Thanks to those who have replied. I’ve looked at the semanage python library that
underpins the semanage tool, and created a hello world with it; as with anything Python,
it’s straightforward.
Mandatory Access Controls have strong theoretical foundations in set theory and Python has
native support for sets, so my idea is to create a tool called ‘secompliance’ that can be
run by cron/puppet/etc to diff the running and expected config using set operators then
resolve conflicts as appropriate. Naturally, if it comes off, I will provide it to the
community.
Cheers,
Doug
From: selinux-bounces@lists.fedoraproject.org
[mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Jeremy Young
Sent: Monday, 13 October 2014 3:09 AM
To: Mark Montague
Cc: selinux@lists.fedoraproject.org
Subject: Re: Managing SELinux in the Enterprise
I'll second the cron option. If you're like me and have only recently gotten
sign-off for a tool like Puppet or Ansible, scripts and crons will still work while you
transition to the CM tool. For example, I'll run this in cron.hourly to maintain a
consistent state of the booleans available. It may not be perfect, but it's a nice
go-between until we can finish implementing Puppet.
#!/bin/bash
## Use lists in /etc/selinux to set SELinux booleans to desired state
## (one boolean name per line in ${PREFIX}/booleanson and ${PREFIX}/booleansoff)
PREFIX=/etc/selinux
LOGFILE=/var/log/sebooleans
touch "${LOGFILE}"
for state in on off; do
    while read -r variable; do
        ## Skip blank lines so getsebool is never called with an empty name
        [[ -z "$variable" ]] && continue
        ## getsebool is a lot faster than semanage for this task
        if [[ "$( getsebool "$variable" | gawk '{print $3}' )" != "$state" ]]; then
            ## If we're running the script manually (stdout is a terminal,
            ## which it is not under cron), output info to the screen
            if [[ -t 1 ]]; then
                echo "Setting $variable to $state..."
            fi
            echo "Setting $variable to $state at $( date +%c )..." >> "${LOGFILE}"
            setsebool -P "$variable" "$state"
        fi
    done < "${PREFIX}/booleans${state}"
done
I like the idea of a hash comparison. After the required action is taken, hash the
relevant file and store it somewhere for reference later. Have Puppet execute your
script, first hashing the relevant file and comparing it to your known value from last
time. So, for your original question, the files modules/active/users.local and
modules/active/seusers.final could provide you with the information that you'd want.
If that's no good, maybe you grep through these files to confirm the existence of your
customizations, and for every one that is missing, append it to a temporary file,
executing only the required commands with one semanage.
On Sun, Oct 12, 2014 at 9:49 AM, Mark Montague <mark@catseye.org> wrote:
On 2014-10-12 6:14, Douglas Brown wrote:
semanage is great for general administration but not for compliance; it's not really
designed to compare an expected configuration with the running configuration and rectify any
differences; rather, for the most part, it applies cumulative changes.
I use a cron job that runs "semanage -o" to dump the current configuration and
compare it, using diff, with the expected configuration which is just the output of
"semanage -o -" manually generated by an administrator at the last time the
configuration was changed.
The same cronjob also checks the output of sestatus and "semodule -l" against
expected values.
This approach is primitive, but it works. You could hash the output, if you wanted, and
compare the hash instead of using diff. I use diff in order to have the cron job email
the administrator the diff output, showing how the actual configuration is different from
the expected configuration in the alert.
--
Mark Montague
mark@catseye.org
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Jeremy Young <jrm16020@gmail.com>, M.S., RHCSA
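Doug's set-operator idea at the top of the thread and Mark's "semanage -o" diff combined into one script, as an added example that is not code from any of the posters: it reads the running customizations with `semanage -o -`, takes the set difference against an expected dump in both directions, and turns the result into the `semanage` commands that would close the gap. The sample dumps are constructed, and the exact line format `semanage -o -` writes (for example `-1`/`-0` for boolean values) is assumed to match the policycoreutils version in use.

```python
"""Set-based drift check: expected vs running SELinux local customizations."""
import shlex
import subprocess
import sys

# Constructed sample dumps in the line format `semanage -o -` writes. A `<type> -D`
# line only resets that object type and carries no setting; every other line
# is one local customization.
EXPECTED = """\
boolean -D
port -D
boolean -m -1 httpd_can_network_connect
boolean -m -0 samba_enable_home_dirs
port -a -t http_port_t -p tcp 8443
"""
RUNNING = """\
boolean -D
port -D
boolean -m -1 httpd_can_network_connect
boolean -m -1 samba_enable_home_dirs
port -a -t ssh_port_t -p tcp 2222
"""

def customizations(dump):
    """The set of customization lines in a dump, with the '-D' resets dropped."""
    return {line.strip() for line in dump.splitlines()
            if line.strip() and line.split()[1:2] != ["-D"]}

def drift(expected, running):
    """Set differences both ways: (missing from running, extra in running)."""
    exp, run = customizations(expected), customizations(running)
    return sorted(exp - run), sorted(run - exp)

def remediation(missing, extra):
    """semanage argv lists: re-apply each missing line, delete each extra '-a' object.
    Booleans and other '-m' lines have nothing to delete; the expected line overrides."""
    cmds = [["semanage"] + shlex.split(line) for line in missing]
    for line in extra:
        argv = shlex.split(line)
        if argv[1] == "-a":
            cmds.append(["semanage", argv[0], "-d"] + argv[2:])
    return cmds

def main(expected_file):
    running = subprocess.run(["semanage", "-o", "-"], check=True,
                             capture_output=True, text=True).stdout
    missing, extra = drift(open(expected_file).read(), running)
    for cmd in remediation(missing, extra):
        print(shlex.join(cmd))  # use subprocess.run(cmd, check=True) to enforce
    return 1 if missing or extra else 0  # non-zero exit makes cron report the drift

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it from cron as `python3 secheck.py /etc/selinux/expected.semanage`, where the expected file is a `semanage -o -` dump saved after the last deliberate change; cron mails the printed plan whenever the exit status is non-zero.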