On Wed, Nov 15, 2017 at 04:23:44PM +0100, Andreas Nilsson wrote:
> On 2017-11-13 13:29, Petr Lautrbach wrote:
> > So the page is here
> >
> > https://github.com/cockpit-project/cockpit/wiki/Feature:-Manage-SELinux-policy
> >
> > There are 2 stories of 2 personas which I think describe expected usage.
> > I'm not sure how to describe Workflows but in Prior Art it's documented
> > as it is now.
>
> Looks good to me. Thanks for writing these up!
> For the stories, what about something like this:

Did you mean workflows?

> "Phillip logs in to the system with Cockpit. He navigates to the section
> where he can set the SELinux permissions. He sets /companywebsite to be
> accessible by httpd.
> He then edits /etc/httpd/conf/httpd.conf and sets the configuration
> parameters necessary. He then creates the public_html folder for each
> user and sets the right permissions. Once that is done he changes the
> selinux rule to allow users to serve web content out of their home
> directories.

In this scenario I would not expect users to change rules but change
boolean values. I'd rephrase the last sentence:

Once that is done he changes the SELinux boolean which allows web server to
serve content out of home directories.

> He then creates a test user, drops a html-file in
> /home/testuser/public_html and tests if it's accessible from a web
> browser. Once it's done he logs out." [1]
>
> "George Cucumber logs in to the system with Cockpit. He navigates to the
> section where he can set the SELinux permissions. There he changes all
> user accounts from unconfined to guest. Once it's done, he creates a
> test user and tries to ping google.com. It won't work, so he's
> successful. He logs out again."

s/unconfined/unconfined_u/;s/guest/guest_u/

But it looks good.

>
> "Paul logs in to the system with Cockpit. He navigates to the section
> where he can set the SELinux permissions. He sets the bank_trans_
> service to permissive. Once that is done, he logs out again"

I'm not sure about this workflow. I CCed Mirek who's the owner of this idea
if he can provide some insight for this.

> 1. Note that I added the additional steps unrelated to selinux, but
> necessary for the workflow to be successful. There is still a big gap
> before all this is successful only using Cockpit, but I think that's OK
> for now.
>

Thanks!

Petr
