March 22nd, 2011

10 things you probably did not know about SELinux.

Over the next few days, I am going to blog about things you probably did not know about SELinux.

  Multiple semanage commands:

The semanage command is pretty slow.  It can take 10-20 seconds for a single semanage command to complete, because every semanage command recompiles a huge amount of policy.  In Fedora 15 we have almost 500,000 allow and dontaudit rules, and the compiler checks each type, user, role, etc. to make sure they are valid.  I have seen people executing multiple semanage commands in the post install of rpm spec files, as well as people customizing lots of machines by executing setsebool, semodule and semanage commands one after another, paying that cost every time.  Not too many people realize you can run them all within the same transaction.

man semanage
       Input local customizations
       semanage [ -S store ] -i [ input_file | - ]
    -i, --input
              Take a set of commands from a specified file and load them in  a
              single transaction.

The xguest package uses this in its post install script.

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF

That snippet only sets a bunch of boolean values, but you are not limited to one kind of command.  Ports, file contexts, booleans, SELinux users and login mappings can all be managed within the same transaction, and the policy is rebuilt once at the end instead of once per command.

semanage -i - << _EOF
port -a -t http_port_t -p tcp 81
fcontext -a -t httpd_sys_content_t "/myweb(/.*)?"
boolean -m --on httpd_can_sendmail
user -a -R "staff_r system_r webadm_r" -r s0-s0:c0.c1023 webadm_u
login -m -s guest_u -r s0 __default__
_EOF
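Here is an added example of how I would package this up for a deployment script or an rpm %post, the way the batches above are used.  It is not code from the original post or from xguest: the application name, port 8081, docroot /srv/myapp and the booleans it turns on are assumptions chosen for illustration.  The script generates the semanage input from a couple of parameters, loads it in one transaction, and then runs restorecon, because semanage fcontext only records the rule and does not relabel anything by itself.

```sh
#!/bin/sh
# Added example (not from the original post): assemble several SELinux
# customizations for a hypothetical web application into one batch and feed
# it to "semanage -i -" so the policy is rebuilt once rather than per command.
# Port 8081, docroot /srv/myapp and the boolean names are assumptions.

# Emit the semanage commands for one deployment, one per line, in exactly the
# syntax the semanage -i input file expects (command name first, no "semanage").
build_semanage_batch() {
    port="$1"
    docroot="$2"
    printf 'port -a -t http_port_t -p tcp %s\n' "$port"
    printf 'fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$docroot"
    printf 'boolean -m --on httpd_can_sendmail\n'
    printf 'boolean -m --on httpd_can_network_connect_db\n'
}

# Load the whole batch as one transaction against the targeted store, then
# relabel the docroot so the new fcontext rule actually takes effect on disk.
apply_semanage_batch() {
    build_semanage_batch "$1" "$2" | semanage -S targeted -i - || return 1
    restorecon -R "$2"
}

# Only root on an SELinux host can commit a transaction; anywhere else just
# show the batch that would be loaded.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_semanage_batch 8081 /srv/myapp
else
    build_semanage_batch 8081 /srv/myapp
fi
```

Two things to watch when you batch commands this way.  `port -a` fails if the port is already defined in policy (for example tcp/80 or tcp/443 for http_port_t), in which case you need `port -m` instead, so check with `semanage port -l` before you write the batch.  And a batch is only as good as its relabel step: without the restorecon, files already under /srv/myapp keep their old labels until something relabels them.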