post direct-file-modification commands

Steve Friedman steve at adsi-m4.com
Thu Nov 30 19:32:44 UTC 2006


On Thu, 30 Nov 2006, Stephen Smalley wrote:

> On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote:
>> Let me give an example.  We use postfix at my organization.  It has a
>> number of configuration files.  Using a makefile (an early version of
>> which was copied from the web), the script (via make) issues the relevant
>> commands to build the necessary hash files, etc.  I would envision a
>> similar situation here:  I would distribute one or more ASCII
>> configuration files for the local customization along with a makefile that
>> would determine what commands needed to be issued to build the appropriate
>> policy.
>>
>> In effect, I was asking for the details of the makefile.  After updating
>> (say) booleans.local, what needs to be executed, etc.
>
> Yes, at present, it would be a matter of copying the new booleans.local
> into place and running semodule -B on the target machine.  Going
> forward, we need utilities that can export/dump and import the data
> without requiring manual copying of the raw files.  In the booleans
> case, that just means an option to getsebool to dump local booleans in a
> format easily consumed by setsebool (or some new option to setsebool);
> this requires finally migrating getsebool over to using libsemanage
> rather than directly reading the kernel state via selinuxfs (or at least
> supporting such an option as well).
>

Great.  One last question, if I may:  are there any other ".local" files 
besides booleans.local and file_contexts.local?  This, plus Dan Walsh's 
blog post (http://danwalsh.livejournal.com/8637.html, for the archives), 
and I think that I am set.
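
Added example, not part of the original thread: a shell function a makefile target could call to carry out the step described in the quoted reply, copying changed `.local` files into place and running `semodule -B` only when something was actually installed. The function name `sync_local`, the `SEMODULE` override variable and the two directory arguments are assumptions of this sketch; the thread does not give the policy store path, so it is passed in by the caller.

```shell
#!/bin/sh
# sync_local SRC_DIR STORE_DIR
#   SRC_DIR   - directory holding the distributed *.local files
#   STORE_DIR - directory on the target machine the files are copied into
#               (assumption: supplied by the caller, not taken from the thread)
# Prints the name of every file it installed. Runs "semodule -B" once if
# at least one file changed. Returns non-zero on any failure.
sync_local() {
    src=$1
    store=$2
    changed=0
    # SEMODULE is a hypothetical override so the logic can be exercised
    # on a machine without SELinux tools; it defaults to the real command.
    rebuild=${SEMODULE:-semodule}

    [ -d "$src" ] && [ -d "$store" ] || { echo "missing directory" >&2; return 2; }

    for f in "$src"/*.local; do
        [ -f "$f" ] || continue              # glob matched nothing
        name=${f##*/}
        # Skip files that are already identical; a missing target counts as changed.
        if ! cmp -s "$f" "$store/$name" 2>/dev/null; then
            # Write to a temporary name in the same directory, then rename,
            # so a half-copied file is never picked up by the rebuild.
            tmp="$store/.$name.$$"
            cp "$f" "$tmp" && mv -f "$tmp" "$store/$name" || { rm -f "$tmp"; return 1; }
            echo "$name"
            changed=1
        fi
    done

    # Rebuild policy only when something was installed.
    if [ "$changed" -eq 1 ]; then
        "$rebuild" -B || return 1
    fi
    return 0
}
```

Because unchanged files are skipped, repeated runs from cron or `make` do not trigger needless policy rebuilds.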




More information about the fedora-selinux-list mailing list