Feature: Manage SELinux policy
This is related to https://github.com/cockpit-project/cockpit/wiki/Feature:-SELinux-Troubleshooting but this feature should be more focused on manageability than troubleshooting.
Phillip J Fry is a junior sysadmin. He's pretty new at the job and somewhat exaggerated his sysadmin skills at the job interview. He still has a lot to learn and usually gets assigned various tasks by his manager. His current task is to configure an Apache server with these requirements:

- Apache will serve a static website whose files are located in `/companywebsite`
- Apache will allow users to use `~/public_html` directories for their presentations
He found in the Fedora SELinux Users and Administrators Guide that he needs to label the `/companywebsite` directory with the `httpd_sys_content_t` type and set the `httpd_enable_homedirs` boolean to on.
George Cucumber is an experienced system administrator. He was assigned the task of making a Fedora system on new, powerful hardware available to users so that they can perform some operations on it. But since the users are not trusted, he needs to confine them so that they can't access the internet from the host. He read in the Fedora SELinux Users and Administrators Guide that users can be confined by SELinux using the `guest_u` SELinux user.
Phillip would do these steps:
```
# semanage fcontext -a -t httpd_sys_content_t "/companywebsite(/.*)?"
# restorecon -R -v /companywebsite
restorecon reset /companywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /companywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
```

```
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (off , off)  Allow httpd to read home directories
# semanage boolean -m --on httpd_enable_homedirs
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on , on)  Allow httpd to read home directories
```
George would do these steps:
```
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
# semanage login -m -s guest_u __default__
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
```
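A management UI such as the one proposed here needs to read the current SELinux state back from `semanage` and show which of Phillip's and George's settings are still not in effect. The following is an added example (not Cockpit's own code) that parses the `semanage boolean -l` and `semanage login -l` output shown in both transcripts above and reports drift from the wanted state; the sample output strings are constructed from those transcripts, and the regular expressions assume the column layout shown there.

```python
import re

# Constructed sample output mirroring `semanage boolean -l` and `semanage login -l`
# from the transcripts above (state before either admin made their change).
BOOLEANS_BEFORE = """\
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
"""
LOGINS_BEFORE = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""
# name (current , persistent) description
BOOL_RE = re.compile(r"^(\S+)\s+\((\w+)\s*,\s*(\w+)\)\s+(.*)$")
# login seuser mls-range service; the header has more words, so it never matches
LOGIN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_booleans(text):
    """Map boolean name -> (current, persistent, description)."""
    out = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line.strip())
        if m:
            name, cur, persist, desc = m.groups()
            out[name] = (cur, persist, desc.strip())
    return out

def parse_logins(text):
    """Map login name -> (selinux_user, mls_range, service); skips header/blank lines."""
    out = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            login, seuser, mls, service = m.groups()
            out[login] = (seuser, mls, service)
    return out

def check_state(booleans, logins, want_booleans, want_logins):
    """Return a finding for every wanted setting that is not (yet) in effect."""
    findings = []
    for name, wanted in want_booleans.items():
        cur, persist, _ = booleans.get(name, ("missing", "missing", ""))
        if cur != wanted or persist != wanted:
            findings.append(f"boolean {name}: current={cur} persistent={persist}, wanted {wanted}")
    for login, wanted in want_logins.items():
        seuser = logins.get(login, ("missing",))[0]
        if seuser != wanted:
            findings.append(f"login {login}: mapped to {seuser}, wanted {wanted}")
    return findings

WANT_BOOLEANS = {"httpd_enable_homedirs": "on"}   # Phillip's requirement
WANT_LOGINS = {"__default__": "guest_u"}          # George's requirement
```

Run against the "before" samples it reports two findings; feeding it the post-change output from the transcripts returns an empty list.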