Managing SELinux in the Enterprise

Daniel J Walsh dwalsh at redhat.com
Sat Oct 11 11:20:33 UTC 2014


On 09/21/2014 09:49 PM, Douglas Brown wrote:
> Hi all,
>
> SELinux has some configuration files such as /etc/selinux/config which
> are easily managed with a tool like puppet. There are also modular
> policies that can be managed with rpms (via Satellite) and or puppet
> (semodule). Finally puppet supports enforcing booleans with
> 'seboolean'. However, there are a few things missing:
>
>   * SELinux user and role mappings
>   * Port labels (only supported in base policy or changed with
>     semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
>   * Custom file labels (i.e. semanage fcontext -a -t
>     httpd_sys_content_t "/data/www(/.*)?")
>
> I know these can be imported and exported with semanage using the -i
> and -o flags, however it’s slow and doesn't easily facilitate the
> programmatic query and enforcement of these settings at scale using a
> tool like puppet. Ideally puppet could manage the .local files in
> /etc/selinux/targeted/modules/active/, however Red Hat support tells
> me this won’t work and that semanage is the only supported mechanism.
> Surely there’s someone in the community who has a non-hackish method
> of dealing with this?
>
> Is FreeIPA the solution to the user and role mappings? What about the
> labels?
>
> Thanks,
> Doug
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Why is managing this content via semanage not a good thing?

BTW You can put multiple ops within a transaction, which speeds up semanage.

https://danwalsh.livejournal.com/41593.html

The openstack-selinux rpm package has a bunch of operations being done
within a transaction, including setting network ports, booleans and
default file labeling.

BTW Ansible is also a nice method for managing SELinux in the enterprise.

Here is a presentation I wrote on managing SELinux in the enterprise

https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp
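As an added example (not code from this thread or from the openstack-selinux package), the following script turns the port, file-context and user-mapping items Doug listed into a single `semanage -i` input file, so all of them are committed in one transaction and one policy rebuild instead of one rebuild per semanage call. The login mapping line, the user name dbrown and the staff_u/s0 values are constructed for illustration.

```shell
#!/bin/sh
# Added example: render desired SELinux settings into one semanage transaction.
set -eu

# Constructed sample of desired state, one item per line: KIND then its fields.
# port:     TYPE PROTO NUMBER     fcontext: TYPE PATHREGEX     login: SEUSER RANGE USER
DESIRED='
port     httpd_port_t        tcp  6312
fcontext httpd_sys_content_t /data/www(/.*)?
login    staff_u             s0   dbrown
'

# Emit lines in the syntax `semanage -i` reads (the same as `semanage export`
# output: each line is a semanage subcommand without the leading "semanage").
render_transaction() {
    printf '%s\n' "$DESIRED" | while read -r kind a b c; do
        case "$kind" in
            '')       ;;   # skip blank lines
            port)     printf 'port -a -t %s -p %s %s\n' "$a" "$b" "$c" ;;
            fcontext) printf 'fcontext -a -t %s "%s"\n' "$a" "$b" ;;
            login)    printf 'login -a -s %s -r %s %s\n' "$a" "$b" "$c" ;;
            *)        echo "unknown kind: $kind" >&2; return 1 ;;
        esac
    done
}

# Count of operations that would be sent in the single transaction.
transaction_size() {
    render_transaction | wc -l | tr -d ' '
}

# Apply everything in one transaction. If semanage is not installed (e.g. on a
# build host), print what would be applied instead of failing.
apply_transaction() {
    tmp=$(mktemp)
    render_transaction > "$tmp"
    if command -v semanage >/dev/null 2>&1; then
        semanage -i "$tmp"          # one transaction, one policy rebuild
    else
        echo "semanage not found; would apply:" >&2
        cat "$tmp" >&2
    fi
    rm -f "$tmp"
}
```

Note that `-a` fails when a port, context or login mapping is already defined, so a configuration-management run that re-applies the same file should use `-m` for entries it has already added (or compare against `semanage export` output first).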