<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2014-10-12 6:14, Douglas Brown
wrote:<br>
</div>
<blockquote
cite="mid:B08F565C-7DBC-43F8-AAC4-5EE6F8597D1B@qut.edu.au"
type="cite">
semanage is great for general administration but not for
compliance; it's not really designed to compare an expected
configuration with the running configuration and rectify any
differences; rather, for the most part, it applies cumulative changes.<br>
</blockquote>
<br>
I use a cron job that runs "semanage -o" to dump the current
configuration and compare it, using diff, with the expected
configuration, which is just the output of "semanage -o -" manually
generated by an administrator at the last time the configuration was
changed.<br>
<br>
The same cron job also checks the output of sestatus and "semodule
-l" against expected values.<br>
<br>
This approach is primitive, but it works. You could hash the
output, if you wanted, and compare the hash instead of using diff.
I use diff in order to have the cron job email the administrator the
diff output, showing how the actual configuration is different from
the expected configuration in the alert.<br>
<br>
<pre class="moz-signature" cols="72">--
Mark Montague
<a class="moz-txt-link-abbreviated" href="mailto:mark@catseye.org">mark@catseye.org</a></pre>
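<br>
The script below is an added example, not Mark's own cron job, that
puts the approach described above into a POSIX shell script: snapshot
the output of "semanage -o -", sestatus and "semodule -l" into a
directory, diff each file against a baseline an administrator approved
after the last change, and mail the combined unified diff when anything
drifted. The baseline directory /etc/selinux/baseline, the ALERT_TO
recipient and the function names are assumptions. Newer policycoreutils
ship the dump as "semanage export", so that form is tried first and
the older "-o -" form from the thread is the fallback.<br>

```shell
#!/bin/sh
# Added example (not from the thread): SELinux configuration drift check
# intended to run from cron. Paths and recipient below are assumptions.

BASELINE_DIR="${BASELINE_DIR:-/etc/selinux/baseline}"   # assumed: approved snapshots live here
ALERT_TO="${ALERT_TO:-root}"                             # assumed: who gets the drift mail

# Dump the live state into the directory given as $1, one file per check.
# "semanage export" is the current subcommand; "semanage -o -" is the
# older spelling used in the thread, kept as a fallback.
snapshot_current() {
    { semanage export 2>/dev/null || semanage -o -; } > "$1/semanage.txt"
    sestatus    > "$1/sestatus.txt"
    semodule -l > "$1/semodule.txt"
}

# An administrator runs this once after an approved change to refresh
# the expected configuration (the "manually generated" baseline above).
approve_baseline() {
    mkdir -p "$BASELINE_DIR"
    snapshot_current "$BASELINE_DIR"
}

# Print a unified diff of expected ($1) vs. live ($2). Exit status follows
# diff: 0 identical, 1 differences found, 2 on error (e.g. missing file).
compare_snapshot() {
    diff -u "$1" "$2"
}

# Compare every component of the expected ($1) and live ($2) snapshot
# directories. Echoes a report containing each diff and returns 1 if any
# component drifted, 0 if all are identical.
check_drift() {
    expected_dir="$1"
    current_dir="$2"
    drift=0
    report=""
    for name in semanage sestatus semodule; do
        if ! out=$(compare_snapshot "$expected_dir/$name.txt" "$current_dir/$name.txt"); then
            drift=1
            report="$report
== $name: live configuration differs from approved baseline ==
$out"
        fi
    done
    printf '%s\n' "$report"
    return $drift
}

# Cron entry point: snapshot, compare, and mail the diff on drift.
main() {
    current_dir=$(mktemp -d)
    trap 'rm -rf "$current_dir"' EXIT
    snapshot_current "$current_dir"
    if ! report=$(check_drift "$BASELINE_DIR" "$current_dir"); then
        printf '%s\n' "$report" |
            mail -s "SELinux configuration drift on $(hostname)" "$ALERT_TO"
        exit 1
    fi
}

# Only touch the live system when the SELinux tooling and a baseline exist,
# so the comparison functions can also be exercised on any host.
if command -v semanage >/dev/null 2>&1 && [ -d "$BASELINE_DIR" ]; then
    main
fi
```

Because check_drift returns non-zero on drift, the same script works as a
plain exit-status check for a monitoring agent, and the diff in the mail
shows exactly which port, fcontext, boolean, module or enforcing-mode
line changed rather than just that a hash no longer matches.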
</body>
</html>