On 11/16/2017 12:31 PM, Petr Lautrbach wrote:
> On Wed, Nov 15, 2017 at 04:23:44PM +0100, Andreas Nilsson wrote:
>> On 2017-11-13 13:29, Petr Lautrbach wrote:
>>> So the page is here
>>>
>>> https://github.com/cockpit-project/cockpit/wiki/Feature:-Manage-SELinux-policy
>>>
>>> There are 2 stories of 2 personas which I think describe expected usage.
>>> I'm not sure how to describe Workflows but in Prior Art it's documented
>>> as it is now.
>>
>> Looks good to me. Thanks for writing these up!
>> For the stories, what about something like this:
>
> Did you mean workflows?
>
>> "Phillip logs in to the system with Cockpit. He navigates to the section
>> where he can set the SELinux permissions. He sets /companywebsite to be
>> accessible by httpd.
>> He then edits /etc/httpd/conf/httpd.conf and sets the configuration
>> parameters necessary. He then creates the public_html folder for each
>> user and sets the right permissions. Once that is done he changes the
>> SELinux rule to allow users to serve web content out of their home
>> directories.
>
> In this scenario I would not expect users to change rules but change boolean
> values.
> I'd rephrase the last sentence:
>
> Once that is done he changes the SELinux boolean which allows the web server
> to serve content out of home directories.
>
>> He then creates a test user, drops an HTML file in
>> /home/testuser/public_html and tests if it's accessible from a web
>> browser. Once it's done he logs out." [1]
>>
>> "George Cucumber logs in to the system with Cockpit. He navigates to the
>> section where he can set the SELinux permissions. There he changes all
>> user accounts from unconfined to guest. Once it's done, he creates a
>> test user and tries to ping google.com. It won't work, so he's
>> successful. He logs out again."
>
> s/unconfined/unconfined_u/;s/guest/guest_u/
>
> But it looks good.
>
>>
>> "Paul logs in to the system with Cockpit. He navigates to the section
>> where he can set the SELinux permissions. He sets the bank_trans_
>> service to permissive. Once that is done, he logs out again"
>
> I'm not sure about this workflow. I CCed Mirek who's the owner of this
> idea if he can provide some insight for this.
>

I would like to see a possibility to apply the permissive mode for a selected service which can be listed by "semanage permissive -l"

>
>> 1. Note that I added the additional steps unrelated to SELinux, but
>> necessary for the workflow to be successful. There is still a big gap
>> before all this is successful only using Cockpit, but I think that's OK
>> for now.
>>
>
> Thanks!
>
> Petr
>

-- 
Miroslav Grepl
Associate Manager, Platform Security
Red Hat, Inc.

_______________________________________________
cockpit-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
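The three persona workflows discussed in the thread map onto a handful of semanage, restorecon and setsebool invocations. The script below is an added example, not code from the thread or from the Cockpit project: it assumes a targeted-policy host with the policycoreutils management tools installed and root privileges. The function names and the SELINUX_DRY_RUN variable are this example's own, and because the bank_trans_ domain name in Paul's story is truncated, the permissive-domain step takes the domain as a parameter instead of naming one.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cockpit: the SELinux
# commands behind the three persona workflows, wrapped in functions.
# Assumptions: a targeted-policy system with semanage/restorecon/setsebool
# installed and root privileges. With SELINUX_DRY_RUN=1 the functions print
# the command lines instead of running them, so the flow can be reviewed
# (or tested) on a host without SELinux.
set -eu

run() {
    if [ "${SELINUX_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Phillip: make a directory servable by httpd. The fcontext rule is stored
# in the policy first so the label survives a full relabel; restorecon then
# applies it to the files that already exist.
label_web_root() {
    dir="$1"
    run semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
    run restorecon -Rv "$dir"
}

# Phillip, second part. As Petr points out this is a boolean, not a rule;
# -P makes the change persistent across reboots.
enable_homedirs() {
    run setsebool -P httpd_enable_homedirs on
}

# George: map Linux logins that have no explicit entry to guest_u instead of
# unconfined_u. guest_u is denied network access, which is why the test
# user's ping is expected to fail. Logins with their own entry (root, the
# admin account) are not touched; check `semanage login -l` before changing.
confine_default_login() {
    seuser="${1:-guest_u}"
    run semanage login -m -s "$seuser" __default__
}

# Paul: permissive mode for one domain only, leaving the rest of the system
# enforcing. The domain name in the thread is truncated, so it is a
# parameter here (e.g. httpd_t).
set_domain_permissive() {
    run semanage permissive -a "$1"
}

# Mirek's request: the domains currently set permissive.
list_permissive_domains() {
    run semanage permissive -l
}

# Checks an administrator would run after each workflow.
verify_web_root() {
    run ls -Zd "$1"
    run getsebool httpd_enable_homedirs
}
verify_logins() {
    run semanage login -l
}

# Usage: sh selinux-workflows.sh apply /companywebsite DOMAIN
# Without "apply" only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "apply" ]; then
    label_web_root "$2"
    enable_homedirs
    verify_web_root "$2"
    confine_default_login guest_u
    verify_logins
    set_domain_permissive "$3"
    list_permissive_domains
fi
```

Running with SELINUX_DRY_RUN=1 first is a cheap way to review exactly what will be changed before touching the policy; the login mapping step in particular should be preceded by `semanage login -l` so that the administrator's own account keeps an explicit unconfined_u entry.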
