post direct-file-modification commands

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 30 13:21:44 UTC 2006


On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> The various GUI tools are nice for getting a policy configured correctly; 
> however, to propagate this configuration to a series of like modified 
> machines one runs into a speed bump.
> 
> The files (e.g., booleans.local) state that the semanage command should be 
> used to modify the file; however, via the GUI I am blissfully unaware of 
> the actual commands (and would like to remain so).
> 
> But, it would seem that it should be perfectly legal to propagate the 
> various ".local" files directly.  If this is legal, what commands must be 
> issued to cause selinux to read the various policy updates?  If this isn't 
> legal, then what means can be used to propagate the policy?

I don't think it is "legal" in the sense that those files are the
private state of libsemanage and are only supposed to be manipulated via
the libsemanage interfaces by programs like semodule, semanage and
setsebool.  libsemanage will ultimately support other backends beyond
just the current direct access to the local file store, such as access
to local and ultimately remote policy management daemons.

However, I'm not sure that there is a good mechanism at present to do
what you want in a "legal" way (Joshua or Karl feel free to contradict
me if there is).  If you do simply copy them over using your favorite
utility for doing so, you can run semodule -B on the target machine to
force a rebuild and reload of the kernel policy from the updated policy
store there.  Not sure if that is exported through any GUI at present.

-- 
Stephen Smalley
National Security Agency
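Added example, not part of the thread and not code from Stephen Smalley or the libsemanage project. It shows the libsemanage-mediated route for the booleans part of the question: instead of copying booleans.local into the target's store, read it on the reference machine and replay each setting on the target with setsebool -P, which goes through libsemanage. It assumes (an assumption, check it against your own store) that booleans.local holds one "name=value" line per locally changed boolean, value 0 or 1, with '#' comments; the function names are hypothetical. Names are validated before they are passed to setsebool so that a tampered or mangled file cannot smuggle extra arguments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed booleans.local format: "name=value" per line, value 0/1, '#' comments.

# Print "name on|off" for each boolean in a booleans.local file.
# Malformed lines are reported on stderr and skipped; the function then
# returns 1 so a caller can refuse to apply a partial set.
read_booleans_local() {
    _file=$1
    _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                                 # drop comments
        _line=$(printf '%s' "$_line" | tr -d ' \t\r')      # drop whitespace
        [ -n "$_line" ] || continue
        _name=${_line%%=*}
        _value=${_line#*=}
        # Only identifier characters are allowed in a boolean name; this also
        # rejects lines without '=' once the value check below runs.
        case "$_name" in
            ''|*[!A-Za-z0-9_]*)
                echo "skipping line with bad boolean name: $_line" >&2
                _rc=1; continue ;;
        esac
        case "$_value" in
            1|true|on)   _state=on ;;
            0|false|off) _state=off ;;
            *)  echo "skipping line with bad value: $_line" >&2
                _rc=1; continue ;;
        esac
        printf '%s %s\n' "$_name" "$_state"
    done < "$_file"
    return $_rc
}

# Replay a booleans.local on the target through setsebool -P (run as root).
# Applies nothing if the file contains any malformed line.
apply_booleans_local() {
    _pairs=$(read_booleans_local "$1") || return 1
    [ -n "$_pairs" ] || return 0
    printf '%s\n' "$_pairs" | while read -r _name _state; do
        # exit here only leaves the pipeline subshell; its status becomes
        # the function's return value
        setsebool -P "$_name" "$_state" || exit 1
    done
}

# Dry run, showing the commands that would be issued:
#   read_booleans_local /path/to/booleans.local | sed 's/^/setsebool -P /'
# Apply on the target:
#   apply_booleans_local /path/to/booleans.local
```

This covers booleans only. For the rest of the local store (module and local customizations that have no setsebool equivalent), the thread's answer stands: copy the files and run semodule -B on the target to rebuild and reload the kernel policy, accepting that the copied files are libsemanage's private state and the format may change.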




More information about the fedora-selinux-list mailing list