[release-notes] Convert Security beat

John J. McDonough jjmcd at fedoraproject.org
Sat Mar 26 00:44:19 UTC 2011 

commit 484575585742806b78103259b083a3403770101e
Author: John J. McDonough <jjmcd at fedoraproject.org>
Date:   Fri Mar 25 20:44:13 2011 -0400

    Convert Security beat

 en-US/Security.xml |  162 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 161 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Security.xml b/en-US/Security.xml
index 59708e9..da33952 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -7,6 +7,166 @@
 <section id="sect-RelNotes-Security">
   <title>Security</title>
 
-    <para>&nbsp;</para>
+    <para>
+      This section describes the security changes and enhancements
+      available in Fedora 15.
+    </para>
+
+    <section>
+      <title>Dynamic Firewall</title>
+      <para>
+	Fedora 15 adds support for the optional firewall daemon
+	(<package>FirewallD</package>), providing a dynamic firewall
+	management with a D-Bus interface.
+      </para>
+      <para>
+	The previous firewall model with
+	<package>system-config-firewall</package>, was static and
+	required a full firewall restart for all changes, even simple
+	ones. This resulted in termination of filtered
+	connections. <package>Firewalld</package> can modify the
+	firewall dynamically and no firewall recreation is needed. At
+	this stage, it supports iptables, ip6tables and ebtables. In
+	Fedora 15 a simple tray applet shows the firewall state, and
+	firewall services can be enabled and disabled.
+      </para>
+      <para>
+	For more details, visit the Fedora wiki pages, <ulink
+	url="https://fedoraproject.org/wiki/Features/DynamicFirewall">https://fedoraproject.org/wiki/Features/DynamicFirewall</ulink>
+	and <ulink
+	url="https://fedoraproject.org/wiki/Features/FirewallD/">https://fedoraproject.org/wiki/Features/FirewallD/
+        </ulink>.
+      </para>
+    </section>
+
+  <section>
+    <title>DNSSEC on workstations </title>
+    <para>
+      In Fedora 15 comes in a new security feature that protects the
+      end users and their workstations exposition against various DNS
+      spoofing and DNS cache-poisoning attacks.
+    </para>
+    <para>
+      DNSSEC is an environment full tested in Fedora, as all major DNS
+      servers in Fedora run with DNSSEC validation enabled by default
+      since Fedora 11, giving to the Fedora Project a lot of
+      experience from server environment. DNSSEC is aimed to secure
+      all DNS traffic.  <package>NetworkManager</package> uses the
+      BIND nameserver as a DNSSEC resolver and all received DNS
+      responses are proved to be correct. In case a particular domain
+      is signed and failed to validate then resolver returns
+      <command>SERFVAIL</command> instead of invalidated response,
+      which means something is wrong.
+    </para>
+    <para>
+      For all details please refer to <ulink
+      url="https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations">https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations</ulink>
+      on the Fedora wiki.
+    </para>
+    <para>
+      <package>dnssec-tools</package> version 1.8 in Fedora 15 is
+      the tool used to improve this feature.
+    </para>
+  </section>
+
+  <section>
+    <title>OpenSCAP</title>
+    <para>
+      First introduced in Fedora 14, <package>OpenSCAP</package> is a
+      set of open source libraries providing an easier path for
+      integration of the SCAP line of standards, managed by NIST and
+      created to provide a standardized approach to maintaining the
+      security of enterprise systems, such as automatically verifying
+      the presence of patches, checking system security configuration
+      settings, and examining systems for signs of compromise.
+    </para>
+    <para>
+      In Fedora 15, <package>openscap</package>, the set of open
+      source libraries enabling integration of the SCAP line of
+      standards, has been upgraded from version 0.6.3 to 0.6.8. During
+      these development stage there has been introduced full support
+      for perl regular expression by default, OVAL float type support,
+      XSL transformation improvements and Dublin Core support, added
+      OVAL schemas version 5.6 and improved XCCDF reporting.
+    </para>
+    <para>
+      <package>secstate</package>, the Security State Configuration
+      Tool, has been rebuilt in Fedora 15 against version 0.4.1.
+    </para>
+    <para>
+      <package>firstaidkit</package>, the System Rescue Tool that
+      automates simple and common system recovery tasks, has been
+      upgraded from 0.2.17 to version 0.2.18.
+    </para>
+    <para>
+      For more information visit this page: 
+      <ulink url="http://www.open-scap.org/page/Main_Page">
+	http://www.open-scap.org/page/Main_Page
+	</ulink>. 
+    </para>
+  </section>
+
+  <section>
+    <title>authoconfig ecryptfs</title>
+    <para>
+      Fedora 15 brings in improved support for eCryptfs, a stacked
+      cryptographic filesystem for Linux. Now when a
+      <package>ecryptfs</package> user logs in,
+      <application>authconfig</application> will automatically mount
+      his private encrypted part of the home directory.
+    </para>
+    <para>
+      For details please refer to the wiki page <ulink
+      url="https://fedoraproject.org/wiki/Features/EcryptfsAuthConfig">
+      https://fedoraproject.org/wiki/Features/EcryptfsAuthConfig
+      </ulink>. 
+    </para>
+  </section>
+
+  <section>
+    <title>setroubleshoot</title>
+    <para>
+      The user interface of <package>setroubleshoot</package> has been
+      redesigned to make it easier to diagnose SELinux problems. In
+      the current setroubleshooter the "best" match is returned for a
+      solution to the customer. In the new redesign, all matches will
+      be returned. For example if samba tried to read content that it
+      is not allowed, we would like to tell the admin that he could
+      label the content <command>samba_share_t</command> or he could
+      set up SELinux to allow samba to share all content Read Only, or
+      Read Write, or samba should not be trying to read this content,
+      it could be a bug or an attack.
+    </para>
+    <para>
+      The interface has also been simplified with easier to
+      explain definitions, like
+    </para>
+<screen>
+If you want samba to share the entire system read/only,  then 
+you need to tell SELinux system about this, by setting the 
+samba_export_all_ro boolean. 
+
+Execute the following command as root.
+
+  setsebool -P samba_export_all_ro=1 
+</screen>
+  </section>
+
+  <section>
+    <title>Remove setuid</title>
+    <para>
+      Fedora 15 removes <command>setuid</command> applications and
+      instead specifically assigns the capabilities required by an
+      application, modifing the spec files of most applications that
+      include a setuid application to remove the setuid flag and
+      change to file capabilities.
+    </para>
+    <para>
+      Please refer to <ulink
+      url="https://fedoraproject.org/wiki/Features/RemoveSETUID">https://fedoraproject.org/wiki/Features/RemoveSETUID</ulink>
+      for all details.
+    </para>
+  </section>
+
 
 </section>

More information about the docs-commits mailing list