post direct-file-modification commands

Joshua Brindle jbrindle at tresys.com
Thu Nov 30 15:12:43 UTC 2006


> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
>
> Stephen Smalley wrote:
> > On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >> The various GUI tools are nice for getting a policy configured
> >> correctly; however, to propagate this configuration to a series of
> >> like modified machines one runs into a speed bump.
> >>
> >> The files (e.g., booleans.local) state that the semanage command
> >> should be used to modify the file; however, via the GUI I am
> >> blissfully unaware of the actual commands (and would like to remain so).
> >>
> >> But, it would seem that it should be perfectly legal to propagate the
> >> various ".local" files directly.  If this is legal, what commands
> >> must be issued to cause selinux to read the various policy updates?
> >> If this isn't legal, then what means can be used to propagate the policy?
> >
> > I don't think it is "legal" in the sense that those files are the
> > private state of libsemanage and are only supposed to be manipulated
> > via the libsemanage interfaces by programs like semodule, semanage and
> > setsebool.  libsemanage will ultimately support other backends beyond
> > just the current direct access to the local file store, such as access
> > to local and ultimately remote policy management daemons.
> >
> > However, I'm not sure that there is a good mechanism at present to do
> > what you want in a "legal" way (Joshua or Karl feel free to contradict
> > me if there is).  If you do simply copy them over using your favorite
> > utility for doing so, you can run semodule -B on the target machine to
> > force a rebuild and reload of the kernel policy from the updated
> > policy store there.  Not sure if that is exported through any GUI at present.
> >
>
> I think that this is needed functionality. Opened a bug -
> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
>

At some point in the near (hopefully) future we'll be putting the
network libsemanage backend into the library and after that a simple
daemon could be written to send policy and local changes across the
network. This would, of course, be the predecessor to a full policy
server with access control on policy changes.
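As an added illustration, not part of the thread, here is one way to replay the booleans recorded in a booleans.local file through setsebool, one of the libsemanage-based interfaces named above, instead of copying the private store file to another machine. It assumes the file uses one "name=value" line per boolean (the sample below is constructed); anything else is reported and skipped, and nothing is executed, so the output can be reviewed before it is run on the target.

```shell
#!/bin/sh
# Added example: turn a libsemanage booleans.local file into the
# equivalent "setsebool -P" commands. Assumed format: one "name=value"
# line per boolean, value 0 or 1, "#" comments and blank lines allowed.

# Print one "setsebool -P name value" line per well-formed boolean line.
# Only prints; it never runs setsebool itself.
booleans_local_to_setsebool() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/setsebool -P \1 \2/p' "$1"
}

# Print the lines that are neither blank, comments, nor well-formed
# boolean settings, so a damaged or hand-edited file is noticed.
booleans_local_rejects() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
      | grep -v '^[[:space:]]*[A-Za-z0-9_]\{1,\}[[:space:]]*=[[:space:]]*[01][[:space:]]*$' \
      || true
}

# Constructed sample file in the assumed layout, with one malformed line.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# booleans.local (constructed sample, not a real store file)
httpd_can_network_connect=1
allow_execmem=0
bogus line here
EOF

booleans_local_to_setsebool "$SAMPLE_FILE"
booleans_local_rejects "$SAMPLE_FILE" | sed 's/^/skipped: /'
```

After reviewing the printed commands, run them on the target host and let setsebool -P update the store and reload the policy; that avoids the separate semodule -B rebuild that copying the file requires.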




More information about the fedora-selinux-list mailing list