> From: Karl MacMillan [mailto:kmacmillan@xxxxxxxxxxxxxxxxx]
>
> Stephen Smalley wrote:
> > On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >> The various GUI tools are nice for getting a policy configured
> >> correctly; however, to propagate this configuration to a series of
> >> like modified machines one runs into a speed bump.
> >>
> >> The files (e.g., booleans.local) state that the semanage command
> >> should be used to modify the file; however, via the GUI I am
> >> blissfully unaware of the actual commands (and would like to remain so).
> >>
> >> But, it would seem that it should be perfectly legal to propagate the
> >> various ".local" files directly. If this is legal, what commands
> >> must be issued to cause selinux to read the various policy updates?
> >> If this isn't legal, then what means can be used to propagate the policy?
> >
> > I don't think it is "legal" in the sense that those files are the
> > private state of libsemanage and are only supposed to be manipulated
> > via the libsemanage interfaces by programs like semodule, semanage and
> > setsebool. libsemanage will ultimately support other backends beyond
> > just the current direct access to the local file store, such as access
> > to local and ultimately remote policy management daemons.
> >
> > However, I'm not sure that there is a good mechanism at present to do
> > what you want in a "legal" way (Joshua or Karl feel free to contradict
> > me if there is). If you do simply copy them over using your favorite
> > utility for doing so, you can run semodule -B on the target machine to
> > force a rebuild and reload of the kernel policy from the updated
> > policy store there. Not sure if that is exported through any GUI at present.
> >
>
> I think that this is needed functionality. Opened a bug -
> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
> At some point in the near (hopefully) future we'll be putting the network
> libsemanage backend into the library and after that a simple daemon could be
> written to send policy and local changes across the network. This would, of
> course, be the predecessor to a full policy server with access control on
> policy changes.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
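The "copy the files over, then run semodule -B on the target" workaround that Stephen describes, written out as a script. This is an added example for this page, not code from the thread or from the SELinux project. Everything beyond the two facts the thread gives (the .local files are libsemanage's private state; semodule -B rebuilds and reloads the kernel policy from the store) is an assumption: the store path /etc/selinux/<SELINUXTYPE>/modules/active, the list of local files, root ssh access to the target, and the check that both hosts run the same policy type. Because the files are private state, the source and target also need matching libsemanage and policy versions; the script cannot check that for you.

```shell
#!/bin/sh
# Added example (not code from the thread or from the SELinux project):
# push the libsemanage ".local" customisations to another host and then
# run "semodule -B" there, i.e. the "copy them over, then rebuild" workaround
# from the thread. Usage: sh propagate-local.sh TARGET_HOST
#
# Assumptions, none of which the thread states:
#   - the policy store is /etc/selinux/<SELINUXTYPE>/modules/active (the
#     2006 layout; newer systems use /var/lib/selinux/<SELINUXTYPE>/active)
#   - root ssh access to the target, and the same libsemanage/policy
#     versions on both ends, since these files are libsemanage private state
set -eu

# Files semanage/setsebool write into the store. The list is an assumption;
# adjust it to whatever your libsemanage version actually creates.
LOCAL_FILES="booleans.local file_contexts.local ports.local interfaces.local nodes.local users.local seusers"

# policy_type [CONFIG]: print the SELINUXTYPE from an /etc/selinux/config,
# reading stdin when no file is given. Empty output means "not set".
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$@" | tail -n 1
}

# existing_local_files STOREDIR: print those LOCAL_FILES present in STOREDIR,
# one per line. Only these are worth copying.
existing_local_files() {
    for f in $LOCAL_FILES; do
        [ -f "$1/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# propagate HOST: refuse to mix stores of different policy types (copying a
# "targeted" booleans.local into a "strict" store would be silently wrong),
# copy the local files, then rebuild and reload the kernel policy on HOST.
propagate() {
    host=$1
    local_type=$(policy_type /etc/selinux/config)
    remote_type=$(ssh "root@$host" cat /etc/selinux/config | policy_type)
    if [ -z "$local_type" ] || [ "$local_type" != "$remote_type" ]; then
        echo "policy type mismatch: local='$local_type' remote='$remote_type'" >&2
        return 1
    fi
    store=/etc/selinux/$local_type/modules/active
    files=$(existing_local_files "$store")
    if [ -z "$files" ]; then
        echo "no local customisation files found in $store" >&2
        return 1
    fi
    # Word-splitting of $files is intended: one file name per line, no spaces.
    # shellcheck disable=SC2086
    (cd "$store" && tar cf - $files) | ssh "root@$host" "tar xf - -C '$store'"
    # Force libsemanage on the target to rebuild and reload the kernel policy
    # from the updated store (the step the thread recommends).
    ssh "root@$host" semodule -B
}

# Only act when a target host is named, so the functions can be sourced.
if [ $# -ge 1 ]; then
    propagate "$1"
fi
```

The policy-type check is the one guard worth keeping even if you replace the copy step with your own tooling: the store is selected by SELINUXTYPE, and nothing in the file format itself tells you which policy a booleans.local or ports.local belongs to.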