Feature: SELinux export import - cockpit-project/cockpit GitHub Wiki

Notes

Related to:

Stories & Workflows

(These stories are continuations from the SELinux Troubleshooting feature. It's SELinux, the sequel.)

Duplicate exact SELinux configuration (full reset)

Robert Paulson is a developer who was roped into also being a sysadmin at a small IT company with 20 employees. He previously set up a production website and his company now has the funds to buy a machine for staging. Instead of trying to manually struggle with SELinux again, he wants to set up the staging site to be an exact copy of production — including SELinux rules.

Robert logs into Cockpit, navigates to the SELinux area in the production server, clicks the export button, saves the configuration file. He then switches to the freshly installed staging server in Cockpit, navigates to the SELinux area, clicks import, uploads the configuration file, checks the import summary, and imports the settings.

Copy specific SELinux rules to another machine (preserve existing rules)

Phillip J. Fry leads a small IT team at a moderately sized firm. He set up a local development server and wants to make it easy for other developers to do the same thing on their test systems.

After setting up his local web server to allow access with SELinux through Cockpit, he exports his configuration file. He manually edits the file to remove non-relevant SELinux configuration. Phillip then adds the file to his company's intranet with instructions for his colleagues about how to set up their own test web servers.

Kasie Calkin is a colleague of Phillip's.

Kasie follows Phillip's instructions on a secondary machine, but this machine is already doing other tasks. When importing the SELinux configuration, she decides not to wipe out the existing SELinux rules, so she double-checks that "reset to defaults" is turned off.

SELinux page

Export and import buttons reside on the SELinux page.

mockup of SELinux page

Export

An export simply contains the output of sudo semanage export, which is similar to:

boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 virt_sandbox_use_all_caps
boolean -m -1 virt_use_nfs
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'

The output should be served as a plain-text forced download, and the filename should be selinux-hostname_here.config.

As the file is plain text, it could be inspected and also manually edited before being imported into another machine.

export and import buttons mockup

The dialog is system-provided. In this case, it's what Firefox provides to download a text file.

Import

  1. Reset to defaults
    • should be optional
    • should be off by default
    • might be all-or-nothing to keep the UI cleaner
    • should only reset what's in the import file
  2. Split into 3 sections (reset to defaults, booleans, filesystem changes)
  3. Parse file and show friendly text for booleans & fs contexts
  4. Checkboxes for selective import, with all booleans and fcontexts checked by default (exception is the resetting to defaults, which is handled separately)

[Mockup coming soon]
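The following is an added example, not Cockpit's own code, covering both the export format shown above and the import steps listed here. It parses semanage export output into the three sections the import dialog is meant to show (resets, booleans, filesystem contexts), produces friendly text for each boolean and fcontext line, and rebuilds the file to import from the user's checkbox state, dropping the -D reset lines unless "reset to defaults" was explicitly turned on. The sample input is a constructed subset of the page's example export with one boolean changed to -0 to show the "off" case; the function and field names are this example's own.

```javascript
// Added example (not Cockpit's own code). Parses `semanage export` output as
// shown on this page and models the import dialog's selection logic.

// Constructed sample: a subset of the page's example export, with one boolean
// set to -0 (off) so both boolean states are exercised.
const SAMPLE_EXPORT = `boolean -D
login -D
fcontext -D
boolean -m -1 virt_sandbox_use_all_caps
boolean -m -0 virt_use_nfs
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'
`;

// Split one line into words, honouring single-quoted arguments (paths may
// contain spaces and are quoted in semanage output).
function tokenize(line) {
  const words = [];
  const re = /'([^']*)'|(\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null)
    words.push(m[1] !== undefined ? m[1] : m[2]);
  return words;
}

// Sort lines into the three import sections; anything unrecognised is kept
// separately so it can be shown verbatim rather than silently dropped.
function parseExport(text) {
  const result = { resets: [], booleans: [], fcontexts: [], other: [] };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [kind, ...args] = tokenize(line);
    if (args[0] === '-D') {                       // "<kind> -D": reset that kind to defaults
      result.resets.push({ kind, line });
    } else if (kind === 'boolean' && args[0] === '-m') {
      // "boolean -m -1|-0 <name>"
      result.booleans.push({ name: args[2], enabled: args[1] === '-1', line });
    } else if (kind === 'fcontext' && args[0] === '-a') {
      // "fcontext -a [-f <ftype>] -t <type> [other -x value pairs] <path>"
      const opts = {};
      let path = null;
      for (let i = 1; i < args.length; i++) {
        if (args[i].startsWith('-')) opts[args[i]] = args[++i];
        else path = args[i];
      }
      result.fcontexts.push({ path, type: opts['-t'], ftype: opts['-f'] || 'a', line });
    } else {
      result.other.push({ kind, line });
    }
  }
  return result;
}

// Human-readable names for the -f file-type codes accepted by semanage fcontext.
const FTYPE_NAMES = {
  a: 'all files', f: 'regular files', d: 'directories', c: 'character devices',
  b: 'block devices', s: 'sockets', l: 'symlinks', p: 'named pipes',
};

// Friendly text for one parsed entry (what the import dialog would show).
function describe(entry) {
  if ('enabled' in entry) return `Turn ${entry.enabled ? 'on' : 'off'} boolean ${entry.name}`;
  if ('path' in entry) return `Label ${FTYPE_NAMES[entry.ftype] || entry.ftype} at ${entry.path} as ${entry.type}`;
  return `Reset ${entry.kind} settings to defaults`;
}

// Rebuild the file to import from the dialog state. resetToDefaults is off by
// default; when off, the -D lines are dropped so existing rules survive. When
// on, only the -D lines present in the file are emitted (all-or-nothing).
// selectedLines is the set of original lines whose checkboxes are ticked;
// null means everything is selected, the default for booleans and fcontexts.
function buildImport(parsed, { resetToDefaults = false, selectedLines = null } = {}) {
  const keep = (e) => selectedLines === null || selectedLines.has(e.line);
  const out = [];
  if (resetToDefaults) out.push(...parsed.resets.map((e) => e.line));
  out.push(...parsed.booleans.filter(keep).map((e) => e.line));
  out.push(...parsed.fcontexts.filter(keep).map((e) => e.line));
  return out.join('\n') + '\n';
}

// Import summary, one friendly line per entry, grouped by section.
function summarize(parsed) {
  return [...parsed.resets, ...parsed.booleans, ...parsed.fcontexts].map(describe);
}

console.log(summarize(parseExport(SAMPLE_EXPORT)).join('\n'));
```

Keeping the original line text on each parsed entry means the rebuilt import file is byte-for-byte the user's selection of the exported lines rather than a re-serialisation, so nothing the parser did not understand (an unusual fcontext flag, for instance) can be altered on the way through; unrecognised lines land in `other` where the dialog can show them untouched.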