Dan Walsh's Blog

Got SELinux?

10 things you probably did not know about SELinux... #2
#2 Outputting your semanage configuration

You set up a machine with a bunch of SELinux customizations. You want to take those customizations and make 5 other machines look the same.

How would I do this?

semanage -o /tmp/selinux.customizations

man semanage
       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

The semanage -o command will output all semanage customizations into a file that the semanage -i command can read.

# semanage -o /tmp/selinux.customizations
# scp /tmp/selinux.customizations root@otherhost.mycompany.com:
# ssh root@otherhost.mycompany.com semanage -i selinux.customizations

Here is the output of this command on my laptop.

# semanage -o -
boolean -D
boolean -1 allow_polyinstantiation
boolean -0 authlogin_nsswitch_use_ldap
boolean -1 httpd_can_sendmail
boolean -1 xguest_connect_network
boolean -1 xguest_mount_media
boolean -1 xguest_use_bluetooth
login -D
login -a -s guest_u -r 's0' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
login -a -s xguest_u -r 's0' xguest
user -D
user -a -r s0-s0:c0.c1023 -R 'staff_r system_r webadm_r' webadm_u
user -a -r s0 -R 'xguest_r' xguest_u
port -D
port -a -t http_port_t -p tcp 81
interface -D
interface -a -t netif_t eth*
node -D
node -a -M -p ipv4 -t defaultif_t
node -a -M -p ipv4 -t internalif_t
fcontext -D
fcontext -a -f 'all files' -t httpd_sys_content_t '/myweb(/.*)?'
fcontext -a -f 'all files' -t public_content_t '/shared(/.*)?'
fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'

Notice the -D commands; these are used to delete all local customizations. If you were to install this SELinux configuration on your machine, you would have the same configuration as my laptop.

Note:  You would also need to make sure the policy modules were the same on each machine.
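Because the -D lines wipe the importing host's existing local customizations of each type before the -a lines add entries back, it is worth reviewing an export before running semanage -i with it. The script below is an added example, not part of the original post: the sample export is constructed here in the shape of the output above, and preview_import assumes semanage is installed and is run as root.

```shell
#!/bin/sh
# Added example, not from the original post: review a `semanage -o` export
# before feeding it to `semanage -i` on another host.

# A sample export, constructed here in the shape of the post's output.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
boolean -D
boolean -1 httpd_can_sendmail
boolean -0 authlogin_nsswitch_use_ldap
port -D
port -a -t http_port_t -p tcp 81
node -D
fcontext -D
fcontext -a -f 'all files' -t httpd_sys_content_t '/myweb(/.*)?'
fcontext -a -f 'all files' -t public_content_t '/shared(/.*)?'
EOF

# Print "<type> <entries_added> <reset>" for each object type in the export.
# reset is "yes" when the file carries a "<type> -D" line, which deletes every
# existing local customization of that type on the importing host.
summarize_export() {
    awk '
        { types[$1] = 1 }
        $2 == "-D" { reset[$1] = 1; next }
        { count[$1]++ }
        END {
            for (t in types)
                printf "%s %d %s\n", t, count[t] + 0, ((t in reset) ? "yes" : "no")
        }' "$1" | sort
}

# Count object types that are wiped (-D) but get no entries back: importing
# such a file removes local customizations of that type without replacement.
wiped_without_replacement() {
    awk '$2 == "-D" { reset[$1] = 1; next } { kept[$1] = 1 }
         END { n = 0; for (t in reset) if (!(t in kept)) n++; print n + 0 }' "$1"
}

# Show what importing FILE would change on this host: export the running
# configuration (assumes semanage is installed and we run as root) and diff.
preview_import() {
    semanage -o - | diff -u - "$1"
}

summarize_export "$SAMPLE"
echo "types wiped without replacement: $(wiped_without_replacement "$SAMPLE")"
```

Run preview_import against the real export on the target host to see exactly which boolean, port and fcontext entries the import would add or drop there.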
