Managing SELinux in the Enterprise

Mark Montague mark at catseye.org
Sun Oct 12 14:49:32 UTC 2014


On 2014-10-12 6:14, Douglas Brown wrote:
> semanage is great for general administration but not for compliance; 
> it's not really designed to compare an expected configuration with 
> running configuration, and rectify any differences, rather, for the 
> most part applies cumulative changes.

I use a cron job that runs "semanage -o" to dump the current 
configuration and compare it, using diff, with the expected 
configuration which is just the output of "semanage -o -" manually 
generated by an administrator at the last time the configuration was 
changed.

The same cron job also checks the output of sestatus and "semodule -l" 
against expected values.

This approach is primitive, but it works.  You could hash the output, if 
you wanted, and compare the hash instead of using diff. I use diff in 
order to have the cron job email the administrator the diff output, 
showing how the actual configuration is different from the expected 
configuration in the alert.

-- 
   Mark Montague
   mark at catseye.org
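The cron check described above, as an added example that is not the poster's own script: it snapshots `sestatus`, `semodule -l` and `semanage -o -` into one file, diffs it against an administrator-saved baseline, and mails the diff only when the running configuration has drifted. The baseline path and the ADMIN_MAIL recipient are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Usage: selinux-check.sh baseline   (after each intentional policy change)
#        selinux-check.sh check      (from cron)
export PATH="/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
BASELINE="${BASELINE:-/etc/selinux/baseline.txt}"   # placeholder path
ADMIN_MAIL="${ADMIN_MAIL:-root}"                    # placeholder recipient

# Write the current SELinux state to the file named in $1: enforcement
# status, loaded modules, and the local customizations that
# "semanage -o -" prints to stdout. Section headers keep the diff readable.
snapshot_selinux() {
    {
        echo "### sestatus"
        sestatus
        echo "### semodule -l"
        semodule -l
        echo "### semanage -o -"
        semanage -o -
    } > "$1"
}

# Compare the baseline ($1) with a snapshot ($2). Prints a unified diff;
# returns 0 when identical, 1 when they differ (diff's own exit status).
compare_snapshot() {
    diff -u "$1" "$2"
}

# Record the approved configuration as the new baseline.
save_baseline() {
    snapshot_selinux "$BASELINE"
}

# Cron entry point: mail the diff only when something changed, and exit
# non-zero so the drift is also visible in cron's own reporting.
main() {
    tmp=$(mktemp) || exit 2
    snapshot_selinux "$tmp"
    if report=$(compare_snapshot "$BASELINE" "$tmp"); then
        status=0
    else
        status=1
        printf '%s\n' "$report" | mail -s "SELinux drift on $(hostname)" "$ADMIN_MAIL"
    fi
    rm -f "$tmp"
    return "$status"
}

case "${1:-}" in
    check)    main ;;
    baseline) save_baseline ;;
esac
```

Run `selinux-check.sh baseline` once as root after every deliberate change, then schedule `selinux-check.sh check` from cron; any mail you receive is the exact diff between expected and actual state.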
