post direct-file-modification commands

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 30 19:15:15 UTC 2006


On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote:
> Let me give an example.  We use postfix at my organization.  It has a 
> number of configuration files.  Using a makefile (an early version of 
> which was copied from the web), the script (via make) issues the relevant 
> commands to build the necessary hash files, etc.  I would envision a 
> similar situation here:  I would distribute one or more ASCII 
> configuration files for the local customization along with a makefile that 
> would determine what commands needed to be issued to build the appropriate 
> policy.
> 
> In effect, I was asking for the details of the makefile.  After updating 
> (say) booleans.local, what needs to be executed, etc.

Yes, at present, it would be a matter of copying the new booleans.local
into place and running semodule -B on the target machine.  Going
forward, we need utilities that can export/dump and import the data
without requiring manual copying of the raw files.  In the booleans
case, that just means an option to getsebool to dump local booleans in a
format easily consumed by setsebool (or some new option to setsebool);
this requires finally migrating getsebool over to using libsemanage
rather than directly reading the kernel state via selinuxfs (or at least
supporting such an option as well).

-- 
Stephen Smalley
National Security Agency
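
An added sketch, not part of the original message and not an existing getsebool/setsebool option: until a dump option like the one described above exists, the textual output of `getsebool -a` can be turned into the `name=value` form that setsebool accepts. It assumes the `name --> on|off` line format, and because getsebool reads the kernel state it covers every boolean, not only local changes. The function name and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Convert "name --> on|off" lines on stdin into "name=on|off" lines on stdout.
# Malformed lines are reported on stderr and skipped; the function then
# returns 1 so a makefile rule can refuse to apply a partial dump.
# sebool_dump_to_args is a hypothetical helper name, not a shipped tool.
sebool_dump_to_args() {
    rc=0
    # Anything after the state field lands in $rest and is ignored.
    while read -r name arrow state rest || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        case "$name" in
            *[!A-Za-z0-9_]*)
                echo "rejected boolean name: $name" >&2
                rc=1
                continue ;;
        esac
        if [ "$arrow" != "-->" ]; then
            echo "rejected line for: $name" >&2
            rc=1
            continue
        fi
        case "$state" in
            on|off) printf '%s=%s\n' "$name" "$state" ;;
            *)
                echo "rejected state for $name: $state" >&2
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input, not output captured from a real host.
sample='httpd_enable_cgi --> on
allow_execmem --> off
bad;name --> on'
printf '%s\n' "$sample" | sebool_dump_to_args || echo "some lines were rejected" >&2

# Intended use (source host, then target host as root):
#   getsebool -a | sebool_dump_to_args > booleans.dump
#   xargs setsebool -P < booleans.dump
```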



