
The SELinux coloring book [pdf] - mromnia
https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
======
Dangeranger
This trend of using illustration to explain complex topics is really
wonderful. I know that people may criticize it as childish, but I find it
helpful and enlightening.

The illustrations that I've found most amazing and well done are created by
people like:

Lin Clark ([https://code-cartoons.com/](https://code-cartoons.com/))

Julia Evans ([http://jvns.ca/zines/](http://jvns.ca/zines/))

Linda Liukas ([http://www.helloruby.com/](http://www.helloruby.com/))

Amy Wibowo ([https://shop.bubblesort.io/](https://shop.bubblesort.io/))

You may notice a trend with the gender of the authors above. I personally
believe that women have a better sense for simplifying complex ideas, and
greater empathy and patience for teaching those ideas once they've been made
simple.

~~~
eugeneionesco
>I personally believe that women have a better sense for simplifying complex
ideas

SELinux is not a "complex idea", SELinux is a tool with subpar documentation.

A coloring book does nothing to fix that.

~~~
Dangeranger
My comment was in reference to topics covered beyond SELinux.

------
fideloper
The thing that made SELinux click for me was this talk - it's really a great
talk for SELinux:
[https://www.youtube.com/watch?v=MxjenQ31b70](https://www.youtube.com/watch?v=MxjenQ31b70)

(I also have a video explaining some specific/common things:
[https://serversforhackers.com/video/battling-selinux-cast](https://serversforhackers.com/video/battling-selinux-cast))

------
krylon
SELinux always makes me feel like I'm a complete idiot (the worst thing about
that is that I could be an idiot and not know it or refuse to acknowledge it).

So, maybe this introduction will make it a little more accessible.

~~~
Moogs
If you're having issues with selinux run:

    sealert -a /var/log/audit/audit.log

Most of the time, that will give you a detailed description of what's going
wrong and tell you the command to fix it. Completely changed my opinion on
selinux when I learned it. Also, the SELinux For Mere Mortals[1] talk is a
great introduction.

[1]
[https://www.youtube.com/watch?v=MxjenQ31b70&t=1s](https://www.youtube.com/watch?v=MxjenQ31b70&t=1s)
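
The `sealert -a` advice above as a starting point: the script below is an added example, not from this thread, the coloring book, or any SELinux tool. It parses AVC denial records out of an audit log (the sample lines are constructed, modelled on the `type=AVC ... avc: denied { perm } for ... scontext=... tcontext=... tclass=... permissive=N` format that auditd writes), groups repeats by source type, target type, object class and permission set, marks records logged in permissive mode (logged but not actually blocked), and for each group prints the `sesearch` query, in the `-p` form blockoperation uses further down the thread, that tells you whether any loaded rule already allows that access. The `report()` formatting and the field names in the sample (`comm`, `name`, `dest`) are assumptions for illustration.

```python
"""Summarise SELinux AVC denials from an audit log.

Added example, not part of the thread or any SELinux tool. The sample log
lines below are constructed; real ones come from /var/log/audit/audit.log
or `ausearch -m avc`.
"""
import re
from collections import Counter

# Constructed sample: httpd denied writing a file in a home directory twice,
# httpd denied creating an entry in a home directory, smbd denied reading it,
# and one httpd network denial recorded while the domain was permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493208821.123:4567): avc:  denied  { write } for  pid=1234 comm="httpd" name="config.php" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493208822.456:4568): avc:  denied  { write } for  pid=1234 comm="httpd" name="config.php" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493208823.789:4569): avc:  denied  { add_name write } for  pid=1234 comm="httpd" name="data" dev="dm-0" ino=1234568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493208824.012:4570): avc:  denied  { read } for  pid=2222 comm="smbd" name="share" dev="dm-0" ino=2222222 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493208825.345:4571): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1493208825.345:4571): arch=c000003e syscall=42 success=yes exit=0 ...
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:level] -> type, the part that allow rules are written against."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = sorted(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"
    # Keep the remaining key=value pairs (comm, name, dest, ...) for context.
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return rec


def summarise(log_text):
    """Count denials per (source type, target type, class, perms, permissive)."""
    counts = Counter()
    example_comm = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], tuple(rec["perms"]), rec["permissive"])
        counts[key] += 1
        example_comm.setdefault(key, rec["fields"].get("comm", "?"))
    return counts, example_comm


def sesearch_query(key):
    """The sesearch invocation that checks whether any loaded rule allows this access."""
    stype, ttype, tclass, perms, _ = key
    return "sesearch -A -s %s -t %s -c %s %s" % (
        stype, ttype, tclass, " ".join("-p " + p for p in perms))


def report(log_text):
    """Human-readable summary, most frequent denial first."""
    counts, example_comm = summarise(log_text)
    out = []
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        stype, ttype, tclass, perms, permissive = key
        mode = "PERMISSIVE (logged, not blocked)" if permissive else "enforced"
        out.append("%3dx %-6s %s -> %s:%s { %s } [%s]" % (
            n, example_comm[key], stype, ttype, tclass, " ".join(perms), mode))
        out.append("      check: " + sesearch_query(key))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

Grouping on the type component rather than the whole context is deliberate: the user and role parts vary with who created the file, but policy rules, booleans and `semanage fcontext` entries are all keyed on types, so that is the granularity at which you decide between flipping a boolean and relabeling a directory. Whether the fix is a boolean or a new file context is still a judgement call that the script leaves to you.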

~~~
pricechild
It's nice... but the suggestions are often terrible when they could be fixed
properly with a bool or changing the context of a directory.

I sat the RHCE course/exam recently and the Red Hat trainer dealt with this
in... amusing... ways.

Unfortunately, fixing things properly requires knowledge, if only of where to
find the information. Thinking solely about file contexts, it's not easy, for
example, to search them, e.g. "show me all contexts related to samba" so you
can find the share rw label. (One of the RHEL 7.0 man pages suggests the nfs
rw label which doesn't work, had to make a point of remembering that for the
exam!) Everything's spread across selinux's man pages, service's man pages...
ugh.

~~~
NoGravitas
That "show me all contexts related to samba" is something I'm really missing.
I worked one weekend on getting NextCloud to play nicely with SELinux and
Apache on Fedora 25 without any dirty tricks, and one thing that would really
have come in handy was an accurate list of all the labels related to Apache.
The only comprehensive lists I could find online were out-of-date, and the
only things that were up to date were single examples.

~~~
blockoperation
sesearch is one way of doing it, for example:

    $ sesearch -A -s some_app_t -c file -p read -p write
    allow some_app_t some_type_t:file { read write };
    allow some_app_t some_other_type_t:file { read write };
    allow some_attribute_of_some_app_t yet_another_type_t:file { read write };

Or, say you want to do the opposite – you know the label, and want to find all
domains that can read and write it:

    $ sesearch -A -t some_type_t -c file -p read -p write
    allow some_app_t some_type_t:file { read write };
    allow some_other_app_t some_type_t:file { read write };

You can use regexes for the parameters if you don't know the exact types (just
specify '-r[stcdb]').

~~~
NoGravitas
I had no idea this existed. Thank you.

------
saycheese
At the point you have to make a "cute" coloring book (for adults) to make your
OS seem more friendly, maybe it's time to reflect on the reality that there's
something fundamentally wrong with the reasoning used to justify the logic
required to use it.

~~~
AckSyn
> At the point you have to make a "cute" coloring book (for adults)

... is right about the point where you've lost completely. what is this
nonsense? This infantilization of adults is insane.

~~~
wst_
You may not like the approach, but, please, stop using the "infantilization"
argument. Not all comic books and animated movies are for kids, even though
they look like it might be the case.

Here, it may open the subject for broader audience. It is easier to comprehend
even for a layman. And even if you're not the one, you could dig in - just for
fun.

A picture is worth a thousand words, they say.

~~~
simias
While I do enjoy some comic book and/or tv shows I did find this book a bit
infantilizing. This looks more like Teletubbies than Rick and Morty if you see
what I mean.

"Hey, I've heard you're too much of a dumb-dumb to get SELinux to work? Maybe
if we turn it into an episode of Dora the Explorer you'll get it this time!
Don't forget to renew your RHEL subscription by the way."

------
ourmandave
So the lesson is (just looking at the pictures) if I don't disable SELinux a
puppy will starve?

~~~
gingerbread-man
Yup. [http://puppylinux.org/](http://puppylinux.org/)

------
godmodus
That kernel though. Damn awesome work, made me smile.

~~~
_jal
I thought the kernel looked a bit menacing.

This is one of the weirder artifacts I've come across lately. One of those
things for which I like to imagine how a far-future archaeologist would react
to it.

That is, if we still made documents that will be around for far-future
archaeologists to puzzle over.

------
jamiethompson
As a colouring book, it's not great.

~~~
munificent
The writing is all messed up too. :(

Very first sentence:

> The SELinux primary model or enforcement is called type enforcement.

"or" should be "of" or "for". I'm not sure which, because it doesn't even tell
you what enforcement means.

First page:

> Imagine a system where we define types on objects like cats and dogs.

"On" isn't a preposition you usually use with "type". You can say things
_have_ a type, or _are_ a type, but "define a type on" is an unfamiliar
construction.

> A cat and dog are process types.

I'm confused. Do they have types defined on them, or are they the types?
Earlier, it said they are objects, now they are process types?

> We have a class of objects that they want to interact with which we call
> food. And I want to add types to the food, cat_chow and dog_chow.

Using "they" to refer to a noun from the previous page is a little confusing.
"food" should be quoted. You can start a sentence with "And", but it feels
gratuitous here since the previous sentence is short.

> As a policy writer, I would say that a dog has permission to eat dog_chow
> write this rule in policy, as shown below.

What happened between "dog_chow" and "write" here? The latter half looks like
a random fragment of text. What is a "policy writer"?

> food and a cat has permission to eat cat_chow food. In SELinux we would

We would what?

~~~
SloopJon
The last two sentences that you complain about are on a two-page spread: "As a
policy writer, I would say that a dog has permission to eat dog_chow food and
a cat has permission to eat cat_chow food. In SELinux we would write this rule
in policy, as shown below."

------
rdtsc
Just curious, anyone here not working on government systems ever enabled MLS
mode and used it successfully?

~~~
jlgaddis
Yes, mostly just to learn more about it.

Finally managed to get it working and get all my sensitivities and categories
set up the way I wanted them. Wasn't fun at all.

Before I started I had this idea I was going to use it all the time for all my
data. That didn't last long.

------
pwernersbach
I love this idea. It's not meant to teach people everything, but it shows the
basic SELinux concepts in a fun manner, that is different from the typical dry
written documentation.

The best utility that this has is that it gets people asking questions. I
could put this on my wall at work, and then when my colleagues ask about it, I
could use it to segue into actually teaching them about SELinux. Putting the
SELinux text documentation on my wall would not have the same effect.

------
dchest
From @lattera on Twitter:

here's a couple lost pages found by the grsecurity folks:

[https://grsecurity.net/~spender/pics/lost_selinux_coloring_b...](https://grsecurity.net/~spender/pics/lost_selinux_coloring_book_page1.gif)

[https://grsecurity.net/~spender/pics/lost_selinux_coloring_b...](https://grsecurity.net/~spender/pics/lost_selinux_coloring_book_page2.gif)

:)

------
ryanmarsh
Wow I feel like I understand SELinux. Guess I can stop turning it off now...

------
ghaff
For those who liked this, the authors have another one on containers:
[https://raw.githubusercontent.com/fedoradesign/coloringbook-...](https://raw.githubusercontent.com/fedoradesign/coloringbook-containers/master/Print-Ready/Web.pdf)

------
beevai142
The problem with SELinux is not really in the beginner documentation, but in
the documentation of the policy macro packages, e.g. in Fedora, which are what
you in the end should/need to use for actually writing or modifying policies.

Answers to questions on e.g. finding the difference between
"userdom_user_application_domain" and "application_domain", or learning that
"~/.local/share" has the symbolic name "data_home_t" are very difficult to
find. Everything in SELinux has a symbolic name, so there's also at least one
more layer of indirection as compared to apparmor.

------
sdrothrock
I don't necessarily think that the illustrations are what makes this great.
They're cute, but the simple and explicit examples with uncontrived situations
are what really makes this worthwhile.

It may be that getting into "writing for a coloring book" mode makes people
think simpler and "cuter," which lends itself well to quick illustration of
complex ideas.

I'd like to see more of this kind of explanation in guides and manuals in
general, with the "normal" manuals being for reference when people need to
drill down into something specific.

------
ghaff
I think the version in this link may be an old one. In the version on Github
([https://github.com/mairin/selinux-coloring-book/blob/4ac589b...](https://github.com/mairin/selinux-coloring-book/blob/4ac589bb80af52159b39abb1f9520267551df5df/Print-Ready/Web.pdf)), I
see at least one typo that's fixed and I believe there are other differences
as well.

------
justin_oaks
I just wish I had some example commands to color in.

------
naibafo
Cute.

------
9gunpi
Explaining weird solutions with cute explanations is cute.

