[rhelv6-list] Distributing SELinux policies
Trond Hasle Amundsen
t.h.amundsen at usit.uio.no
Mon Dec 16 12:50:26 UTC 2013
Eugene Vilensky <evilensky at gmail.com> writes:
> How might one go about taking a policy generated by 'grep xxx
> /var/log/audit/audit.log' and distributing it to a set of machines?
> Is there a particular location they should be deployed to if wrapped
> in the simplest of RPMs?
I'll take a crack at answering this. We do exactly like you describe,
i.e. distribute a set of SELinux policies in an RPM, as a module. The
policies themselves are generated partly with audit2allow, and partly by
other means. If you do
cat /var/log/audit/audit.log | audit2allow -m foo
Then you'll get a textual representation of the policy. This should go
into the 'foo.te' file. In addition, you should create a 'foo.if' and
'foo.fc' file. They can be empty. These files are then compiled into a
module that you'll load with 'semodule -i foo'.
We do all this in an RPM package. In case you're interested, the
package SRPM is available here:
http://sterkvin.uio.no/pub/uio-free/6/SRPMS/uio-selinux-0.7-1.el6.src.rpm
Feel free to grab it and do the necessary adjustments for your
environment.
In creating and maintaining the RPM, I've tried to follow the relevant
documentation:
- SELinux Policy Modules Packaging Draft:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
- Packaging:ScriptletSnippets
http://fedoraproject.org/wiki/Packaging/ScriptletSnippets
Regards,
--
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo
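A worked version of the steps Trond describes (audit2allow output into foo.te, empty foo.if and foo.fc, compile, load, package). This is an added example, not code from the post or from the uio-selinux SRPM it links; the module name "foo", the package name passed as a parameter, the constructed .te snippets used for testing, and the choice of checkmodule/semodule_package over the selinux-policy-devel Makefile are assumptions. One point worth adding to the workflow: audit2allow flags denials that an existing boolean already covers with "#!!!!" comment lines, and the review function below treats those as a reason to stop and use setsebool rather than ship a custom allow rule.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the uio-selinux package):
# build an SELinux policy module from audit2allow output and stage it the way
# the Fedora policy-module packaging draft expects. checkmodule,
# semodule_package and semodule are the standard tools from
# checkpolicy / policycoreutils. Module name "foo" and the package name are
# parameters; nothing here is specific to a real host.
set -eu

# 1. Lay out foo.te / foo.if / foo.fc under $dir. The .te body is read from
#    stdin, i.e. the output of "audit2allow -m foo < /var/log/audit/audit.log".
#    The .if and .fc files may be empty, as the post says.
make_module_skeleton() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    cat > "$dir/$name.te"
    : > "$dir/$name.if"
    : > "$dir/$name.fc"
}

# 2. Review before compiling. audit2allow marks denials that a boolean would
#    already permit with lines starting "#!!!!"; those should be handled with
#    setsebool, not a custom allow rule. Prints the offending lines and
#    returns 1 if any are present, 0 otherwise.
review_te() {
    if grep -n '^#!!!!' "$1"; then
        return 1
    fi
    return 0
}

# 3. Compile: checkmodule (-M = MLS/MCS-aware, -m = non-base module) produces
#    foo.mod; semodule_package bundles it with the file contexts into foo.pp.
compile_module() {
    dir="$1"; name="$2"
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" -f "$dir/$name.fc"
}

# 4. Stage the .pp into the RPM buildroot at the path the packaging draft uses:
#    %{_datadir}/selinux/packages/<package>/<module>.pp. Prints the staged path.
stage_module() {
    buildroot="$1"; pkg="$2"; dir="$3"; name="$4"
    dest="$buildroot/usr/share/selinux/packages/$pkg"
    mkdir -p "$dest"
    install -m 0644 "$dir/$name.pp" "$dest/$name.pp"
    echo "$dest/$name.pp"
}

# 5. Scriptlets for the spec file, printed to stdout. "semodule -i" both
#    installs and replaces a module of the same name, so the same %post serves
#    first install and upgrade; the module is removed only on final erase
#    ($1 -eq 0 in %postun). "|| :" keeps a failed load from aborting the
#    transaction, matching the ScriptletSnippets convention.
spec_scriptlets() {
    pkg="$1"; name="$2"
    cat <<EOF
Requires(post): policycoreutils
Requires(postun): policycoreutils

%post
semodule -i %{_datadir}/selinux/packages/$pkg/$name.pp 2>/dev/null || :

%postun
if [ "\$1" -eq 0 ]; then
    semodule -r $name 2>/dev/null || :
fi

%files
%{_datadir}/selinux/packages/$pkg/$name.pp
EOF
}
```

Typical use on a build host: `audit2allow -m foo < /var/log/audit/audit.log | make_module_skeleton build foo`, then `review_te build/foo.te` (fix any flagged denials with setsebool and regenerate), `compile_module build foo`, `stage_module "$RPM_BUILD_ROOT" uio-selinux build foo` from the spec's %install section, and `spec_scriptlets uio-selinux foo` pasted into the spec. On a single machine without the RPM step, `semodule -i build/foo.pp` loads the result directly, as in the post.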