March 23rd, 2011

10 things you probably did not know about SELinux.. #2

#2 Outputting your semanage configuration

You set up a machine with a bunch of SELinux customizations.  You want to take those customizations and make 5 other machines look the same.  

How would I do this?

semanage -o /tmp/selinux.customizations

man semanage
       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

The semanage -o command will output all semanage customizations into a file that the semanage -i command can read. 

# semanage -i /tmp/selinux.customizations
# scp /tmp/selinux.customizations
# ssh semanage -i selinux.customizations

Here is the output of this command on my laptop.

# semanage output -o -
boolean -D
boolean -1 allow_polyinstantiation
boolean -0 authlogin_nsswitch_use_ldap
boolean -1 httpd_can_sendmail
boolean -1 xguest_connect_network
boolean -1 xguest_mount_media
boolean -1 xguest_use_bluetooth
login -D
login -a -s guest_u -r 's0' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
login -a -s xguest_u -r 's0' xguest
user -D
user -a -r s0-s0:c0.c1023 -R 'staff_r system_r webadm_r' webadm_u
user -a -r s0 -R 'xguest_r' xguest_u
port -D
port -a -t http_port_t -p tcp 81
interface -D
interface -a -t netif_t eth*
node -D
node -a -M -p ipv4 -t defaultif_t
node -a -M -p ipv4 -t internalif_t
fcontext -D
fcontext -a -f 'all files' -t httpd_sys_content_t '/myweb(/.*)?'
fcontext -a -f 'all files' -t public_content_t '/shared(/.*)?'
fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'

Notice the -D commands, these are used to delete all local customizations.  If you were to install this selinux configuration on your machine, you would have the same configuration as my laptop.

Note:  You would also need to make sure the policy modules were the same on each machine.