From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
Stephen Smalley wrote:
> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
>> The various GUI tools are nice for getting a policy configured
>> correctly; however, to propagate this configuration to a series of
>> like modified machines one runs into a speed bump.
>>
>> The files (e.g., booleans.local) state that the semanage command
>> should be used to modify the file; however, via the GUI I am
>> blissfully unaware of the actual commands (and would like to remain so).
>>
>> But, it would seem that it should be perfectly legal to propagate the
>> various ".local" files directly. If this is legal, what commands
>> must be issued to cause selinux to read the various policy updates?
>> If this isn't legal, then what means can be used to propagate the policy?
> I don't think it is "legal" in the sense that those files are the
> private state of libsemanage and are only supposed to be manipulated
> via the libsemanage interfaces by programs like semodule, semanage and
> setsebool. libsemanage will ultimately support other backends beyond
> just the current direct access to the local file store, such as access
> to local and ultimately remote policy management daemons.
> However, I'm not sure that there is a good mechanism at present to do
> what you want in a "legal" way (Joshua or Karl feel free to contradict
> me if there is). If you do simply copy them over using your favorite
> utility for doing so, you can run semodule -B on the target machine to
> force a rebuild and reload of the kernel policy from the updated
> policy store there. Not sure if that is exported through any GUI at present.
I think that this is needed functionality. Opened a bug -
http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
At some point in the near (hopefully) future we'll be putting the
network libsemanage backend into the library and after that a simple
daemon could be written to send policy and local changes across the
network. This would, of course, be the predecessor to a full policy
server with access control on policy changes.