
Feature: Manage SELinux policy

Petr Lautrbach edited this page Nov 10, 2017 · 10 revisions

Stories

Phillip J Fry is a junior sysadmin. He's pretty new at the job and somewhat exaggerated his sysadmin skills at the job interview. He still has a lot to learn and usually gets assigned various tasks by his manager. His current task is to configure an Apache server with these requirements:

  • Apache will serve a static website whose files are located in /companywebsite

  • Apache will allow users to use their ~/public_html directories for their own pages

He found in the Fedora SELinux User's and Administrator's Guide that he needs to label the /companywebsite directory with the httpd_sys_content_t type and set the httpd_enable_homedirs boolean to on.

George Cucumber is an experienced system administrator. He was assigned the task of making a Fedora system on new, powerful hardware available to users for a limited set of operations. Since the users are not trusted, he needs to confine them so that they can't access the internet from the host. He read in the Fedora SELinux User's and Administrator's Guide that users can be confined by SELinux by mapping them to the guest_u SELinux user.

Workflows

Phillip logs in to the server with Cockpit.

George logs in to the server with Cockpit.

Prior art

Command line utility semanage

Phillip would do these steps:

# semanage fcontext -a -t httpd_sys_content_t "/companywebsite(/.*)?"
# restorecon -R -v /companywebsite
restorecon reset /companywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /companywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
# semanage boolean -m --on httpd_enable_homedirs
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,   on)  Allow httpd to read home directories

George would do these steps:

# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
# semanage login -m -s guest_u __default__
# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
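As an added example (not code from the Cockpit project or from this wiki page), the checks an admin or a Cockpit backend would want before and after running the steps above: POSIX shell functions that parse the `semanage boolean -l` and `semanage login -l` listings shown in the prior art and report whether httpd_enable_homedirs is persistently on and whether __default__ maps to guest_u. The embedded listings are constructed sample output, with the boolean deliberately on at runtime but off persistently; on a real host, pipe the live command output into the functions instead.

```shell
# Added example, not code from the Cockpit project or this wiki page: POSIX
# shell helpers that parse the `semanage boolean -l` / `semanage login -l`
# listings shown above and check the state the two stories want. The sample
# listings are constructed (homedirs boolean on at runtime, off persistently).

SAMPLE_BOOLEANS='httpd_enable_homedirs          (on   ,  off)  Allow httpd to read home directories
httpd_can_network_connect      (off  ,  off)  Allow httpd to connect to the network'

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

# boolean_state NAME: reads a `semanage boolean -l` listing on stdin and prints
# "<current> <persistent>" for NAME, e.g. "on off"; exit 1 if NAME is not listed.
# A mismatch means a runtime-only change (setsebool without -P) that reverts at reboot.
boolean_state() {
    awk -v name="$1" '$1 == name {
            line = $0; sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)
            gsub(/ /, "", line); split(line, s, ","); print s[1], s[2]; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# login_user LOGIN: reads a `semanage login -l` listing on stdin and prints the
# SELinux user LOGIN is mapped to, skipping the header line; exit 1 if absent.
login_user() {
    awk -v login="$1" 'NR > 1 && $1 == login { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_stories: 0 when httpd_enable_homedirs is on both now and persistently
# and __default__ maps to guest_u; otherwise prints what differs and returns 1.
check_stories() {
    rc=0
    set -- $(printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_state httpd_enable_homedirs)
    if [ "${1:-}" != on ] || [ "${2:-}" != on ]; then
        echo "httpd_enable_homedirs: current=${1:-unset} persistent=${2:-unset}, need on/on"
        rc=1
    fi
    user=$(printf '%s\n' "$SAMPLE_LOGINS" | login_user __default__)
    if [ "$user" != guest_u ]; then
        echo "__default__ maps to '${user:-nothing}', need guest_u"
        rc=1
    fi
    return $rc
}

check_stories || echo "state differs: run the semanage steps from the prior art section"
```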

GUI utility system-config-selinux

(screenshot: system-config-selinux)

Wireframes

Feedback
