From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
Stephen Smalley wrote:
On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
The various GUI tools are nice for getting a policy configured correctly; however, to propagate this configuration to a series of like modified machines one runs into a speed bump. The files (e.g., booleans.local) state that the semanage command should be used to modify the file; however, via the GUI I am blissfully unaware of the actual commands (and would like to remain so).
But, it would seem that it should be perfectly legal to propagate the various ".local" files directly. If this is legal, what commands must be issued to cause selinux to read the various policy updates? If this isn't legal, then what means can be used to propagate the policy?
I don't think it is "legal" in the sense that those files are the private state of libsemanage and are only supposed to be manipulated via the libsemanage interfaces by programs like semodule, semanage and setsebool. libsemanage will ultimately support other backends beyond just the current direct access to the local file store, such as access to local and ultimately remote policy management daemons.
However, I'm not sure that there is a good mechanism at present to do what you want in a "legal" way (Joshua or Karl feel free to contradict me if there is). If you do simply copy them over using your favorite utility for doing so, you can run semodule -B on the target machine to force a rebuild and reload of the kernel policy from the updated policy store there. Not sure if that is exported through any GUI at present.
I think that this is needed functionality. Opened a bug - http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
At some point in the near (hopefully) future we'll be putting the network libsemanage backend into the library and after that a simple daemon could be written to send policy and local changes across the network. This would, of course, be the predecessor to a full policy server with access control on policy changes.
On Thu, 30 Nov 2006, Joshua Brindle wrote:
[quotes the message above in full]
Call me old-fashioned, but it is nice to be able to send a colleague / customer / friend a text file that can be edited, diffed, reviewed, archived, and updated. Policy servers are convenient for one organization, but sometimes this transfer occurs across organization boundaries. (Not to mention the delay between this hoped-for tool and the actual, production-ready deployment schedule...)
From: Steve Friedman [mailto:steve@adsi-m4.com]
[quotes the thread above in full, through the "Call me old-fashioned" paragraph]
That's fine, and the bug added is to export the data, but I am dubious about the usefulness of doing so. Policies probably aren't going to be compatible across organization boundaries in a meaningful way; systems and policies are specific to the organization. For example, why would you send the selinux user and linux user to selinux user mappings to another organization?
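The thread makes three points that fit together in one workflow: the ".local" files are libsemanage's private state and should be changed only through its interfaces (Stephen), the thing worth passing between hosts or organizations is a reviewable text file (Steve), and site-specific items such as Linux-user to SELinux-user mappings should not cross an organization boundary at all (Joshua). The script below is an added example, not code from this thread or from libsemanage/policycoreutils. It assumes the `semanage export` and `semanage import -f FILE` subcommands of the later semanage(8) tool (the export feature the bug above asked for); the export text it parses is constructed here in the shape of that output (object class, then the semanage arguments) and was not captured from a real system. It parses the file, reports what it would apply per object class, strips the `login` and `user` entries before import, and only then hands the file to semanage, which commits the store and reloads policy itself, so no hand-copied files and no `semodule -B` are needed.

```python
"""Review and filter SELinux local customizations before importing them.

Added example (not from the mailing-list thread or from policycoreutils).
Assumes the `semanage export` / `semanage import -f FILE` subcommands of
semanage(8). SAMPLE_EXPORT is constructed to look like export output; it is
not from a real system.
"""
import subprocess
from collections import Counter

# Constructed sample: the kind of text file a colleague might hand over.
SAMPLE_EXPORT = """\
boolean -D
login -D
user -D
port -D
fcontext -D
boolean -m -1 httpd_can_network_connect
boolean -m -0 ftpd_anon_write
login -a -s staff_u -r s0-s0:c0.c1023 alice
user -a -R 'staff_r sysadm_r' -r s0-s0:c0.c1023 acme_admin_u
port -a -t http_port_t -p tcp 8080
fcontext -a -f a -t httpd_sys_content_t '/srv/www(/.*)?'
"""

# Object classes that are site-specific: Linux-user to SELinux-user mappings
# and SELinux user definitions. These are dropped before import.
SITE_SPECIFIC = frozenset({"login", "user"})

# semanage object classes this reviewer accepts (a subset of semanage(8)).
KNOWN_CLASSES = frozenset(
    {"boolean", "login", "user", "port", "interface", "node", "fcontext", "module"}
)


def parse_customizations(text):
    """Split export text into (object_class, argument_string) pairs.

    Blank lines and '#' comments are skipped. Any other line must start with
    a known object class; otherwise ValueError names the offending line, so a
    malformed or unexpected file is rejected before semanage ever sees it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        obj, _, args = line.partition(" ")
        if obj not in KNOWN_CLASSES:
            raise ValueError(f"line {lineno}: unknown object class {obj!r}")
        entries.append((obj, args))
    return entries


def filter_customizations(text, drop=SITE_SPECIFIC):
    """Return (filtered_text, dropped_counter).

    Every line whose object class is in `drop` is removed, and the counter
    records how many lines of each class were dropped so the reviewer can
    see exactly what did not make it into the import.
    """
    kept, dropped = [], Counter()
    for obj, args in parse_customizations(text):
        if obj in drop:
            dropped[obj] += 1
        else:
            kept.append(f"{obj} {args}")
    return "\n".join(kept) + "\n", dropped


def summarize(text):
    """Count the add/modify lines per object class ('-D' reset lines are
    not counted) to give a one-glance picture of what import will apply."""
    counts = Counter()
    for obj, args in parse_customizations(text):
        if args.split()[0] != "-D":
            counts[obj] += 1
    return dict(counts)


def import_customizations(path):
    """Load a reviewed file through the supported interface.

    semanage import goes through libsemanage, which commits the store and
    reloads the kernel policy; nothing in the private store is copied by hand.
    """
    subprocess.run(["semanage", "import", "-f", path], check=True)


if __name__ == "__main__":
    filtered, dropped = filter_customizations(SAMPLE_EXPORT)
    print("dropped before import:", dict(dropped))
    print("will apply:", summarize(filtered))
    print(filtered)
    # On a real target host, after review:
    #   with open("reviewed.txt", "w") as f: f.write(filtered)
    #   import_customizations("reviewed.txt")
```

Run on the sample, the script drops the two `login` and two `user` lines and reports two boolean settings, one port and one file context to apply. The reset lines (`-D`) are kept in the filtered output only for the classes that survive, so importing the file replaces those classes' local customizations wholesale rather than merging with whatever the target already had.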
selinux@lists.fedoraproject.org