Feature: SELinux Troubleshooting - cockpit-project/cockpit GitHub Wiki

Notes

Stories

Robert Paulson is a developer at a small IT company with 20 employees. For one reason or another, he got tossed the sysadmin hat at the company. He was asked to set up a web server for a webapp they are going to evaluate before putting it in production. The machine has the OS on an SSD and 3 disks set up in RAID5 mounted on /media/storage. He decides to put the webapp in a directory on the storage disk and changes the Apache configuration to look in that place. It doesn't seem to work though.

Sarah Manning is a part-time sysadmin at an IT startup, spending the other half of her work as a backend developer on the company's upcoming product. The developers at the company run their OS of choice. Some, like Sarah, run Linux, some run OSX and some run Windows. There is a need for a way to easily share files between them. Some have suggested Dropbox, but Sarah doesn't feel comfortable relying on a centralized internet service when it should all be doable over the local network with their own server. Hence she decides to set up a file server using Samba as the file sharing protocol and giving each of the developers an account on it so they can serve the files from their home folders there. It works fine when she's testing with SELinux disabled, but stops working as soon as she sets it to enforcing.

Phillip J. Fry leads a small IT team at a moderately sized firm. One of their machines is a web server that serves the company website. It's therefore exposed to the Internet, and hence possible to hack. To guard against this they have a firewall set up and have SELinux set in enforcing mode by default. Phillip wants to give developers at the company an easy way to serve small test sites and files from their public home directories on the server, but for some reason he can't get that to work.

Workflows

Robert logs in to the server with Cockpit. The system informs him that SELinux has blocked his attempt to have Apache serve files out of /media/storage/mywebapp since it's not in the expected /var/www/html.

He realizes that it might not be a good idea to serve it from there. Instead he sets up a logical volume using a part of the storage disk, mounts it on /var/www/html and puts the webapp files there instead. He then dismisses the SELinux alert. Now everything works as expected.

Sarah logs in to the server with Cockpit. The system informs her that SELinux has blocked the request to serve Samba content from home directories. Sarah weighs ease of use against the security implications and concludes that, since it's an internal server only, it's OK in this case. She therefore decides to enable the ability to serve Samba content out of the users' home directories.

Phillip logs in to the server with Cockpit. The system informs him that SELinux has blocked the request to serve HTTP content from home directories. But that's just what he wants. So he enables the ability to do that in SELinux.
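
The three workflows above amount to reading an SELinux denial and turning it into a choice the admin can make. The following is an added example, not Cockpit's code: it assumes denials arrive as standard `type=AVC` audit records, the sample lines are constructed (one per story), and the type labels in them are assumptions about how such a system would be labelled.

```python
import re

# Constructed audit records (not from the page): Robert, Sarah, Phillip.
SAMPLE_LOG = """\
type=AVC msg=audit(1400000001.100:101): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="md0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1400000002.200:102): avc:  denied  { getattr } for  pid=2202 comm="smbd" path="/home/sarah/notes.txt" dev="sda1" ino=232 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000003.300:103): avc:  denied  { search } for  pid=2303 comm="httpd" name="fry" dev="sda1" ino=333 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target types that mean "a user's home directory".
HOME_TYPES = {"user_home_t", "user_home_dir_t"}
# Source domain -> SELinux boolean that permits home-directory access.
HOME_BOOLEANS = {
    "httpd_t": "httpd_enable_homedirs",
    "smbd_t": "samba_enable_home_dirs",
}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def suggest(line):
    """Map one audit line to (category, hint); None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    source = selinux_type(m["scontext"])
    target = selinux_type(m["tcontext"])
    if target in HOME_TYPES and source in HOME_BOOLEANS:
        # Sarah's and Phillip's case: a policy boolean covers the access.
        return ("boolean", f"setsebool -P {HOME_BOOLEANS[source]} on")
    if source == "httpd_t":
        # Robert's case: content is outside the labelled web root.
        return ("relocate", f"{target} is not web content; serve from /var/www/html")
    return ("review", f"{m['comm']} denied {m['perms']} on {target}")


def triage(log_text):
    """Return a suggestion for every denial found in the log text."""
    return [s for s in map(suggest, log_text.splitlines()) if s]
```

Enabling a boolean widens what the confined service may touch on every home directory, which is the trade-off Sarah weighs; the relocate path leaves the policy unchanged.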

Wireframes

Mockup

Prior art

(Screenshots: SeLinux1, SeLinux3, SeLinux4, SeLinux5, SeLinux2)

Feedback