RE: post direct-file-modification commands
- From: "Joshua Brindle" <jbrindle tresys com>
- To: "Steve Friedman" <steve adsi-m4 com>
- Cc: fedora-selinux-list redhat com, Karl MacMillan <kmacmillan mentalrootkit com>
- Subject: RE: post direct-file-modification commands
- Date: Thu, 30 Nov 2006 10:44:24 -0500
> From: Steve Friedman [mailto:steve adsi-m4 com]
>
> On Thu, 30 Nov 2006, Joshua Brindle wrote:
>
> >> From: Karl MacMillan [mailto:kmacmillan mentalrootkit com]
> >>
> >> Stephen Smalley wrote:
> >>> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >>>> The various GUI tools are nice for getting a policy configured
> >>>> correctly; however, to propagate this configuration to a series of
> >>>> like modified machines one runs into a speed bump.
> >>>>
> >>>> The files (e.g., booleans.local) state that the semanage command
> >>>> should be used to modify the file; however, via the GUI I am
> >>>> blissfully unaware of the actual commands (and would like to remain so).
> >>>>
> >>>> But, it would seem that it should be perfectly legal to propagate the
> >>>> various ".local" files directly. If this is legal, what commands
> >>>> must be issued to cause selinux to read the various policy updates?
> >>>> If this isn't legal, then what means can be used to propagate the policy?
> >>>
> >>> I don't think it is "legal" in the sense that those files are the
> >>> private state of libsemanage and are only supposed to be manipulated
> >>> via the libsemanage interfaces by programs like semodule, semanage and
> >>> setsebool. libsemanage will ultimately support other backends beyond
> >>> just the current direct access to the local file store, such as access
> >>> to local and ultimately remote policy management daemons.
> >>>
> >>> However, I'm not sure that there is a good mechanism at present to do
> >>> what you want in a "legal" way (Joshua or Karl feel free to contradict
> >>> me if there is). If you do simply copy them over using your favorite
> >>> utility for doing so, you can run semodule -B on the target machine to
> >>> force a rebuild and reload of the kernel policy from the updated
> >>> policy store there. Not sure if that is exported through any GUI at present.
> >>>
> >>
> >> I think that this is needed functionality. Opened a bug -
> >> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
> >>
> >
> > At some point in the near (hopefully) future we'll be putting the
> > network libsemanage backend into the library and after that a simple
> > daemon could be written to send policy and local changes across the
> > network. This would, of course, be the predecessor to a full policy
> > server with access control on policy changes.
> >
>
> Call me old-fashioned, but it is nice to be able to send a
> colleague / customer / friend a text file that can be edited,
> diffed, reviewed, archived, and updated. Policy servers are
> convenient for one organization, but sometimes this transfer
> occurs across organization boundaries. (Not to mention the
> delay between this hoped-for tool and the actual,
> production-ready deployment schedule...)
>
That's fine, and the bug added is to export the data, but I am dubious
about the usefulness of doing so. Policies probably aren't going to be
compatible across organization boundaries in a meaningful way; systems
and policies are specific to the organization. For example, why would
you send the selinux user and linux user to selinux user mappings to
another organization?
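The thread above leaves two points side by side: copying the `.local` files and running `semodule -B` works but reaches into libsemanage's private store, and the alternative Steve wants is a plain text file that can be diffed and reviewed. The script below is an added example, not code from this thread or from the SELinux project: it turns the output of `getsebool -a` on the GUI-configured machine into exactly such a text file, shows what changed between two exports, and replays an export on a target machine through `setsebool -P`, which goes through the supported libsemanage interface rather than overwriting `booleans.local`. The sample export and the function names are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): propagate boolean settings through
# the supported interface instead of copying libsemanage's private files.
#
#   source machine:  getsebool -a > booleans.txt       (reviewable, diffable)
#   target machine:  booleans_to_commands < booleans.txt | sh
#   then, only if local modules were copied as well:   semodule -B

# Convert `getsebool -a` lines ("name --> on|off") into one
# "setsebool -P name on|off" command per boolean; anything that does not
# look like a boolean line is dropped rather than executed.
booleans_to_commands() {
    awk '$2 == "-->" && ($3 == "on" || $3 == "off") {
        printf "setsebool -P %s %s\n", $1, $3
    }'
}

# Compare two exports ($1 = old, $2 = new) and list each boolean whose
# value differs, as "name old -> new". Booleans present in only one of
# the files are ignored; add them to the report if that matters to you.
changed_booleans() {
    awk 'NR == FNR { if ($2 == "-->") old[$1] = $3; next }
         $2 == "-->" && ($1 in old) && old[$1] != $3 {
             print $1, old[$1], "->", $3
         }' "$1" "$2"
}

# Constructed sample of what `getsebool -a` prints; the last line stands
# in for a stray comment or header that must not turn into a command.
SAMPLE_EXPORT='allow_execmem --> off
httpd_can_network_connect --> on
httpd_enable_homedirs --> off
this line is not a boolean'

# Demonstration on the constructed sample (no SELinux tools required).
printf '%s\n' "$SAMPLE_EXPORT" | booleans_to_commands
```

Review the generated `setsebool` lines before piping them to `sh`; since the exported file is plain text, the `changed_booleans` report between a colleague's export and your own is the natural thing to attach to a change ticket.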