post direct-file-modification commands
Joshua Brindle
jbrindle at tresys.com
Thu Nov 30 15:12:43 UTC 2006
> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
>
> Stephen Smalley wrote:
> > On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >> The various GUI tools are nice for getting a policy configured
> >> correctly; however, to propagate this configuration to a series of
> >> like modified machines one runs into a speed bump.
> >>
> >> The files (e.g., booleans.local) state that the semanage command
> >> should be used to modify the file; however, via the GUI I am
> >> blissfully unaware of the actual commands (and would like to remain so).
> >>
> >> But, it would seem that it should be perfectly legal to propagate the
> >> various ".local" files directly. If this is legal, what commands
> >> must be issued to cause selinux to read the various policy updates?
> >> If this isn't legal, then what means can be used to propagate the policy?
> >
> > I don't think it is "legal" in the sense that those files are the
> > private state of libsemanage and are only supposed to be manipulated
> > via the libsemanage interfaces by programs like semodule, semanage and
> > setsebool. libsemanage will ultimately support other backends beyond
> > just the current direct access to the local file store, such as access
> > to local and ultimately remote policy management daemons.
> >
> > However, I'm not sure that there is a good mechanism at present to do
> > what you want in a "legal" way (Joshua or Karl feel free to contradict
> > me if there is). If you do simply copy them over using your favorite
> > utility for doing so, you can run semodule -B on the target machine to
> > force a rebuild and reload of the kernel policy from the updated
> > policy store there. Not sure if that is exported through any GUI at present.
> >
>
> I think that this is needed functionality. Opened a bug -
> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
>
At some point in the near (hopefully) future we'll be putting the
network libsemanage backend into the library and after that a simple
daemon could be written to send policy and local changes across the
network. This would, of course, be the predecessor to a full policy
server with access control on policy changes.
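The thread's point is that booleans.local is libsemanage's private state, so the supported way to carry boolean settings to another machine is through the interfaces it names (setsebool among them) rather than copying the file. The script below is an added example, not code from the thread or from the SELinux project: it assumes the real `getsebool -a` output format ("name --> on|off") and turns a capture of it into `setsebool -P` commands for the target, skipping any line that does not match so a truncated capture cannot yield a half-formed command.

```shell
#!/bin/sh
# Added example: propagate SELinux booleans through the supported interface
# (setsebool -P) instead of copying booleans.local, which the thread notes
# is libsemanage private state. Assumes the 'getsebool -a' line format
# "name --> on|off"; using getsebool here is our assumption, not something
# the thread prescribes.

# Constructed sample of 'getsebool -a' output captured on the source machine,
# including one malformed line to show the filter at work.
SAMPLE_BOOLEANS='httpd_can_network_connect --> on
httpd_enable_homedirs --> off
ftpd_anon_write --> off
  malformed line without arrow'

# Emit one 'setsebool -P name value' command per well-formed boolean line.
# Exactly three fields, an arrow in the middle and an on/off value are
# required; anything else is dropped rather than guessed at.
render_setsebool() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $2 == "-->" && ($3 == "on" || $3 == "off") {
            printf "setsebool -P %s %s\n", $1, $3
        }'
}

# Number of commands that would run on the target; a quick sanity check
# against the number of booleans you expected to carry over.
count_commands() {
    render_setsebool "$1" | wc -l | tr -d ' '
}

# With --apply, read the live boolean state and persist it on this host
# (setsebool -P commits through libsemanage, so no semodule -B is needed).
# Without it, just show what would be generated from the sample.
if [ "${1:-}" = "--apply" ]; then
    render_setsebool "$(getsebool -a)" | sh -e
else
    render_setsebool "$SAMPLE_BOOLEANS"
fi
```

Run it on the source as `getsebool -a > booleans.txt`, review `render_setsebool "$(cat booleans.txt)"`, then execute the generated commands on each target; only settings, not libsemanage's internal files, cross the wire.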