Skip to content

Feature: Manage SELinux policy

Martin Pitt edited this page Jan 29, 2018 · 10 revisions

Notes

This is related to https://github.com/cockpit-project/cockpit/wiki/Feature:-SELinux-Troubleshooting but this feature should be more focused on manageability than troubleshooting.

Stories

Phillip J Fry is a junior sysadmin. He’s pretty new at the job and kind of exaggerated his sysadmin skills at the job interview. He has a lot to learn about the job still and usually gets assigned various tasks from his manager. His task is to configure apache server with these requirements:

  • apache will provide a static website with files located in /companywebsite

  • apache will allow users to use ~/public_html directories for their presentations

He found in the Fedora SELinux Uses and Administrators Guide that he needs to label /companywebsite directory with httpd_sys_content_t type and set httpd_enable_homedirs boolean to on.

George Cucumber is an experienced system administrator. He was assigned to a task to make available a Fedora system on a new powerful hardware for users to allow them some operations. But since users are not trusted, he needs to confine them so that they can’t access the internet from the host. He read in Fedora SELinux Uses and Administrators Guide that users can be confined by SELinux using guest_u SELinux user.

Paul is an experienced system administrator in a bank and he wants to add SELinux support for a new functionality of a service which provides monitoring of bank transactions. The service is already confined by SELinux with the bank_trans_t process label and he needs to collect all AVC messages related to this new functionality. He can not switch the entire production system to SELinux permissive mode and he found in the Fedora SELinux Uses and Administrators Guide that he needs to run the semanage permissive -a command for the SELinux process label of the service.

Workflows

Phillip logs in to the system with Cockpit. He navigates to the section where he can set the SELinux permissions. He sets /companywebsite to be accessible by httpd. He then edits /etc/httpd/conf/httpd.conf and sets the configuration parameters necessary. He then creates the public_html folder for each users and set the right permissions. Once that is done he changes the SELinux boolean which allows web server to serve content out of home directories.

George logs in to the system with Cockpit. He navigates to the section where he can set the SELinux permissions. There he changes all user accounts from unconfined_u to guest_u. Once it’s done, he creates a test user and tries to ping google.com. It won’t work, so he’s successful. He logs out again.

Paul logs in to the server with Cockpit.

Prior art

Command line utility semanage

Phillip would do these steps:

# semanage fcontext -a -t httpd_sys_content_t "/companywebsite(/.*)?"
# restorecon -R -v /companywebsite
restorecon reset /companywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /companywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
# semanage boolean -m --on httpd_enable_homedirs
# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,   on)  Allow httpd to read home directories

George would do these steps:

# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
# semanage login -m -s guest_u __default__
# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *

Paul would do these steps:

# semanage permissive -a bank_trans_t

Wireframes

Feedback

Notes from Brno discussion about RHEL 8 scope

  • Show/handle booleans: semanage policy --list shows available booleans; there exist 310 of them:

    • Put mapping to service name into XML

    • Move policy XML to package that is installed by default

  • semanage export/import can transfer changes to a different machines; download/upload files or just show text dump and help reference for education and avoiding to break server by wholesale import?

  • We don’t do a general file browser with labelling

Clone this wiki locally