Dan Walsh's Blog

Got SELinux?


10 things you probably did not know about SELinux.
Over the next few days, I am going to blog about things you probably did not know about SELinux.

1: Multiple semanage commands

The semanage command is pretty slow. It can take 10-20 seconds for a single semanage command to complete, because semanage recompiles a huge amount of policy. In Fedora 15 we have almost 500,000 allow and dontaudit rules, and the compiler checks each type, user, role, etc. to make sure they are valid. I have seen people executing multiple semanage commands in the post install of rpm spec files, as well as people customizing lots of machines by executing setsebool, semodule and semanage commands one after another. Not too many people realize you can run them all within the same transaction.

man semanage
...
       Input local customizations
       semanage [ -S store ] -i [ input_file | - ]
...
    -i, --input
              Take a set of commands from a specified file and load them in  a
              single transaction.


The xguest package uses this in its post install.

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF


It sets a bunch of boolean values in one transaction. You can also mix different semanage subcommands (port, fcontext, boolean, user, login) within the same transaction.

semanage -i - << _EOF
port -a -t http_port_t -p tcp 81
fcontext -a -t httpd_sys_content_t "/myweb(/.*)?"
boolean -m --on httpd_can_sendmail
user -a -R "staff_r system_r webadm_r" -r s0-s0:c0.c1023 webadm_u
login -m -s guest_u -r s0 __default__
_EOF
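As an added example (not part of the original post), a small Python linter for the `semanage -i` input format shown above: it checks each line locally before the file is handed to a transaction, so a typo is caught without waiting for the slow policy recompile. The subcommand set and the required-option table are assumptions that cover the forms used on this page, not a copy of semanage's own parser.

```python
import shlex

# Subcommands a `semanage -i` line may start with (those used on this page
# plus the other semanage object types; assumption, not taken from semanage).
SUBCOMMANDS = {"boolean", "login", "user", "port", "interface", "module",
               "node", "fcontext", "dontaudit", "permissive"}
ACTIONS = {"-a", "-m", "-d"}
# Options that must accompany an action; a tuple means "one of these".
# Assumption: covers only the common forms shown on the page.
REQUIRED = {("boolean", "-m"): [("--on", "--off")],
            ("port", "-a"): ["-t", "-p"],
            ("fcontext", "-a"): ["-t"],
            ("user", "-a"): ["-R"],
            ("login", "-a"): ["-s"]}

def lint_semanage_input(text):
    """Return (line_number, message) pairs for lines semanage would reject."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            argv = shlex.split(line)   # honours the quoting used for fcontext / -R
        except ValueError as exc:
            errors.append((lineno, f"bad quoting: {exc}"))
            continue
        sub, opts = argv[0], argv[1:]
        if sub not in SUBCOMMANDS:
            errors.append((lineno, f"unknown subcommand {sub!r}"))
            continue
        actions = [o for o in opts if o in ACTIONS]
        if len(actions) != 1:
            errors.append((lineno, f"{sub}: need exactly one of -a/-m/-d"))
            continue
        for need in REQUIRED.get((sub, actions[0]), []):
            choices = need if isinstance(need, tuple) else (need,)
            if not any(c in opts for c in choices):
                errors.append((lineno, f"{sub} {actions[0]}: missing {'/'.join(choices)}"))
    return errors

# Constructed sample: the page's transaction plus two faulty lines.
SAMPLE = """\
port -a -t http_port_t -p tcp 81
fcontext -a -t httpd_sys_content_t "/myweb(/.*)?"
boolean -m --on httpd_can_sendmail
user -a -R "staff_r system_r webadm_r" -r s0-s0:c0.c1023 webadm_u
login -m -s guest_u -r s0 __default__
port -a -t http_port_t 8080
bolean -m --on xguest_mount_media
"""
```

Run `lint_semanage_input(open("customizations.txt").read())` in a spec file or deployment script and only call `semanage -i customizations.txt` when it returns an empty list.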

