Thanks to those who have replied. I’ve looked at the semanage python library that underpins the semanage tool, and created a hello world with it; as with anything Python, it’s straightforward. Mandatory Access Controls have strong theoretical foundations in set theory and Python has native support for sets, so my idea is to create a tool called ‘secompliance’ that can be run by cron/puppet/etc to diff the running and expected config using set operators, then resolve conflicts as appropriate. Naturally, if it comes off, I will provide it to the community.

Cheers,
Doug

From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx]
On Behalf Of Jeremy Young

I'll second the cron option. If you're like me and have only recently gotten sign-off for a tool like Puppet or Ansible, scripts and crons will still work while you transition to the CM tool. For example, I'll run this in cron.hourly to maintain a consistent state of the booleans available. It may not be perfect, but it's a nice go-between until we can finish implementing Puppet.

#!/bin/bash
## Use lists in /etc/selinux to set SELinux booleans to desired state:
## /etc/selinux/booleanson and /etc/selinux/booleansoff, one boolean per line
PREFIX=/etc/selinux
LOGFILE=/var/log/sebooleans
touch "${LOGFILE}"

for state in on off; do
    while read -r variable; do
        ## skip blank lines and comments
        [[ -z "$variable" || "$variable" == \#* ]] && continue
        ## getsebool is a lot faster than semanage for this task
        current="$( getsebool "$variable" 2>/dev/null | gawk '{print $3}' )"
        if [[ -z "$current" ]]; then
            ## boolean not defined in the loaded policy; setsebool would fail
            echo "Unknown boolean $variable at $( date +%c ), skipping" >> "${LOGFILE}"
            continue
        fi
        if [[ "$current" != "$state" ]]; then
            ## If we're running the script manually (stdout is a terminal), output info to the screen
            if [[ -t 1 ]]; then
                echo "Setting $variable to $state..."
            fi
            echo "Setting $variable to $state at $( date +%c )..." >> "${LOGFILE}"
            setsebool -P "$variable" "$state"
        fi
    done < "${PREFIX}/booleans${state}"
done

I like the idea of a hash comparison. After the required action is taken, hash the relevant file and store it somewhere for reference later. Have Puppet execute your script, first hashing the relevant file and comparing it to your known value from last time.

So, for your original question, the files modules/active/users.local and modules/active/seusers.final could provide you with the information that you'd want. If that's no good, maybe you grep through these files to confirm the existence of your customizations, and for every one that is missing, append it to a temporary file, executing only the required commands with one semanage.

On Sun, Oct 12, 2014 at 9:49 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
--
Jeremy Young, M.S., RHCSA

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
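The following is an added example, not code posted by Doug, Jeremy or anyone else in this thread. It shows the set-difference approach Doug describes for 'secompliance', applied to the same input Jeremy's cron script consumes: the running boolean state (here parsed from the text output of `getsebool -a` rather than the semanage Python bindings, which is an assumption on my part) and two one-boolean-per-line desired-state files. The sample `getsebool` output and list contents are constructed, not captured from a real host, and the `/etc/selinux/booleanson` and `/etc/selinux/booleansoff` paths are assumed from the script above. Beyond the thread, it also flags two failure modes the shell loop silently mishandles: names that are not defined in the loaded policy, and names that appear in both lists (which would otherwise be flipped back and forth every run).

```python
"""Diff desired vs. running SELinux boolean state with set operations.

Added example; not code from the mailing-list thread. Parses `getsebool -a`
text instead of using the semanage Python bindings (assumption).
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `getsebool -a` output; not captured from a real host.
SAMPLE_GETSEBOOL = """\
httpd_can_network_connect --> off
httpd_enable_homedirs --> on
ftpd_anon_write --> off
samba_enable_home_dirs --> on
"""

# Constructed desired-state lists, in the format of the assumed files
# /etc/selinux/booleanson and /etc/selinux/booleansoff: one boolean per line.
SAMPLE_WANT_ON = "httpd_can_network_connect\nhttpd_enable_homedirs\n# comment line\n\n"
SAMPLE_WANT_OFF = (
    "samba_enable_home_dirs\nftpd_anon_write\nhttpd_enable_homedirs\nno_such_boolean\n"
)


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Parse `getsebool -a` lines of the form 'name --> on|off' into {name: is_on}."""
    state: Dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "-->":
            continue  # not a boolean line (e.g. an error message)
        state[parts[0]] = parts[2] == "on"
    return state


def parse_list(text: str) -> Set[str]:
    """Read a desired-state list; blank lines and '#' comments are ignored."""
    names: Set[str] = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip()
        if name:
            names.add(name)
    return names


def diff_booleans(
    running: Dict[str, bool], want_on: Set[str], want_off: Set[str]
) -> Tuple[Set[str], Set[str], Set[str], Set[str]]:
    """Return (to_turn_on, to_turn_off, unknown, conflicting).

    to_turn_on  - wanted on, currently off
    to_turn_off - wanted off, currently on
    unknown     - wanted but not defined in the loaded policy (setsebool would fail)
    conflicting - listed in both desired files; excluded from both change sets so
                  the tool never flip-flops a boolean on every run
    """
    known = set(running)
    on_now = {name for name, is_on in running.items() if is_on}
    off_now = known - on_now
    conflicting = want_on & want_off
    unknown = (want_on | want_off) - known
    to_turn_on = (want_on & off_now) - conflicting
    to_turn_off = (want_off & on_now) - conflicting
    return to_turn_on, to_turn_off, unknown, conflicting


def plan_command(to_turn_on: Set[str], to_turn_off: Set[str]) -> List[str]:
    """Build one `setsebool -P name=value ...` call for all changes.

    setsebool accepts several name=value pairs, so the policy is rebuilt once
    instead of once per boolean as in the per-variable shell loop.
    """
    pairs = [f"{n}=on" for n in sorted(to_turn_on)]
    pairs += [f"{n}=off" for n in sorted(to_turn_off)]
    return ["setsebool", "-P"] + pairs if pairs else []


def reconcile(
    getsebool_text: str, want_on_text: str, want_off_text: str
) -> Tuple[List[str], Set[str], Set[str]]:
    """Compute the change plan from text inputs; returns (command, unknown, conflicting)."""
    running = parse_getsebool(getsebool_text)
    to_on, to_off, unknown, conflicting = diff_booleans(
        running, parse_list(want_on_text), parse_list(want_off_text)
    )
    return plan_command(to_on, to_off), unknown, conflicting


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    cmd, unknown, conflicting = reconcile(SAMPLE_GETSEBOOL, SAMPLE_WANT_ON, SAMPLE_WANT_OFF)
    print("would run:", " ".join(cmd) if cmd else "(nothing to change)")
    print("unknown booleans (not in policy):", sorted(unknown))
    print("conflicting booleans (in both lists):", sorted(conflicting))
    # On a real host (run as root; assumed file paths), replace the samples with:
    #   import subprocess
    #   live = subprocess.run(["getsebool", "-a"], capture_output=True,
    #                         text=True, check=True).stdout
    #   cmd, unknown, conflicting = reconcile(live,
    #       open("/etc/selinux/booleanson").read(),
    #       open("/etc/selinux/booleansoff").read())
    #   if cmd: subprocess.run(cmd, check=True)
```

The point of computing `unknown` and `conflicting` before acting is that a compliance loop run from cron should refuse to act on a policy file it cannot satisfy rather than fail halfway through a `setsebool -P` and leave the persistent state partially applied; logging those two sets is what makes the run auditable.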