List: fedora-selinux-list
Subject: Managing SELinux in the Enterprise
From: Douglas Brown <doug.brown () qut ! edu ! au>
Date: 2014-09-22 1:49:55
Message-ID: D045BD65.48296%doug.brown () qut ! edu ! au
Hi all,

SELinux has some configuration files such as /etc/selinux/config which are easily managed with a tool like puppet. There are also modular policies that can be managed with rpms (via Satellite) and/or puppet (semodule). Finally, puppet supports enforcing booleans with 'seboolean'. However, there are a few things missing:

* SELinux user and role mappings
* Port labels (only supported in base policy or changed with semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
* Custom file labels (i.e. semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?")

I know these can be imported and exported with semanage using the -i and -o flags; however, it's slow and doesn't easily facilitate the programmatic query and enforcement of these settings at scale using a tool like puppet. Ideally puppet could manage the .local files in /etc/selinux/targeted/modules/active/; however, Red Hat support tells me this won't work and that semanage is the only supported mechanism. Surely there's someone in the community who has a non-hackish method of dealing with this?

Is FreeIPA the solution to the user and role mappings? What about the labels?

Thanks,
Doug
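The message asks for a programmatic, repeatable way to query and enforce the settings that only `semanage` manages. The script below is an added example, not code from the original message or from any puppet module: it parses the listings printed by `semanage port -l`, `semanage fcontext -l` and `semanage login -l`, compares them with a desired state, and emits only the `-a` (add) or `-m` (modify) commands needed to converge, so it is safe to run from a configuration-management agent on every run. Distinguishing add from modify matters because `semanage port -a` refuses a port that the base policy already defines, where `-m` is required. The sample listings, the desired-state values, the `alice` login and the choice of `http_port_t`, `httpd_sys_content_t` and `staff_u` are constructed assumptions for illustration (the targeted policy's HTTP port type is `http_port_t`, which differs from the name in the message).

```python
"""Idempotent reconciliation of semanage-managed SELinux settings.

Parses `semanage port -l`, `semanage fcontext -l` and `semanage login -l`
output, diffs it against DESIRED, and prints (or with --apply, runs) only
the semanage commands needed to converge.  Added example; the samples and
desired values below are constructed for illustration.
"""
import re
import shutil
import subprocess
import sys

# Desired state: (proto, port) -> type, fcontext regex -> type, login -> seuser.
DESIRED = {
    "ports": {("tcp", "6312"): "http_port_t", ("tcp", "8443"): "http_port_t"},
    "fcontexts": {"/data/www(/.*)?": "httpd_sys_content_t"},
    "logins": {"alice": "staff_u", "__default__": "unconfined_u"},
}

# Constructed listings in the shape semanage prints (header line, blank, rows).
PORT_SAMPLE = """SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""
FCONTEXT_SAMPLE = """SELinux fcontext                                   type               Context

/                                                  directory          system_u:object_r:root_t:s0
/data/www(/.*)?                                    all files          system_u:object_r:public_content_t:s0
"""
LOGIN_SAMPLE = """Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""


def _rows(text):
    """Yield the data rows of a `semanage ... -l` listing (skip header and blanks)."""
    for line in text.splitlines()[1:]:
        if line.strip():
            yield line.strip()


def parse_ports(text):
    """Map (proto, port-or-range) -> type; ranges are kept as the literal string."""
    ports = {}
    for row in _rows(text):
        parts = row.split(None, 2)
        if len(parts) != 3:
            continue
        setype, proto, nums = parts
        for num in nums.split(","):
            ports[(proto, num.strip())] = setype
    return ports


def parse_fcontexts(text):
    """Map fcontext regex -> type, taken from the context's type field."""
    ctx = {}
    for row in _rows(text):
        cols = re.split(r"\s{2,}", row)  # columns are separated by runs of spaces
        if len(cols) != 3 or cols[2] == "<<None>>":
            continue
        ctx[cols[0]] = cols[2].split(":")[2]
    return ctx


def parse_logins(text):
    """Map login name -> SELinux user (MLS range and service are ignored)."""
    return {cols[0]: cols[1] for cols in (row.split() for row in _rows(text))}


def plan(desired, current):
    """Return the semanage argv lists that turn `current` into `desired`."""
    cmds = []
    for (proto, num), setype in desired["ports"].items():
        have = current["ports"].get((proto, num))
        if have != setype:  # -m when the port exists with another type, else -a
            cmds.append(["semanage", "port", "-m" if have else "-a",
                         "-t", setype, "-p", proto, num])
    for regex, setype in desired["fcontexts"].items():
        have = current["fcontexts"].get(regex)
        if have != setype:
            cmds.append(["semanage", "fcontext", "-m" if have else "-a",
                         "-t", setype, regex])
    for name, seuser in desired["logins"].items():
        have = current["logins"].get(name)
        if have != seuser:
            cmds.append(["semanage", "login", "-m" if have else "-a",
                         "-s", seuser, name])
    return cmds


def current_state_from_samples():
    return {"ports": parse_ports(PORT_SAMPLE),
            "fcontexts": parse_fcontexts(FCONTEXT_SAMPLE),
            "logins": parse_logins(LOGIN_SAMPLE)}


def current_state_from_host():
    """Query the live host; needs semanage and root privileges."""
    def listing(obj):
        return subprocess.run(["semanage", obj, "-l"], check=True,
                              capture_output=True, text=True).stdout
    return {"ports": parse_ports(listing("port")),
            "fcontexts": parse_fcontexts(listing("fcontext")),
            "logins": parse_logins(listing("login"))}


if __name__ == "__main__":
    apply = "--apply" in sys.argv and shutil.which("semanage")
    current = current_state_from_host() if apply else current_state_from_samples()
    for cmd in plan(DESIRED, current):
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
```

Against the constructed listings the plan is three commands: add tcp/6312 (8443 is already `http_port_t`), modify `/data/www(/.*)?` from `public_content_t`, and add the `alice` login; a second run produces an empty plan. Two caveats for production use: a new or changed fcontext rule only affects files created afterwards, so follow it with `restorecon -R` on the directory; and the comparison is by type only, so MLS/MCS ranges and the fcontext file-type class (`all files`, `directory`, ...) are not reconciled here.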
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux