On 09/21/2014 09:49 PM, Douglas Brown wrote:

Hi all,

SELinux has some configuration files such as /etc/selinux/config which are easily managed with a tool like puppet. There are also modular policies that can be managed with rpms (via Satellite) and/or puppet (semodule). Finally, puppet supports enforcing booleans with 'seboolean'. However, there are a few things missing:

- SELinux user and role mappings
- Port labels (only supported in base policy or changed with semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
- Custom file labels (i.e. semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?")

I know these can be imported and exported with semanage using the -i and -o flags, however it's slow and doesn't easily facilitate the programmatic query and enforcement of these settings at scale using a tool like puppet. Ideally puppet could manage the .local files in /etc/selinux/targeted/modules/active/, however Red Hat support tells me this won't work and that semanage is the only supported mechanism. Surely there's someone in the community who has a non-hackish method of dealing with this?

Is FreeIPA the solution to the user and role mappings? What about the labels?

Thanks,
Doug
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Why is managing this content via semanage not a good thing?

BTW you can put multiple ops within a transaction, which speeds up semanage.

https://danwalsh.livejournal.com/41593.html

The openstack-selinux rpm package has a bunch of operations being done within a transaction, including setting network ports, booleans and default file labeling.

BTW Ansible is also a nice method for managing SELinux in the enterprise.

Here is a presentation I wrote on managing SELinux in the enterprise:

https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp
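Added example, not code from the thread, from Dan Walsh's blog post or from the openstack-selinux package: the customizations Doug lists (a port label, a file context and a boolean) declared as data, rendered into one semanage transaction and committed with a single `semanage -i -` call, so the policy store is rebuilt once instead of once per command. It assumes semanage's `-i` input format, one subcommand per line with the leading word `semanage` dropped (the same shape `semanage -o` exports); the port and fcontext values are Doug's, the boolean `httpd_can_network_connect` is an assumed example.

```shell
#!/bin/sh
# Added example (not from the thread, the blog post or openstack-selinux):
# declare SELinux customizations as data and apply them in one semanage
# transaction rather than one semanage invocation per record.
set -eu

# Desired state, one record per line: KIND followed by the fields that
# kind needs. Port and fcontext values are from the thread; the boolean
# is an assumed example.
DESIRED='port httpd_port_t tcp 6312
fcontext httpd_sys_content_t /data/www(/.*)?
boolean httpd_can_network_connect on'

# Render one record as the line `semanage -i` reads: subcommand plus
# options, without the leading word "semanage". Fields by kind:
#   port     TYPE PROTO PORT   -> port -a -t TYPE -p PROTO PORT
#   fcontext TYPE PATH_REGEX   -> fcontext -a -t TYPE "PATH_REGEX"
#   boolean  NAME on|off       -> boolean -m --on|--off NAME
render_line() {
    kind=$1
    case $kind in
        port)     printf 'port -a -t %s -p %s %s\n' "$2" "$3" "$4" ;;
        fcontext) printf 'fcontext -a -t %s "%s"\n' "$2" "$3" ;;
        boolean)  printf 'boolean -m --%s %s\n' "$3" "$2" ;;
        *)        printf 'unknown record kind: %s\n' "$kind" >&2; return 1 ;;
    esac
}

# Render every DESIRED record; the output is the transaction body.
render_transaction() {
    printf '%s\n' "$DESIRED" | while read -r kind a b c; do
        render_line "$kind" "$a" "$b" "$c"
    done
}

# Commit the whole set at once: `semanage -i -` reads the rendered lines
# from stdin and applies them as one transaction. Caveat: `-a` fails for
# a record that is already defined locally, so on a re-run list the
# local customizations first (`semanage port -l -C`, `semanage fcontext
# -l -C`) and drop or switch to `-m` the records that already exist.
apply_transaction() {
    if ! command -v semanage >/dev/null 2>&1; then
        printf 'semanage not found; the transaction would have been:\n' >&2
        render_transaction >&2
        return 1
    fi
    render_transaction | semanage -i -
}

# Usage: sh selinux-customizations.sh apply   (render only when run
# without arguments, so the script is safe to source or inspect).
case "${1:-}" in
    apply) apply_transaction ;;
    *)     render_transaction ;;
esac
```

Keeping the desired state as data is what makes this usable from puppet or Ansible: the configuration-management tool ships the record list, and the only per-host action is one `semanage -i -` call. Booleans use `-m` because they always exist in the policy; ports and file contexts use `-a` because they are new local records, which is exactly why a second run needs the existing-record check described in the comment.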