> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com] > > Joshua Brindle wrote: >>> From: Steve Friedman [mailto:steve@adsi-m4.com] > > <snip> > >>> Call me old-fashioned, but it is nice to be able to send a colleague >>> / customer / friend a text file that can be edited, diffed, reviewed, >>> archived, and updated. Policy servers are convenient for one >>> organization, but sometimes this transfer occurs across organization >>> boundaries. (Not to mention the delay between this hoped-for tool >>> and the actual, production-ready deployment schedule...) >>> >> >> That's fine, and the bug added is to export the data, but I am dubious >> about the usefulness of doing so. Policies probably aren't going to be >> compatible across organization boundaries in a meaninful way, systems >> and policies are specific to the organization. For example, why would >> you send the selinux user and linux user to selinux user mappings to >> another organization? >> > > You probably wouldn't send user mappings to other > organizations but booleans, file context, port labeling, etc. These should be directly dependant on the services being run and the local configuration, if two organizations are running services in an identical manner then sure but what about all the unrelated noise? (exporting all ports when really you are trying to configure policy for a single service).

> are all probably fairly portable. Additioanlly, there are > other uses like backup, automatic system provisioning (e.g., > kickstart), or integration with existing administration > scripts and processes. > Agreed, the interface for this would likely be export all, something that is not useful for the above scenerio. > The policy server is a particular kind of solution for a > particular set of circumstances - no reason to not support > other solutions. Especially as they are likely - as Steve > points out - to be viable sooner. > That's fine, how do you suppose the exporting will work? What about policy modules? Should it be all or nothing or do you choose which parts you want to export? Clearly backup is a concern here, I didn't say it wasn't, but backup can be done very simply whereas some sort of portability of specific pieces is less trivial.

On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote: > Let me give an example. We use postfix at my organization. It has a > number of configuration files. Using a makefile (an early version of > which was copied from the web), the script (via make) issues the relevant > commands to build the necessary hash files, etc. I would envision a > similar situation here: I would distribute one or more ASCII > configuration files for the local customization along with a makefile that > would determine what commands needed to be issued to build the appropriate > policy. > > In effect, I was asking for the details of the makefile. After updating > (say) booleans.local, what needs to be executed, etc. Yes, at present, it would be a matter of copying the new booleans.local into place and running semodule -B on the target machine. Going forward, we need utilities that can export/dump and import the data without requiring manual copying of the raw files. In the booleans case, that just means an option to getsebool to dump local booleans in a format easily consumed by setsebool (or some new option to setsebool); this requires finally migrating getsebool over to using libsemanage rather than directly reading the kernel state via selinuxfs (or at least supporting such an option as well).