<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 09/21/2014 09:49 PM, Douglas Brown
wrote:<br>
</div>
<blockquote cite="mid:D045BD65.48296%25doug.brown@qut.edu.au"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div style="background-color: rgb(255, 255, 255);">Hi all,</div>
<div style="background-color: rgb(255, 255, 255);"><br>
</div>
<div style="background-color: rgb(255, 255, 255);">SELinux has
some configuration files such as /etc/selinux/config which are
easily managed with a tool like puppet. There are also modular
policies that can be managed with rpms (via Satellite) and/or
puppet (semodule). Finally puppet supports enforcing booleans
with 'seboolean'. However, there are a few things missing:</div>
<ul style="background-color: rgb(255, 255, 255); margin-top: 14pt;
margin-bottom: 14pt;">
<li>SELinux user and role mappings</li>
<li>Port labels (only supported in base policy or changed with
semanage like so: semanage port -a -t httpd_port_t -p tcp
6312)</li>
<li>Custom file labels (i.e. semanage fcontext -a -t
httpd_sys_content_t "/data/www(/.*)?")</li>
</ul>
<div style="background-color: rgb(255, 255, 255);">I know these
can be imported and exported with semanage using the -i and -o
flags, however it’s slow and doesn't easily facilitate the
programmatic query and enforcement of these settings at scale
using a tool like puppet. Ideally puppet could manage the .local
files in /etc/selinux/targeted/modules/active/, however Red Hat
support tells me this won’t work and that semanage is the only
supported mechanism. Surely there’s someone in the community who
has a non-hackish method of dealing with this?</div>
<div style="background-color: rgb(255, 255, 255);"><br>
</div>
<div style="background-color: rgb(255, 255, 255);">Is FreeIPA the
solution to the user and role mappings? What about the labels?</div>
<div style="background-color: rgb(255, 255, 255);"><br>
</div>
<div style="background-color: rgb(255, 255, 255);">Thanks,</div>
<div style="background-color: rgb(255, 255, 255);">Doug</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
Why is managing this content via semanage not a good thing?<br>
<br>
BTW You can put multiple ops within a transaction, which speeds up
semanage.<br>
<br>
<a class="moz-txt-link-freetext" href="https://danwalsh.livejournal.com/41593.html">https://danwalsh.livejournal.com/41593.html</a><br>
<br>
The openstack-selinux rpm package has a bunch of operations being
done within a transaction, including setting network ports, booleans
and default file labeling.<br>
<br>
BTW Ansible is also a nice method for managing SELinux in the
enterprise.<br>
<br>
Here is a presentation I wrote on managing SELinux in the
enterprise.<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp">https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp</a><br>
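<br>
The single-transaction approach described above, applied to the port and file-context records from Doug's list, as an added example that is not part of the thread or of the openstack-selinux package. The desired-state data is a constructed sample, and the script assumes that <code>semanage -i -</code> reads a transaction from standard input.<br>

```shell
#!/bin/sh
# Desired local SELinux customizations, declared as data (constructed sample;
# a configuration tool would render these from its own inventory).
# ports:      <type> <proto> <port-or-range>
# fcontexts:  <type> <path regex>
DESIRED_PORTS='httpd_port_t tcp 6312
ssh_port_t tcp 2222'
DESIRED_FCONTEXTS='httpd_sys_content_t /data/www(/.*)?
var_log_t /data/logs(/.*)?'

# Render one semanage transaction: each line is a semanage subcommand without
# the leading word "semanage". Opening each kind with "-D" (delete all local
# records of that kind) and re-adding the desired set makes a re-run idempotent:
# a host that already has the records does not fail with "already defined", and
# hand-added records that are not in the desired state are removed.
build_transaction() {
  printf 'port -D\n'
  printf '%s\n' "$DESIRED_PORTS" | while read -r type proto port; do
    [ -n "$type" ] || continue
    printf 'port -a -t %s -p %s %s\n' "$type" "$proto" "$port"
  done
  printf 'fcontext -D\n'
  printf '%s\n' "$DESIRED_FCONTEXTS" | while read -r type path; do
    [ -n "$type" ] || continue
    printf 'fcontext -a -t %s "%s"\n' "$type" "$path"
  done
}

# Number of records the rendered transaction would add; a cheap sanity check
# before anything touches the policy store.
count_adds() {
  build_transaction | grep -c ' -a '
}

# Apply everything in a single transaction (assumption: `semanage -i -` reads the
# commands from stdin), so the policy store is rebuilt once rather than once per
# semanage invocation. Afterwards relabel the directories so files that already
# exist pick up the new fcontext rules.
apply_transaction() {
  build_transaction | semanage -i - || return 1
  printf '%s\n' "$DESIRED_FCONTEXTS" | while read -r _ path; do
    [ -n "$path" ] || continue
    restorecon -R "${path%%(*}"   # strip the "(/.*)?" suffix to get the directory
  done
}
```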
</body>
</html>