post direct-file-modification commands

Steve Friedman steve at adsi-m4.com
Thu Nov 30 15:31:40 UTC 2006


On Thu, 30 Nov 2006, Joshua Brindle wrote:

>> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
>>
>> Stephen Smalley wrote:
>>> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
>>>> The various GUI tools are nice for getting a policy configured
>>>> correctly; however, to propagate this configuration to a series of
>>>> like modified machines one runs into a speed bump.
>>>>
>>>> The files (e.g., booleans.local) state that the semanage command
>>>> should be used to modify the file; however, via the GUI I am
>>>> blissfully unaware of the actual commands (and would like to remain so).
>>>>
>>>> But, it would seem that it should be perfectly legal to propagate the
>>>> various ".local" files directly.  If this is legal, what commands
>>>> must be issued to cause selinux to read the various policy updates?
>>>> If this isn't legal, then what means can be used to propagate the policy?
>>>
>>> I don't think it is "legal" in the sense that those files are the
>>> private state of libsemanage and are only supposed to be manipulated
>>> via the libsemanage interfaces by programs like semodule, semanage and
>>> setsebool.  libsemanage will ultimately support other backends beyond
>>> just the current direct access to the local file store, such as access
>>> to local and ultimately remote policy management daemons.
>>>
>>> However, I'm not sure that there is a good mechanism at present to do
>>> what you want in a "legal" way (Joshua or Karl feel free to contradict
>>> me if there is).  If you do simply copy them over using your favorite
>>> utility for doing so, you can run semodule -B on the target machine to
>>> force a rebuild and reload of the kernel policy from the updated
>>> policy store there.  Not sure if that is exported through any GUI at present.
>>>
>>
>> I think that this is needed functionality. Opened a bug -
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
>>
>
> At some point in the near (hopefully) future we'll be putting the
> network libsemanage backend into the library and after that a simple
> daemon could be written to send policy and local changes across the
> network. This would, of course, be the predecessor to a full policy
> server with access control on policy changes.
>

Call me old-fashioned, but it is nice to be able to send a colleague / 
customer / friend a text file that can be edited, diffed, reviewed, 
archived, and updated.  Policy servers are convenient for one 
organization, but sometimes this transfer occurs across organization 
boundaries.  (Not to mention the delay between this hoped-for tool and the 
actual, production-ready deployment schedule...)
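As an added example (not from the thread or from the SELinux project), one way to get the diffable text file asked for above without touching libsemanage's private files: capture the boolean settings with getsebool into a plain "name=value" file, review the diff, and replay only the differences with setsebool -P, which updates booleans.local through the supported interface. The script assumes getsebool and setsebool are on the PATH; file-context and port customizations would need the same treatment via semanage.

```shell
#!/bin/sh
# Added example: propagate SELinux boolean settings as a reviewable text file
# and apply them with setsebool -P instead of editing booleans.local by hand.

# Normalize "getsebool -a" output ("name --> on") into sorted "name=on" lines,
# so the result can be diffed, reviewed and archived as plain text.
booleans_to_file() {
    awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1 "=" $3 }' | sort
}

# Capture this host's live settings into FILE ($1).
dump_booleans() {
    getsebool -a | booleans_to_file > "$1"
}

# Print the setsebool -P commands that bring a host from CURRENT ($2) to the
# settings in WANTED ($1), both in "name=on" format. Only differing entries are
# emitted, so the output doubles as a review of what will change; malformed
# lines are reported on stderr and skipped.
plan_booleans() {
    wanted=$1 current=$2
    while IFS='=' read -r name value; do
        case $name in ''|'#'*) continue ;; esac
        case $value in on|off) ;;
            *) echo "skip $name: bad value '$value'" >&2; continue ;;
        esac
        if ! grep -qxF "$name=$value" "$current"; then
            printf 'setsebool -P %s %s\n' "$name" "$value"
        fi
    done < "$wanted"
}

# Apply FILE ($1) to this host: compute the plan against the live settings and
# run it, stopping at the first failing setsebool call.
apply_booleans() {
    tmp=$(mktemp) || return 1
    getsebool -a | booleans_to_file > "$tmp"
    plan_booleans "$1" "$tmp" | sh -e
    status=$?
    rm -f "$tmp"
    return $status
}
```

Run `dump_booleans settings.txt` on the reference host, send or diff the file, then `apply_booleans settings.txt` on each target; `plan_booleans settings.txt <(getsebool -a | booleans_to_file)` shows the changes without making them.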




More information about the fedora-selinux-list mailing list