I am using puppet to manage my system configuration and I am looking for
the best way to manage file context changes between multiple hosts.
Basically I have some local changes that are held in
/etc/selinux/targeted/modules/active/file_contexts.local, is it
reasonable just to copy this file to hosts that need to be aware of the
changes held therein or is there a better method?
This would be implemented on RHEL 5 and 6 systems.
Thanks,
-Erinn
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
09-22-2011, 07:00 AM
Dominick Grift
Best way to copy local changes between hosts
On Wed, 2011-09-21 at 13:47 -0800, Erinn Looney-Triggs wrote:
> I am using puppet to manage my system configuration and I am looking for
> the best way to manage file context changes between multiple hosts.
>
> Basically I have some local changes that are held in
> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> reasonable just to copy this file to hosts that need to be aware of the
> changes held therein or is there a better method?
>
> This would be implemented on RHEL 5 and 6 systems.
I guess the following might be the preferred way:
> Managing multiple machines
> Multiple machines that need the same customizations.
> Extract customizations off first machine, copy them
> to second and import them.
>
> # semanage -o /tmp/local.selinux
> # scp /tmp/local.selinux secondmachine:/tmp
> # ssh secondmachine
> # semanage -i /tmp/local.selinux
>
> If these customizations include file context, you need to apply the
> context using restorecon.
09-22-2011, 12:50 PM
Daniel J Walsh
Best way to copy local changes between hosts
On 09/21/2011 05:47 PM, Erinn Looney-Triggs wrote:
> I am using puppet to manage my system configuration and I am
> looking for the best way to manage file context changes between
> multiple hosts.
>
> Basically I have some local changes that are held in
> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> reasonable just to copy this file to hosts that need to be aware of
> the changes held therein or is there a better method?
>
> This would be implemented on RHEL 5 and 6 systems.
>
> Thanks, -Erinn
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
/etc/selinux/targeted/modules/active/file_contexts.local
# This file is only used when policy is updated
and
/etc/selinux/targeted/contexts/files/file_contexts.local
# This file is actually the one used by restorecon and rpm ...
Should be kept in sync, and would work on RHEL5 and RHEL6.
You could also use the method Dominick described for distributing all
local canonizations.
You might want to write a puppet script that would dump local
customizations and check it versus global customizations, and apply
the global if they differ, since semanage -i will take a long time to run.
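The compare-before-import check suggested above, combined with the `semanage -o` / `semanage -i` and restorecon steps quoted earlier in the thread, could look like the following. This is an added example, not code posted by anyone in the thread; the function name, the return codes and passing the paths to relabel as arguments are assumptions.

```shell
#!/bin/sh
# Added example: import a reference set of SELinux local customizations only
# when this host's current set differs, then relabel the affected paths.
#
# Usage:  sync_selinux_local REFERENCE_FILE [PATH_TO_RELABEL ...]
# Status: 0 = already in sync, 10 = reference imported, 1 = error
# (the name and the status codes are choices made for this example).
sync_selinux_local() {
    reference=$1
    [ -r "$reference" ] || { echo "cannot read $reference" >&2; return 1; }
    shift

    current=$(mktemp) || return 1

    # Dump this host's local customizations, as in the thread's
    # "semanage -o /tmp/local.selinux" step.
    if ! semanage -o "$current"; then
        rm -f "$current"
        return 1
    fi

    # Identical dumps mean the slow "semanage -i" run can be skipped.
    # A dump that differs only in line order triggers a re-import, which
    # is redundant but harmless.
    if cmp -s "$current" "$reference"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"

    # Apply the reference customizations.
    semanage -i "$reference" || return 1

    # File context rules only affect labels once they are applied to
    # existing files, so relabel the paths the caller named.
    for path in "$@"; do
        restorecon -R "$path" || return 1
    done
    return 10
}
```

A configuration management run can call the function with the distributed reference file and the directories covered by the file context rules, and treat status 10 as "changed".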
On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs wrote:
> I am using puppet to manage my system configuration and I am looking for
> the best way to manage file context changes between multiple hosts.
>
> Basically I have some local changes that are held in
> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> reasonable just to copy this file to hosts that need to be aware of the
> changes held therein or is there a better method?
>
> This would be implemented on RHEL 5 and 6 systems.
... try csync2:
http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
Regards
Adam Przybyla
09-22-2011, 01:23 PM
Daniel J Walsh
Best way to copy local changes between hosts
On 09/22/2011 09:01 AM, Adam Przybyla wrote:
> On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
> wrote:
>> I am using puppet to manage my system configuration and I am
>> looking for the best way to manage file context changes between
>> multiple hosts.
>>
>> Basically I have some local changes that are held in
>> /etc/selinux/targeted/modules/active/file_contexts.local, is it
>> reasonable just to copy this file to hosts that need to be aware
>> of the changes held therein or is there a better method?
>>
>> This would be implemented on RHEL 5 and 6 systems.
> ... try csync2:
> http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
> Regards Adam Przybyla -- selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Also make sure any tool that you use ensures the label on files
(restorecon) after putting them in place. Having the tool understand
SELinux and telling the kernel to label the file before it is created
is even better.
On 09/22/2011 09:01 AM, Adam Przybyla wrote:
> On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
> wrote:
>> I am using puppet to manage my system configuration and I am
>> looking for the best way to manage file context changes between
>> multiple hosts.
>>
>> Basically I have some local changes that are held in
>> /etc/selinux/targeted/modules/active/file_contexts.local, is it
>> reasonable just to copy this file to hosts that need to be aware
>> of the changes held therein or is there a better method?
>>
>> This would be implemented on RHEL 5 and 6 systems.
> ... try csync2:
> http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
> Regards Adam Przybyla -- selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Does csync2 support extended attributes?
On Thu, Sep 22, 2011 at 09:24:50AM -0400, Daniel J Walsh wrote:
> On 09/22/2011 09:01 AM, Adam Przybyla wrote:
> > On Wed, Sep 21, 2011 at 01:47:32PM -0800, Erinn Looney-Triggs
> > wrote:
> >> I am using puppet to manage my system configuration and I am
> >> looking for the best way to manage file context changes between
> >> multiple hosts.
> >>
> >> Basically I have some local changes that are held in
> >> /etc/selinux/targeted/modules/active/file_contexts.local, is it
> >> reasonable just to copy this file to hosts that need to be aware
> >> of the changes held therein or is there a better method?
> >>
> >> This would be implemented on RHEL 5 and 6 systems.
> > ... try csync2:
> > http://thuannvn.blogspot.com/2010/01/csync2-is-so-cool.html
> > Regards Adam Przybyla -- selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> Does csync2 support extended attributes?
... nope, but you could execute some commands on remote systems
after the file was sent. Use the "exec" statement in your configs. Regards
Adam Przybyla