
Re: [ SEMANAGE ] Install seusers, rename some files


On Tue, 2005-11-01 at 16:42 -0500, Ivan Gyurdiev wrote:
> >> - copy /etc/selinux/?/local.users into 
> >> /etc/selinux/?/modules/active/users.local [ renamed ]
> > this could potentially be done the same way as booleans below, except 
> > that there isn't a user of the user api in libsemanage yet, so that 
> > would be written; with seuser handling the vast majority of users now 
> > this isn't very high priority.
> >
> >> - copy /etc/selinux/?/booleans.local into 
> >> /etc/selinux/?/modules/active/booleans.local
> > not sure about this. It would not be difficult to read the old 
> > booleans file and pipe the info through setsebool -p.
> setsebool -p does not go through libsemanage as of right now...
> I haven't written any users of libsemanage - I've been focusing on the 
> library so far..

Yes, but the plan is to move setsebool from libselinux to
libsemanage/utils or policycoreutils and rewrite it to use libsemanage.
Nonetheless, I can't see running it all through setsebool as being
particularly desirable.  Makes more sense to me to just move the files
once for migration and be done with it.  That also simplifies the
problem of atomically setting up the entire sandbox; we can move all of
the local files first, then run semodule -b, and the final commit should
just work since everything will be in place.  I suppose one could
alternatively install the base module first via semodule -b (possibly
with -n too to avoid immediate load), and then apply setsebool -P.

-- 
Stephen Smalley
National Security Agency

