Previous Entry Share Next Entry
10 things you probably did not know about SELinux.. #2
#2 Outputting your semanage configuration

You set up a machine with a bunch of SELinux customizations.  You want to take those customizations and make 5 other machines look the same.  

How would I do this?

semanage -o /tmp/selinux.customizations

man semanage
       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

The semanage -o command will output all semanage customizations into a file that the semanage -i command can read. 

# semanage -i /tmp/selinux.customizations
# scp /tmp/selinux.customizations
# ssh semanage -i selinux.customizations

Here is the output of this command on my laptop.

# semanage output -o -
boolean -D
boolean -1 allow_polyinstantiation
boolean -0 authlogin_nsswitch_use_ldap
boolean -1 httpd_can_sendmail
boolean -1 xguest_connect_network
boolean -1 xguest_mount_media
boolean -1 xguest_use_bluetooth
login -D
login -a -s guest_u -r 's0' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
login -a -s xguest_u -r 's0' xguest
user -D
user -a -r s0-s0:c0.c1023 -R 'staff_r system_r webadm_r' webadm_u
user -a -r s0 -R 'xguest_r' xguest_u
port -D
port -a -t http_port_t -p tcp 81
interface -D
interface -a -t netif_t eth*
node -D
node -a -M -p ipv4 -t defaultif_t
node -a -M -p ipv4 -t internalif_t
fcontext -D
fcontext -a -f 'all files' -t httpd_sys_content_t '/myweb(/.*)?'
fcontext -a -f 'all files' -t public_content_t '/shared(/.*)?'
fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'

Notice the -D commands, these are used to delete all local customizations.  If you were to install this selinux configuration on your machine, you would have the same configuration as my laptop.

Note:  You would also need to make sure the policy modules were the same on each machine.

  • 1
Thank you for all the valuable info on your site; it makes it a lot easier working with SELinux and ensuring a proper/secure system configuration. It would be nice if you could elaborate on the other details in the "output" of your customizations, i.e. "-M" and other formatting info that's there. Otherwise, keep up the good work to educate people on how to properly use SELinux, instead of simply disabling it as many do.

Well the other code is just the same commands you would have executed with semanage commands.

IE If you had executed

semanage fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'

Then semanage -o

Would output

fcontext -D
fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'

  • 1

Log in

No account? Create an account