On 11/16/2017 03:29 PM, Miroslav Grepl wrote:
> On 11/16/2017 12:31 PM, Petr Lautrbach wrote:
>> On Wed, Nov 15, 2017 at 04:23:44PM +0100, Andreas Nilsson wrote:
>>> On 2017-11-13 13:29, Petr Lautrbach wrote:
>>>> So the page is here
>>>>
>>>> https://github.com/cockpit-project/cockpit/wiki/Feature:-Manage-SELinux-policy
>>>>
>>>> There are 2 stories of 2 personas which I think describe expected usage.
>>>> I'm not sure how to describe Workflows but in Prior Art it's documented
>>>> as it is now.
>>>
>>> Looks good to me. Thanks for writing these up!
>>> For the stories, what about something like this:
>>
>> Did you mean workflows?
>>
>>> "Phillip logs in to the system with Cockpit. He navigates to the section
>>> where he can set the SELinux permissions. He sets /companywebsite to be
>>> accessible by httpd.
>>> He then edits /etc/httpd/conf/httpd.conf and sets the configuration
>>> parameters necessary. He then creates the public_html folder for each
>>> user and sets the right permissions. Once that is done he changes the
>>> selinux rule to allow users to serve web content out of their home
>>> directories.
>>
>> In this scenario I would not expect users to change rules but change boolean 
>> values.
>> I'd rephrase the last sentence:
>>
>> Once that is done he changes the SELinux boolean which allows web server
>> to serve content out of home directories.
>>
>>> He then creates a test user, drops a html-file in
>>> /home/testuser/public_html and tests if it's accessible from a web
>>> browser. Once it's done he logs out." [1]
>>>
>>> "George Cucumber logs in to the system with Cockpit. He navigates to the
>>> section where he can set the SELinux permissions. There he changes all
>>> user accounts from unconfined to guest. Once it's done, he creates a
>>> test user and tries to ping google.com. It won't work, so he's
>>> successful. He logs out again."
>>
>> s/unconfined/unconfined_u/;s/guest/guest_u/
>>
>> But it looks good.
>>
>>>
>>> "Paul logs in to the system with Cockpit. He navigates to the section
>>> where he can set the SELinux permissions. He sets the bank_trans_
>>> service to permissive. Once that is done, he logs out again."
>> I'm not sure about this workflow. I CCed Mirek who's the owner of this
>> idea if he can provide some insight for this.
>>
> 
> I would like to see a possibility to apply the permissive mode for a
> selected service which can be listed by "semanage permissive -l"

To be more specific, I would like to see an option that a user can
choose a specific SELinux domain from a list provided by Cockpit WebUI,
mark it and apply Permissive mode for the selected SELinux domain. The
same user can search for an SELinux domain in this list so he does not
need to go through the generated list.

> 
>>
>>> 1. Note that I added the additional steps unrelated to selinux, but
>>> necessary for the workflow to be successful. There is still a big gap
>>> before all this is successful only using Cockpit, but I think that's OK
>>> for now.
>>>
>>
>> Thanks!
>>
>> Petr
>>
>>
> 
> 


-- 
Miroslav Grepl
Associate Manager, Platform Security
Red Hat, Inc.
_______________________________________________
cockpit-devel mailing list -- cockpit-devel@lists.fedorahosted.org
To unsubscribe send an email to cockpit-devel-le...@lists.fedorahosted.org
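The three workflows discussed in this thread (label a web root and flip the home-directory boolean, map a login to guest_u, and search a domain list then make one domain permissive) reduce to a handful of policycoreutils commands. The script below is an added example, not code from the thread or from the Cockpit project. It assumes the standard `semanage`, `setsebool` and `restorecon` tools on the target host; the boolean name `httpd_enable_homedirs` is the targeted-policy boolean the thread only describes in words, and the domain list is a constructed sample standing in for what `seinfo -adomain -x` or `semanage permissive -l` would return on a real system. It runs in dry-run mode by default so the planned changes can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread or the Cockpit project): helper
# functions behind the three SELinux workflows discussed on the list.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Workflow 1 (Phillip): label the company web root for httpd and allow
# the web server to serve content out of home directories. The boolean
# httpd_enable_homedirs is assumed here; the thread only describes it.
enable_web_homedirs() {
    webroot="$1"
    run semanage fcontext -a -t httpd_sys_content_t "${webroot}(/.*)?"
    run restorecon -Rv "$webroot"
    run setsebool -P httpd_enable_homedirs on
}

# Workflow 2 (George Cucumber): map a Linux login to the guest_u
# SELinux user (Petr's correction of "guest" to "guest_u").
confine_login() {
    run semanage login -a -s guest_u "$1"
}

# Constructed sample domain list, one type per line. A real front end
# would populate it from `seinfo -adomain -x` (all domains) or
# `semanage permissive -l` (domains already permissive).
SAMPLE_DOMAINS='httpd_t
sshd_t
httpd_sys_script_t
init_t'

# Workflow 3 (Mirek's request): case-insensitive search of the domain
# list read from stdin, so the user need not scroll the whole list.
search_domains() {
    grep -i -F -- "$1"
}

# Make one selected domain permissive. Refuse anything that is not a
# type name, so a typo cannot turn into a semanage error on the host.
set_domain_permissive() {
    domain="$1"
    case "$domain" in
        *_t) ;;
        *) echo "refusing: '$domain' is not an SELinux type name" >&2; return 1 ;;
    esac
    run semanage permissive -a "$domain"
}

# Print the complete plan for all three workflows (dry run by default).
show_plan() {
    enable_web_homedirs /companywebsite
    confine_login testuser
    printf '%s\n' "$SAMPLE_DOMAINS" | search_domains httpd | while read -r d; do
        echo "candidate domain: $d"
    done
    set_domain_permissive httpd_t
}

show_plan
```

With `DRY_RUN=0` the same functions execute the commands; a permissive domain added this way shows up in `semanage permissive -l` and is removed again with `semanage permissive -d <domain>` once the denial being debugged has been fixed in policy.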