Re: Managing SELinux in the Enterprise

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 09/21/2014 09:49 PM, Douglas Brown wrote:
Hi all,

SELinux has some configuration files such as /etc/selinux/config which are easily managed with a tool like puppet. There’s also modular policies that can be managed with rpms (via Satellite) and or puppet (semodule). Finally puppet supports enforcing booleans with 'seboolean’. However, there’s a few things missing:
  • SELinux user and role mappings
  • Port labels (only supported in base policy or changed with semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
  • Custom file labels (ie. semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?")
I know these can be imported and exported with semanage using the -i and -o flags, however it’s slow and doesn't easily facilitate the programmatic query and enforcement of these settings at scale using a tool like puppet. Ideally puppet could manage the .local files in /etc/selinux/targeted/modules/active/, however Red Hat support tells me this won’t work and that semanage is the only supported mechanism. Surely there’s someone in the community who has a non-hackish method of dealing with this?

Is FreeIPA the solution to the user and role mappings? What about the labels?

Thanks,
Doug


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Why is managing this content via semanage not a good thing?

BTW You can put multiple ops within a transaction, which speeds up semanage.

https://danwalsh.livejournal.com/41593.html

The openstack-selinux rpm package has a bunch of operations being done within a transaction, including setting network ports, booleans and default file labeling.

BTW Ansible is also a nice method for managing SELinux in the enterprise.

Here is an presentation I wrote on managing SELinux in the enterprise

https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux