How to replicate SELinux policies among Linux machines
SELinux or Security Enhaced Linux, is a set of kernel modification & user-space tools, that implements access policies called MAC (Mandatory access controls). It reduces privileges for any server or service to minimum required to work, thus eliminating problems due to unchecked privileges.
With SELinux, there is no concept for root user or super user & also does not have short comings of Linux security mechanism, for ex dependence on setuid/setgid. We have already discussed SELinux in detail in our article Beginner’s guide to SELinux. Please refer the article to learn about SELinux in detail.
In this tutorial, we are going to discuss how we can replicate SELinux policies of one system to another system. But before we do that let’s discuss pre-requisite,
In order to copy the SELinux policies of one system to another, we require ‘semange’ command. To check if ‘semange’ command is installed on your CentOS machine, run
$ semanage –help
& if you get the following error, than its not installed on your machine,
-bash: semanage: command not found
To install ‘semanage’ command on your machine, install the following package,
$ sudo yum install policycoreutils-python
This command will install ‘semange’ command along with some other dependencies.
Replicate SELinux policies
We will firstly create a file with all the SELinux customization/settings, to create it execute the following command,
$ sudo semanage -o /root/local.selinux
Now transfer this file the second system on which we want same SELinux policies as the first system,
$ scp -rv /root/local.selinux firstname.lastname@example.org:/root
After the file has been copied to second machine, we now need to restore that file. So, ssh into the second machine,
$ ssh email@example.com
After we have accessed the system, restore file using the following command,
# semanage -i /root/local.selinux
That’s it , this will restore the SELinux policies of first machine onto the second machine.
Note:- This works fine on CentOS 6 & up, CentOS 5 lacks the feature to export the SELinux customization to a file.
Also we need to make sure that the target machine should either be on same or higher version of SELinux as source machine as the SELinux modules are not backward compatible.
With this we end our tutorial, feel free to send any questions or suggestions you have. ADIOS !!!