles/advanced/dictionary.html (modified) (1 diff)
- trunk/helpfiles/advanced/filestructure.html (modified) (1 diff)
- trunk/helpfiles/advanced/fnet.html (modified) (2 diffs)
- trunk/helpfiles/advanced/fsys.html (modified) (3 diffs)
- trunk/helpfiles/advanced/linkage.html (modified) (1 diff)
- trunk/helpfiles/advanced/main.html (modified) (2 diffs)
- trunk/helpfiles/advanced/mls.html (modified) (1 diff)
- trunk/helpfiles/advanced/rdef.html (added)
- trunk/helpfiles/overview/editor.html (modified) (2 diffs)
- trunk/helpfiles/settings/mls.html (modified) (1 diff)
trunk/helpfiles/TableOfContents.xml
r2202 r2205 54 54 <topic label="Advanced Concepts" href="advanced/advanced.html"> 55 55 <topic label="CDS Framework Language" href="advanced/main.html"> 56 <topic label="Rdef" href="advanced/rdef.html" /> 56 57 <topic label="Dictionary" href="advanced/dictionary.html" /> 58 <topic label="Text Language" href="advanced/policyfilesyntax.html" /> 59 <topic label="System Resources" href="advanced/fsys.html" /> 60 <topic label="Reference Policy Linkage" href="advanced/linkage.html" /> 61 <topic label="Network Configuration" href="advanced/fnet.html" /> 57 62 <topic label="MLS" href="advanced/mls.html" /> 58 <topic label="Reference Policy Linkage" href="advanced/linkage.html" />59 <topic label="System Resources" href="advanced/fsys.html" />60 <topic label="Text Language" href="advanced/policyfilesyntax.html" />61 <topic label="Network Configuration" href="advanced/fnet.html" />62 63 </topic> 63 64 trunk/helpfiles/advanced/custom.html
r2072 r2205 20 20 In this case CDS Framework provides a way to customize the SELinux policy for any given CDS Framework policy object. 21 21 This means of customizing policy is only meant to be used as a very last resort. 22 The preferred way of customizing the resulting SELinux policy is to create new dictionary entries, create new base domains, base resources and abilities.22 The preferred way of customizing the resulting SELinux policy is to create new <a href='../advanced/dictionary.html'>dictionary</a> entries, create new <a href='../setup/basedomain.html'>base domains</a>, <a href='../setup/baseresource.html'>base resources</a> and <a href='../setup/abilities.html'>abilities</a>. 23 23 If those ways of customizing just won't do it, then this is the last way. 24 24 When right clicking on a domain, resource, entrypoint, access or enter there is a menu item <i>Add Custom Policy</i>. … … 43 43 For domains and entrypoints the name of the of the template is 'cds_custom_' followed by the name of the system followed by the name of the domain or entrypoint. 44 44 For resources (and domains with resource definitions assigned) there will be multiple templates created, one for each resource definition. 45 This is because each resource type gets a different SELinux type during translation s.45 This is because each resource type gets a different SELinux type during translation. 46 46 In this case the name of the templates is 'cds_custom_' followed by the name of the system, followed by the name of the resource, followed by the name of the resource type. 47 47 For an access the name of the template is 'cds_custom_access_' followed by the name of the system, followed by the name of the domain, followed by the name of the resources, followed by the name of the resource type. trunk/helpfiles/advanced/dictionary.html
r2072 r2205 29 29 <ul> 30 30 <li> 31 Keyword 'rdef'31 Keyword <a href='../advanced/rdef.html'>'rdef'</a> 32 32 </li> 33 33 trunk/helpfiles/advanced/filestructure.html
r2202 r2205 34 34 <li> 35 35 Configuration Directory (<i>conf</i>) - This directory contains <a href='../advanced/linkage.html'>custom linkage (<i>.flnk</i>)</a>, 36 , custom <a href='../advanced/dictionary.html'>dictionary (<i>.fdic</i>)</a> files, <a href='../advances/fnet.html'>network configuration (<i>cds.fnet</i>)</a> file 37 and <a href='../advanced/mls.html'>MLS configuration (<i>framework_mls.xml</i>)</a> file. 38 These types of files are displayed in the <a href='../setup/custom.html'>custom additions folder</a> in the <a href='../views/navigator.html'>framework navigator</a>. 39 <!-- 40 To create these type of custom files, right click on the <i>conf</i> directory and choose the option to create a new <i>CDS Framework File</i>. 41 Any dictionary files added to this directory will expand upon the existing dictionary of resource definitions that was specified during project creation, not replace the existing dictionary. 42 --> 43 In addition the file <a href='../advanced/mls.html'>framework_mls.xml</a> defines the MLS levels and is modified through the <a href='../settings/mls.html'>project properties</a>. 36 and custom <a href='../advanced/dictionary.html'>dictionary (<i>.fdic</i>)</a> files which are displayed in the <a href='../setup/custom.html'>custom additions folder</a> in the <a href='../views/navigator.html'>framework navigator</a>. 37 In addition the <a href='../advanced/fnet.html'>network configuration (<i>cds.fnet</i>)</a> file and <a href='../advanced/mls.html'>MLS configuration (<i>framework_mls.xml</i>)</a> files are in this directory. 44 38 </li> 45 39 trunk/helpfiles/advanced/fnet.html
r2202 r2205 6 6 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 7 7 <link rel="stylesheet" type="text/css" href="../help.css" /> 8 <title> MLS FileSyntax</title>8 <title>Network Configuration Syntax</title> 9 9 <!-- 10 10 $Date$ … … 17 17 18 18 <p> 19 The Network Configuration (.fnet) file is how the CDS Framework Toolkit tracks information for network communication between all the systems defined in the project. 20 In the network configuration file there are three pieces of information that are defined, these include the systems in the project, the network resources along with their rdef and the connections between the systems. 21 </p> 19 22 23 <p> 24 The basic structure of defining the network configuration is as follows: 25 <ul> 26 <li> 27 The keyword <i>system</i> followed by the name of the system. 28 </li> 29 <li> 30 The keyword <i>networkresource</i> followed by the name of the resource. Within the curly brackets defines information about the network resource. 31 </li> 32 <li> 33 The keyword <i>connection</i> followed by source, target and network resource - only for ipsec type network resources. 34 </li> 35 </ul> 36 </p> 37 38 <p> 39 Below is a sample of a network configuration for multiple systems 40 </p> 41 42 <pre> 43 1. system guard; 44 2. system translator; 45 3. networkresource in { secmark }; 46 4. networkresource guardcom { ipsec ( 3des-cbc "thisistheencryptionkey" ) ( hmac-md5 "authentication" ) }; 47 5. connection guard.filterout { 192.168.15.6 } translator.filterin { 192.168.6.4 } guardcom { 5485 }; 48 </pre> 49 50 51 <p> 52 Lines 1 and 2 define the systems in the project, in this case they are named <i>guard</i> and <i>translator</i>. 53 Lines 3 and 4 define network resources. 54 The network resource on line 3 is named <i>in</i> is defined with the rdef <i>secmark</i> as shown in curly brackets. 55 There is no additional information required for secmark type network resources. 
56 On line 4 the network resource named <i>guardcom</i> is defined with rdef <i>ipsec</i>. in this case the additional information required is the encryption and authentication types and their associated keys. 57 Finally line 5 defines connections between systems. This is only for ipsec type network resoruces, secmark network resources get all the information from the <a href='../advanced/fsys.html'>System Resources (.fsys) file</a>. 58 This line begins with <i>connection</i> then has source information which includes system name <i>guard</i> in this case followed by a dot then the source domain <i>filterout</i>. 59 Then in curly brackets is ip number (or DNS) and optionally the port number. 60 Next is the target information in the same format system name, domain name, and ip/port information. 61 Finally is the name of the network resource used for communication and in curly brackets a unique esp number. 62 </p> 63 64 <p class='copyright'> 65 ©2005 - 2008 Tresys Technology, LLC 66 <br /> 67 Patent Pending 20 68 </p> 21 69 trunk/helpfiles/advanced/fsys.html
r2072 r2205 38 38 resource definition selected, a mapping to the physical location on the system may be required. As an example, when 39 39 creating an entry point, the entry point needs to be associated with an executable file. The physical location is therefore 40 needed for the particular executable file to be used. Another instance where a specific location is needed is 41 upon creation of a domain that represents a running process. A domain representing a running process is a domain 42 that has not been decomposed, meaning that the domain has no children associated with it. The physical location for 43 the running process needs to be given. The association between the files and the policy object examples 44 mentioned above are handled within this System Resource File (<i>.fsys</i> file). 40 needed for the particular executable file to be used. 41 </p> 42 43 <p> 44 In addition to specifying paths the system resources file is also used to specify local networking information. 45 When using a secmark type network resource information about how to match incoming packets is specified. 46 When using ipsec type networking information about the local network is specified. 47 </p> 48 49 <p> 50 The association between the files and the policy object examples mentioned above are handled within this System Resource File (<i>.fsys</i> file). 45 51 </p> 46 52 … … 48 54 49 55 <p> 50 Each line in the System Resource File contains the path(s) for a single resource definition's location. All 51 resource definitions defined within the CDS Framework's graphical policy that have a path or paths associated with 52 it are defined here. The example below illustrates how these locations are defined within the System Resource 53 File. 56 Each line in the System Resource File contains the appropriate information for a single resource definition's location. 
57 All resource definitions defined within the CDS Framework's graphical policy that have a path(s) or networking information associated with it are defined here. 58 The example below illustrates how these locations are defined within the System Resource File. 54 59 </p> 55 60 56 < p>57 Example:58 </ p>61 <h3> 62 Path Example: 63 </h3> 59 64 60 65 <p> … … 73 78 </p> 74 79 80 81 <h3> 82 Network Example: 83 </h3> 84 85 <p> 86 <b><i>in { secmark { { eth0 } { 192.168.1.5/255.255.255.0 } { 1937 } { eth2 } { 192.168.5.2/255.255.255.0 } { 1937 } { tcp } } }</i></b> 87 </p> 88 89 <p> 90 The above example is a network resource <i>in</i> which uses the secmark rdef the data following is in the format described. 91 First is local information network device, ip number and network mask finally the port(s). 92 Next is remote network information in the same order network device, ip number and network mask followed by port(s). 93 Lastly is the protocol - either tcp, udp or all. 94 Most everything is optional. The minimal information that must be specified is the local ip number or local network device. 95 When data is not specified the empty curly brackets still must be in place. 96 </p> 97 98 <p> 99 <b><i>guardcom { ipsec { { 192.168.1.2 } { 7623 } } }</i></b> 100 </p> 101 102 <p> 103 The above example is a network resource <i>guardcom</i> which uses the ipsec rdef. 104 The data required is only the local ip number (dns) and the port for incoming data. The port is optional. 105 </p> 106 107 75 108 <p class='copyright'> 76 109 ©2005 - 2008 Tresys Technology, LLC trunk/helpfiles/advanced/linkage.html
r2072 r2205 77 77 78 78 <pre> 79 1. baseresource eth2 {80 3. read {81 3. default { udp_read }82 4. udp_read {83 5. corenet_udp_receive_eth2_if($)84 6. }85 7. }86 8. write {87 9. default { udp_write }79 1. baseresource eth2 { 80 2. read { 81 3. default { udp_read } 82 4. udp_read { 83 5. corenet_udp_receive_eth2_if($) 84 6. } 85 7. } 86 8. write { 87 9. default { udp_write } 88 88 10. udp_write { 89 89 11. corenet_udp_send_eth2_if($) trunk/helpfiles/advanced/main.html
r2202 r2205 24 24 <ul> 25 25 <li> 26 <b>Dictionary (.fdic) File</b> - This file is used to translate CDS security architecture into SELinux policy. 27 See <a href='../advanced/dictionary.html'>Dictionary</a>. 28 </li> 29 30 <li> 26 31 <b>Framework Policy (.fpol) File</b> - This file contains a textual representation of the graphical CDS system. 27 32 This representation will be translated into SELinux security policy. … … 39 44 See <a href='../advanced/linkage.html'>Reference Policy Linkage</a>. 40 45 </li> 41 42 <li> 43 <b>Dictionary (.fdic) File</b> - This file is used to translate CDS security architecture into SELinux policy. 44 See <a href='../advanced/dictionary.html'>Dictionary</a>. 45 </li> 46 46 47 47 <li> 48 48 <b>Network Configuration (.fnet) file</b> - This file is used to describe the network connections between the systems in the project. trunk/helpfiles/advanced/mls.html
r2072 r2205 39 39 </p> 40 40 41 <p> 42 This file is edited through the <a href='../settings/mls.html'>MLS Properties</a> page. 43 </p> 44 41 45 <p class='copyright'> 42 46 ©2005 - 2008 Tresys Technology, LLC trunk/helpfiles/overview/editor.html
r2072 r2205 33 33 </p> 34 34 35 <p> 35 36 Note that: 36 37 <ul> 37 38 <li> 38 Base Domain, Base Resource and User Domain items only can be created as top level items.39 Base Domain, Base Resource, Network Resource, and User Domain items only can be created as top level items. 39 40 </li> 40 41 <li> … … 52 53 </li> 53 54 </ul> 55 </p> 54 56 55 57 <h2>Granting access</h2> trunk/helpfiles/settings/mls.html
r2072 r2205 37 37 </p> 38 38 39 <p> 40 This property page is displayed by right clicking on the project and selecting <i>Properties</i>. 41 </p> 42 39 43 <p class='copyright'> 40 44 ©2005 - 2008 Tresys Technology, LLC
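Review bot: in the custom.html hunk, unchanged line 43 still reads "the name of the of the template", so the duplicated "of the" survives while the neighbouring "translation s" typo on line 45 is fixed; drop the extra "of the" in the same change. The three new links on line 22 point at ../setup/basedomain.html, ../setup/baseresource.html and ../setup/abilities.html, none of which are touched by this changeset, so confirm those targets exist before merging.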
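Review bot: new line 37 of filestructure.html has a number mismatch, "the network configuration (cds.fnet) file and MLS configuration (framework_mls.xml) files are in this directory"; use either "files are" with both nouns plural or "file and the ... file are also in this directory". Note that the rewrite also corrects the old href ../advances/fnet.html to ../advanced/fnet.html, which was a dead link, so this hunk should go in even if the wording is polished later.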
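Review bot: the sample on line 46 of fnet.html shows the IPsec encryption and authentication keys in clear text inside the .fnet file, and the surrounding text never says so; since filestructure.html places this file in the project's conf directory, the page should state that the network configuration file carries key material and must be protected accordingly rather than handled as ordinary project text. The example algorithms, 3des-cbc and hmac-md5, are also the weakest choices a reader is likely to copy; if the toolkit accepts stronger ones, the sample should use them, and if it does not, that limitation belongs in the text. Smaller points in the same hunk: "resoruces" on line 57; line 54 is missing "and" ("is named in and is defined with"); line 56 has a stray full stop before "in this case"; and the <ul> on lines 25 to 35 sits inside a <p>, which is not valid HTML (browsers close the paragraph when the list starts), so end the <p> before the list.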
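Review bot: line 90 of fsys.html runs two sentences together, "a network resource in which uses the secmark rdef the data following is in the format described"; split after "rdef" and say which format is meant (the order given on lines 91 to 93). Line 104 contradicts itself, "The data required is only the local ip number (dns) and the port for incoming data. The port is optional."; make it "only the local ip number (or DNS name) is required; the port is optional". Line 91, "network device, ip number and network mask finally the port(s)", also needs punctuation before "finally".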
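Review bot: the editor.html hunk wraps the existing <ul> in a new <p> ... </p> (lines 35 and 55); a <ul> cannot be a child of <p> in HTML, and the browser will implicitly close the paragraph when it reaches the list, leaving a stray </p> after it. Put "Note that:" in its own <p> and leave the list outside it.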
