post direct-file-modification commands
Stephen Smalley
sds at tycho.nsa.gov
Thu Nov 30 21:43:32 UTC 2006
On Thu, 2006-11-30 at 14:32 -0500, Steve Friedman wrote:
> On Thu, 30 Nov 2006, Stephen Smalley wrote:
> > Yes, at present, it would be a matter of copying the new booleans.local
> > into place and running semodule -B on the target machine. Going
> > forward, we need utilities that can export/dump and import the data
> > without requiring manual copying of the raw files. In the booleans
> > case, that just means an option to getsebool to dump local booleans in a
> > format easily consumed by setsebool (or some new option to setsebool);
> > this requires finally migrating getsebool over to using libsemanage
> > rather than directly reading the kernel state via selinuxfs (or at least
> > supporting such an option as well).
> >
>
> Great. One last question, if I may: are there any other ".local" files
> besides booleans.local and file_contexts.local? This, plus Dan Walsh's
> blog post (http://danwalsh.livejournal.com/8637.html, for the archives),
> and I think that I am set.
There can be, if local definitions are created via semanage by the
admin, e.g.
ports.local - local labeling of TCP or UDP ports
interfaces.local - local labeling of network interfaces
nodes.local - local labeling of hosts based on (netmask,address)
users.local - local additions of SELinux users
seusers - map Linux users to SELinux users
Also, there can be local modules created by the admin, which could be
named anything (*.pp) under the modules subdirectory; the names are just
the module names. So local.pp would be common for people using
audit2allow -M local as per the Fedora SELinux FAQ, but people may also
be defining any number of more precisely named local modules to e.g. fix
up issues they encounter with particular programs.
Safest thing to do is to just rsync the entire policy tree and semodule
-B it.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list