> From: Steve Friedman [mailto:steve@xxxxxxxxxxx]
>
> On Thu, 30 Nov 2006, Joshua Brindle wrote:
>
> >> From: Karl MacMillan [mailto:kmacmillan@xxxxxxxxxxxxxxxxx]
> >>
> >> Stephen Smalley wrote:
> >>> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >>>> The various GUI tools are nice for getting a policy configured
> >>>> correctly; however, to propagate this configuration to a series of
> >>>> like modified machines one runs into a speed bump.
> >>>>
> >>>> The files (e.g., booleans.local) state that the semanage command
> >>>> should be used to modify the file; however, via the GUI I am
> >>>> blissfully unaware of the actual commands (and would like to remain so).
> >>>>
> >>>> But, it would seem that it should be perfectly legal to propagate the
> >>>> various ".local" files directly. If this is legal, what commands
> >>>> must be issued to cause selinux to read the various policy updates?
> >>>> If this isn't legal, then what means can be used to propagate the policy?
> >>>
> >>> I don't think it is "legal" in the sense that those files are the
> >>> private state of libsemanage and are only supposed to be manipulated
> >>> via the libsemanage interfaces by programs like semodule, semanage and
> >>> setsebool. libsemanage will ultimately support other backends beyond
> >>> just the current direct access to the local file store, such as access
> >>> to local and ultimately remote policy management daemons.
> >>>
> >>> However, I'm not sure that there is a good mechanism at present to do
> >>> what you want in a "legal" way (Joshua or Karl feel free to contradict
> >>> me if there is). If you do simply copy them over using your favorite
> >>> utility for doing so, you can run semodule -B on the target machine to
> >>> force a rebuild and reload of the kernel policy from the updated
> >>> policy store there. Not sure if that is exported through any GUI at present.
> >>>
> >>
> >> I think that this is needed functionality. Opened a bug -
> >> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
> >>
> >
> > At some point in the near (hopefully) future we'll be putting the
> > network libsemanage backend into the library and after that a simple
> > daemon could be written to send policy and local changes across the
> > network. This would, of course, be the predecessor to a full policy
> > server with access control on policy changes.
> >
>
> Call me old-fashioned, but it is nice to be able to send a
> colleague / customer / friend a text file that can be edited,
> diffed, reviewed, archived, and updated. Policy servers are
> convenient for one organization, but sometimes this transfer
> occurs across organization boundaries. (Not to mention the
> delay between this hoped-for tool and the actual,
> production-ready deployment schedule...)
>

That's fine, and the bug added is to export the data, but I am dubious about the usefulness of doing so. Policies probably aren't going to be compatible across organization boundaries in a meaningful way; systems and policies are specific to the organization. For example, why would you send the selinux user and linux user to selinux user mappings to another organization?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
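The thread's point is that the `.local` files are libsemanage's private state and local customizations should travel as a reviewable text file applied through the supported interfaces, not by copying files into the store. The script below is an added example, not code from the thread or from the SELinux project: it assumes the `semanage export` / `semanage import` subcommands of current policycoreutils (which postdate this 2006 discussion), assumes their line format is `<object-type> <flags> <arguments>` (e.g. `boolean -m -1 httpd_can_network_connect`), and checks a received file against that shape before handing it to `semanage import`, so that a file from a colleague is reviewed rather than executed blindly. The sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Validate a text file of semanage
# customizations before importing it on a target host.
#
# Assumed input format (what `semanage export` writes on current
# policycoreutils; constructed samples):
#   boolean -m -1 httpd_can_network_connect
#   login -a -s staff_u -r s0 jdoe
#   port -a -t http_port_t -p tcp 8080
#
# Only lines whose first word is a known semanage object type are accepted,
# and any line carrying shell metacharacters is rejected outright, because
# the file came from outside the machine and must never reach a shell.

ALLOWED_TYPES="boolean login user port interface node fcontext module permissive dontaudit"

# validate_semanage_file FILE
# Prints each rejected line on stderr; returns 0 if every line is acceptable,
# 1 otherwise. Blank lines and '#' comments are ignored.
validate_semanage_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        obj=${line%% *}            # first word: the object type
        ok=0
        for t in $ALLOWED_TYPES; do
            [ "$obj" = "$t" ] && ok=1
        done
        # Reject anything that could be interpreted by a shell.
        case "$line" in
            *';'*|*'|'*|*'&'*|*'`'*|*'$('*|*'>'*|*'<'*) ok=0 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'rejected: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# apply_semanage_file FILE
# Refuses the whole file if validation fails; otherwise applies it through
# libsemanage via `semanage import`, the supported path, so no file in the
# policy store is touched directly.
apply_semanage_file() {
    validate_semanage_file "$1" || return 1
    semanage import -f "$1"
}
```

On the source host the file would be produced with `semanage export -f customizations.txt`, reviewed or diffed like any other text file, and then applied on each target with `apply_semanage_file customizations.txt` as root. Because the import goes through libsemanage, the store is rebuilt by the library itself, which is the distinction Stephen draws between copying `.local` files and using the interfaces.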