4:47 p.m.
I am using puppet to manage my system configuration and I am looking for
the best way to manage file context changes between multiple hosts.
Basically I have some local changes that are held in
/etc/selinux/targeted/modules/active/file_contexts.local, is it
reasonable just to copy this file to hosts that need to be aware of the
changes held therein or is there a better method?
This would be implemented on RHEL 5 and 6 systems.
Thanks,
-Erinn
2 a.m.
On Wed, 2011-09-21 at 13:47 -0800, Erinn Looney-Triggs wrote:
I am using puppet to manage my system configuration and I am looking
for
the best way to manage file context changes between multiple hosts.
Basically I have some local changes that are held in
/etc/selinux/targeted/modules/active/file_contexts.local, is it
reasonable just to copy this file to hosts that need to be aware of the
changes held therein or is there a better method?
This would be implemented on RHEL 5 and 6 systems.
I guess the following might be the preferred way:
Managing multiple machines
Multiple machines that need the same customizations.
Extract customizations off first machine, copy them
to second and import them.
# semanage -o /tmp/local.selinux
# scp /tmp/local.selinux secondmachine:/tmp
# ssh secondmachine
# semanage -i /tmp/local.selinux
If these customizations include file context, you need to apply the
context using restorecon.
From: "man semanage"
Thanks,
-Erinn
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
7:50 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/21/2011 05:47 PM, Erinn Looney-Triggs wrote:
I am using puppet to manage my system configuration and I am
looking for the best way to manage file context changes between
multiple hosts.
Basically I have some local changes that are held in
/etc/selinux/targeted/modules/active/file_contexts.local, is it
reasonable just to copy this file to hosts that need to be aware of
the changes held therein or is there a better method?
This would be implemented on RHEL 5 and 6 systems.
Thanks, -Erinn
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
/etc/selinux/targeted/modules/active/file_contexts.local
# This file is only used when policy is updated
and
/etc/selinux/targeted/contexts/files/file_contexts.local
# This file is actually the one used by restorecon and rpm ...
Should be kept in sync, and would work on RHEL5 and RHEL6,
You could also use the method Dominick described for distributing all
local canonizations.
You might want to write puppet script that would dump local
customizations and check it versus global customizations, and apply
the global if they differ, since semanage -i will take a long time to run.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk57LxQACgkQrlYvE4MpobNtdQCgzoik2f4hNo++/pxWRVuxWfrK
P9QAoL4Gtks4ZfqY7hApKCmL2C6HNqnH
=6FSf
-----END PGP SIGNATURE-----
8:01 a.m.
On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs wrote:
I am using puppet to manage my system configuration and I am looking
for
the best way to manage file context changes between multiple hosts.
Basically I have some local changes that are held in
/etc/selinux/targeted/modules/active/file_contexts.local, is it
reasonable just to copy this file to hosts that need to be aware of the
changes held therein or is there a better method?
This would be implemented on RHEL 5 and 6 systems.
... try csync2:
http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
Regards
Adam Przybyla
8:23 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/22/2011 09:01 AM, Adam Przybyla wrote:
On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
wrote:
> I am using puppet to manage my system configuration and I am
> looking for the best way to manage file context changes between
> multiple hosts.
>
> Basically I have some local changes that are held in
> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> reasonable just to copy this file to hosts that need to be aware
> of the changes held therein or is there a better method?
>
> This would be implemented on RHEL 5 and 6 systems.
... try csync2:
http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
Regards Adam Przybyla -- selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Also make sure any tool
that you use, insures the label on files
(restorecon) after putting them in place. Having the tool understand
SELinux and telling the kernel to label the file before it is created
is even better.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk57NucACgkQrlYvE4MpobPWNwCdEm0gYKYrlO0VFHUh7MQ2PsvQ
cAsAoNaB7cYYWqKXFUYzH/mstB+iAr6P
=dsLd
-----END PGP SIGNATURE-----
8:24 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/22/2011 09:01 AM, Adam Przybyla wrote:
On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
wrote:
> I am using puppet to manage my system configuration and I am
> looking for the best way to manage file context changes between
> multiple hosts.
>
> Basically I have some local changes that are held in
> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> reasonable just to copy this file to hosts that need to be aware
> of the changes held therein or is there a better method?
>
> This would be implemented on RHEL 5 and 6 systems.
... try csync2:
http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
Regards Adam Przybyla -- selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Does csync2 support
extended attributes?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk57NyIACgkQrlYvE4MpobM24gCfefbF0ktbbijcXvZrpeHRVsJe
SPcAn3QBbXJxRr37A3ZXQqA0wUAudSDc
=fYfv
-----END PGP SIGNATURE-----
10:57 a.m.
On Thu, Sep 22, 2011 at 09:24:50AM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/22/2011 09:01 AM, Adam Przybyla wrote:
> On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
> wrote:
>> I am using puppet to manage my system configuration and I am
>> looking for the best way to manage file context changes between
>> multiple hosts.
>>
>> Basically I have some local changes that are held in
>> /etc/selinux/targeted/modules/active/file_contexts.local, is it
>> reasonable just to copy this file to hosts that need to be aware
>> of the changes held therein or is there a better method?
>>
>> This would be implemented on RHEL 5 and 6 systems.
> ... try csync2:
> http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
> Regards Adam Przybyla -- selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Does csync2 support extended attributes?
... nope, but you could execeute some
commands on remote systems
after file was send. Use "exec" statement in your configs. Regards
Adam Przybyla
4598
days inactive
4599
days old
selinux@lists.fedoraproject.org
6 comments
4 participants
participants (4)
-
Adam Przybyla -
Daniel J Walsh -
Dominick Grift -
Erinn Looney-Triggs