RE: post direct-file-modification commands
- From: Stephen Smalley <sds tycho nsa gov>
- To: Steve Friedman <steve adsi-m4 com>
- Cc: Joshua Brindle <jbrindle tresys com>, fedora-selinux-list redhat com, Karl MacMillan <kmacmillan mentalrootkit com>
- Subject: RE: post direct-file-modification commands
- Date: Thu, 30 Nov 2006 14:15:15 -0500
On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote:
> Let me give an example. We use postfix at my organization. It has a
> number of configuration files. Using a makefile (an early version of
> which was copied from the web), the script (via make) issues the relevant
> commands to build the necessary hash files, etc. I would envision a
> similar situation here: I would distribute one or more ASCII
> configuration files for the local customization along with a makefile that
> would determine what commands needed to be issued to build the appropriate
> policy.
>
> In effect, I was asking for the details of the makefile. After updating
> (say) booleans.local, what needs to be executed, etc.
Yes, at present, it would be a matter of copying the new booleans.local
into place and running semodule -B on the target machine. Going
forward, we need utilities that can export/dump and import the data
without requiring manual copying of the raw files. In the booleans
case, that just means an option to getsebool to dump local booleans in a
format easily consumed by setsebool (or some new option to setsebool);
this requires finally migrating getsebool over to using libsemanage
rather than directly reading the kernel state via selinuxfs (or at least
supporting such an option as well).
--
Stephen Smalley
National Security Agency
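
The distribution step discussed in this thread, sketched as an added example that is not part of the original message or of any SELinux tool: a makefile target could call a helper like this to validate a distributed booleans file and hand it to a single `setsebool -P` call instead of copying the raw file into place. It assumes the file holds `name=value` lines; `SETSEBOOL`, the function names and the sample contents are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the booleans file holds name=value lines.

# Constructed sample input (boolean names chosen for illustration).
sample_booleans() {
    printf '%s\n' '# local customizations' 'httpd_enable_cgi=1' '' 'allow_execmem=off'
}

# Print one validated name=value per line; return 1 if any line is malformed.
booleans_to_args() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            *=*) ;;
            *) echo "bad line: $line" >&2; status=1; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in
            ''|*[!A-Za-z0-9_]*) echo "bad name: $line" >&2; status=1; continue ;;
        esac
        case $value in
            1|on|true)   value=1 ;;
            0|off|false) value=0 ;;
            *) echo "bad value: $line" >&2; status=1; continue ;;
        esac
        printf '%s=%s\n' "$name" "$value"
    done < "$1"
    return "$status"
}

# Apply the file in one setsebool -P call, or not at all if validation fails.
# SETSEBOOL is a hypothetical override so the function can be dry-run.
apply_booleans() {
    args=$(booleans_to_args "$1") || { echo "refusing to apply $1" >&2; return 1; }
    [ -n "$args" ] || return 0
    # Unquoted on purpose: every word is already restricted to [A-Za-z0-9_=].
    ${SETSEBOOL:-setsebool} -P $args
}
```

Because the file is distributed to machines and applied as root, the helper rejects the whole file on any malformed line rather than applying the lines that happen to parse.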