How to replicate SELinux policies among Linux machines

SELinux, or Security-Enhanced Linux, is a set of kernel modifications & user-space tools that implements access policies known as MAC (mandatory access control). It reduces the privileges of any server or service to the minimum required to work, thus eliminating problems due to unchecked privileges.

With SELinux, there is no concept of a root user or superuser, & it does not have the shortcomings of the standard Linux security mechanism, for example the dependence on setuid/setgid. We have already discussed SELinux in detail in our article Beginner’s guide to SELinux. Please refer to that article to learn about SELinux in detail.

In this tutorial, we are going to discuss how to replicate the SELinux policies of one system to another system. But before we do that, let’s discuss the prerequisite.


Pre-requisite

In order to copy the SELinux policies of one system to another, we require the ‘semanage’ command. To check if the ‘semanage’ command is installed on your CentOS machine, run

$ semanage --help

& if you get the following error, then it's not installed on your machine,

-bash: semanage: command not found

To get the ‘semanage’ command on your machine, install the following package,

$ sudo yum install policycoreutils-python

This will install the ‘semanage’ command along with some other dependencies.

 

Replicate SELinux policies

First, we will create a file containing all the SELinux customizations/settings of the source system. To create it, execute the following command,

$ sudo semanage -o /root/local.selinux

Now transfer this file to the second system, on which we want the same SELinux policies as the first system,

$ scp -rv /root/local.selinux root@192.168.1.100:/root

After the file has been copied to the second machine, we need to import it there. So, ssh into the second machine,

$ ssh root@192.168.1.100

Once logged in to the system, import the file using the following command,

# semanage -i /root/local.selinux

That’s it, this will restore the SELinux policies of the first machine onto the second machine.

Note:- This works fine on CentOS 6 & up; CentOS 5 lacks the feature to export the SELinux customizations to a file.

Also, we need to make sure that the target machine is on either the same or a higher version of SELinux than the source machine, as SELinux modules are not backward compatible.
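
Before running the import on the second machine, it is worth comparing the exported file with the target's own export, so you can see which local customizations the import will change. The script below is an added example, not part of the original tutorial; the function names and sample file contents are constructed, and it assumes the export holds one semanage command per line, with "<type> -D" lines that delete all local customizations of that type when imported.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.
# Assumption: an export holds one semanage command per line, and "<type> -D"
# lines delete every local customization of that type on import.

# Customization lines only: no comments, blanks, or "-D" reset lines.
customizations() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[a-z_]+ -D$' | sort -u
}

# Customizations present in export $2 but absent from export $1.
missing_from() {
    _ref=$(mktemp)
    customizations "$1" > "$_ref"
    customizations "$2" | grep -Fxv -f "$_ref" || true
    rm -f "$_ref"
}
# Both take: SOURCE_EXPORT TARGET_EXPORT
lost_on_import()  { missing_from "$1" "$2"; }   # target-only: gone after import
added_on_import() { missing_from "$2" "$1"; }   # source-only: new after import

# Object types the source export resets before re-adding its own entries.
reset_types() {
    sed -n 's/^\([a-z_]*\) -D$/\1/p' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample exports for a dry run of the comparison.
make_samples() {      # usage: make_samples DIR
    cat > "$1/source.selinux" <<'EOF'
boolean -D
port -D
fcontext -D
boolean -m -1 httpd_can_network_connect
port -a -t http_port_t -p tcp 8080
EOF
    cat > "$1/target.selinux" <<'EOF'
port -D
port -a -t http_port_t -p tcp 8080
port -a -t ssh_port_t -p tcp 2222
EOF
}

d=$(mktemp -d); make_samples "$d"
echo "reset on import: $(reset_types "$d/source.selinux")"
echo "lost on target:  $(lost_on_import "$d/source.selinux" "$d/target.selinux")"
echo "new on target:   $(added_on_import "$d/source.selinux" "$d/target.selinux")"
rm -rf "$d"
```

On real systems, run 'semanage -o' on the target as well and pass both files to these functions before the import; keep the target's export as a backup so it can be re-imported if needed.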

With this we end our tutorial, feel free to send any questions or suggestions you have. ADIOS !!!

 


Shusain
