Hello, SELinux list!
Is there anybody who uses SELinux on a cluster of computers? If so, I have two questions:
- how do you synchronize the policy between the nodes? (Especially when there are local modifications and parts of a policy)? Can I simply rsync /etc/selinux/policy/targeted from a host I have just modified to the other node, and then run something (what?) to make the changes visible on the other node as well?
- are SELinux file contexts in ext3/4 xattrs portable between hosts? My cluster has a shared filesystem on top of drbd, mounted on a primary node. Will it work also after a failover to the secondary node (and remounting the FS there), or would it be necessary to do a restorecon on that filesystem first?
Thanks,
-Yenya
On 03/26/2010 12:06 PM, Jan Kasprzak wrote:
> Hello, SELinux list!
> Is there anybody who uses SELinux on a cluster of computers? If so, I have two questions:
> - how do you synchronize the policy between the nodes? (Especially when there are local modifications and parts of a policy)? Can I simply rsync /etc/selinux/policy/targeted from a host I have just modified to the other node, and then run something (what?) to make the changes visible on the other node as well?
That should work. I would make sure the labels are correct by running restorecon -R -v /etc/selinux/policy after you copy them over, and then run load_policy.
> - are SELinux file contexts in ext3/4 xattrs portable between hosts?
Yes, if they run the same or relatively the same policy.
> My cluster has a shared filesystem on top of drbd, mounted on a primary node. Will it work also after a failover to the secondary node (and remounting the FS there), or would it be necessary to do a restorecon on that filesystem first?
It should not be necessary to run restorecon. We have been working with the cluster guys to get SELinux to work with it. If you have any problems, please ping me or open a bugzilla.
> Thanks,
> -Yenya
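For the xattr portability question above, one way to check before a failover that every type stored in the shared filesystem's labels exists in the other node's policy. This is an added example, not part of the thread; the file names and sample labels are constructed, and producing the inputs with GNU find's %Z and with seinfo -t is an assumption.

```shell
#!/bin/sh
# Added example: list files whose SELinux type is not defined in the policy
# of the node that will mount the shared filesystem after failover.
#
# Assumed inputs (hypothetical file names, not from the thread):
#   types file:    one type name per line, e.g. from the secondary node via
#                  seinfo -t (header and blank lines are ignored)
#   contexts file: "<context> <path>" per line, e.g. from the primary via
#                  find /mnt/shared -printf '%Z %p\n'

unknown_types() {
    # $1 = types file, $2 = contexts file; exit status 1 if any type is unknown
    awk '
        # First file: remember every type the target policy defines.
        FILENAME == ARGV[1] {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "" && $0 !~ /[: ]/) known[$0] = 1
            next
        }
        # Second file: field 1 is the context, the rest of the line is the path.
        {
            ctx = $1
            path = substr($0, length(ctx) + 2)
            n = split(ctx, part, ":")
            # user:role:type[:level]; fewer than 3 parts means no usable label.
            t = (n >= 3) ? part[3] : "(none)"
            if (!(t in known)) { print t "\t" path; bad++ }
        }
        END { exit (bad > 0) ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed sample data so the check runs without SELinux tools installed.
# mycluster_data_t stands for a locally added type missing on the other node.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'Types: 3' '   etc_t' '   httpd_sys_content_t' '   var_t' \
        > "$tmp/types"
    printf '%s\n' \
        'system_u:object_r:httpd_sys_content_t:s0 /mnt/shared/www/index.html' \
        'system_u:object_r:mycluster_data_t:s0 /mnt/shared/data/job 1.db' \
        'unconfined_u:object_r:var_t:s0:c0.c1023 /mnt/shared/var/spool' \
        > "$tmp/contexts"
    unknown_types "$tmp/types" "$tmp/contexts"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "types above are missing from the target policy" >&2
```

An empty result with exit status 0 means every stored type is known to the target policy; any line printed names a type to add to that node's policy before relying on the labels.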
Is anyone looking at improving the Policy Server that Josh Brindle worked on a while back?
http://oss.tresys.com/projects/policy-server
On Fri, Mar 26, 2010 at 12:13 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/26/2010 12:06 PM, Jan Kasprzak wrote:
>> Hello, SELinux list!
>> Is there anybody who uses SELinux on a cluster of computers? If so, I have two questions:
>> - how do you synchronize the policy between the nodes? (Especially when there are local modifications and parts of a policy)? Can I simply rsync /etc/selinux/policy/targeted from a host I have just modified to the other node, and then run something (what?) to make the changes visible on the other node as well?
> That should work. I would make sure the labels are correct by running restorecon -R -v /etc/selinux/policy after you copy them over, and then run load_policy.
>> - are SELinux file contexts in ext3/4 xattrs portable between hosts?
> Yes, if they run the same or relatively the same policy.
>> My cluster has a shared filesystem on top of drbd, mounted on a primary node. Will it work also after a failover to the secondary node (and remounting the FS there), or would it be necessary to do a restorecon on that filesystem first?
> It should not be necessary to run restorecon. We have been working with the cluster guys to get SELinux to work with it. If you have any problems, please ping me or open a bugzilla.
>> Thanks,
>> -Yenya