Handling SELinux Policies on Multiple Servers?

Pete Toscano pete-fedora at verisignlabs.com
Thu Jul 14 16:53:24 UTC 2005


Hello,

I've been running selinux (and the targeted policy) on my workstation
since FC3 came out.  I'm now using FC4.  Every-so-often, after scanning
the audit logs, I notice that I need to tweak the policy for the way I
use / configure my system.

I also have a few handfuls of FC2 servers and I'm starting to look at
rolling out FC4 to them.  (I'm building the kickstart configuration
now.)  I'd like to keep selinux enabled, but I'm concerned about
managing the policy tweaks.

On my workstation, I install the targeted policy sources, edit
domain/misc/local.te or file_contexts/misc/local.fc as necessary, then
"make load" (which I guess does, in effect, a "make; make install; make
load") and relabel as necessary.  From what I've read, installing the
policy sources on each server is probably not a good idea.

How do you go about managing selinux policies across many machines?
Each machine starts from a kickstart build that already diverges from
the stock selinux targeted policy:  /home is a symlink to /v/home, which
is on a different partition from /.  It seems to me that /v/home never
gets labeled correctly until I rebuild the policy from source.  After
the initial build, I'm sure I'll need to tweak the policies on a
per-machine basis.

Should I roll my own policies from targeted and update them (every
couple days) when the targeted policy is updated?  Should I just have
one uber policy on my workstation that combines all the tweaks across all
the machines, then install the binary policy files on the individual
machines?  Any practical experience with this, links, or other advice?

Thanks,
pete
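The "one set of tweaks, many machines" question above, worked through as an added example that is not part of the original message or of the Fedora policy sources: a small POSIX shell helper that keeps the file-context additions in two version-controlled fragments, one site-wide (the /v/home layout every kickstart build shares) and one per host, and merges them into a single file that can be dropped in as file_contexts/misc/local.fc before "make load" and a relabel. The fragments are constructed here; /v/home is the poster's layout, and the type names are the stock targeted ones for /home, /tmp and httpd content, which you should treat as an assumption for your own release.

```shell
#!/bin/sh
# Added example (not from the original post or from the policy sources).
# Merge SELinux file_contexts fragments into one local.fc for a fleet.

# merge_fc FRAGMENT... : print one merged file_contexts on stdout.
# Comments and blank lines are dropped. When two fragments give a rule for the
# same path regex, the later fragment (pass the per-host one last) wins.
# Returns 1 on an unreadable fragment or a line that is not a valid
# "regex [-type] user:role:type[:level]" (or <<none>>) entry.
merge_fc() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "merge_fc: cannot read $f" >&2; return 1; }
    done
    cat "$@" | sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' | awk '
        BEGIN { bad = 0 }
        # reject anything that is not: path_regex [-d|-f|...] security_context
        NF < 2 || NF > 3 ||
        $NF !~ /^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+_t(:s[0-9]+)?$|^<<none>>$/ {
            printf "merge_fc: malformed entry (stream line %d): %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        # remember first-seen order of each regex, keep the last definition
        !($1 in ctx) { order[++n] = $1 }
        { ctx[$1] = $0 }
        END { for (i = 1; i <= n; i++) print ctx[order[i]]; exit bad }'
}

# demo_merge: constructed site-wide and per-host fragments, merged.
# The site fragment gives the real /v/home tree the labels the stock policy
# gives /home (which a symlink at /home never carries over); the host fragment
# overrides the /v/scratch rule and adds a web content tree.
demo_merge() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/site.fc" <<'EOF'
# shared by every kickstart-built host (constructed example)
/v(/.*)?                        system_u:object_r:default_t
/v/home                     -d  system_u:object_r:home_root_t
/v/home/[^/]*               -d  system_u:object_r:user_home_dir_t
/v/home/[^/]*/.+                system_u:object_r:user_home_t
/v/scratch(/.*)?                system_u:object_r:default_t
EOF
    cat > "$tmp/web01.fc" <<'EOF'
# web01 only: scratch space behaves like /tmp, /v/www is served by httpd
/v/scratch(/.*)?                system_u:object_r:tmp_t
/v/www(/.*)?                    system_u:object_r:httpd_sys_content_t
EOF
    merge_fc "$tmp/site.fc" "$tmp/web01.fc"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run stand-alone: print the merged local.fc for web01.
[ "${0##*/}" = "merge_fc.sh" ] && demo_merge
```

On a host, the merged output goes to file_contexts/misc/local.fc in the policy source tree (or is shipped as the built file_contexts to machines without sources), followed by "make load" and a relabel of the affected tree, e.g. `restorecon -R /v`; `matchpathcon /v/home/pete` then shows which context the loaded file_contexts assigns, which is a quicker check than waiting for the next audit log scan. The merge only deduplicates identical regexes; it does not change how setfiles picks between two different regexes that match the same path.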