Hello,

I've been running selinux (and the targeted policy) on my workstation since FC3 came out. I'm now using FC4. Every so often, after scanning the audit logs, I notice that I need to tweak the policy for the way I use / configure my system.

I also have a few handfuls of FC2 servers and I'm starting to look at rolling out FC4 to them. (I'm building the kickstart configuration now.) I'd like to keep selinux enabled, but I'm concerned about managing the policy tweaks.

On my workstation, I install the targeted policy sources, edit domain/misc/local.te or file_contexts/misc/local.fc as necessary, then "make load" (which I guess does, in effect, a "make; make install; make load") and relabel as necessary. From what I've read, installing the policy sources on each server is probably not a good idea.

How do you go about managing selinux policies across many machines?

Each machine starts from a kickstart build that already diverges from the stock selinux targeted policy: /home is a symlink to /v/home, which is on a different partition from /. It seems to me that /v/home never gets labeled correctly until I rebuild the policy from source.

After the initial build, I'm sure I'll need to tweak the policies on a per-machine basis.

Should I roll my own policies from targeted and update them (every couple days) when the targeted policy is updated?

Should I just have one uber policy on my workstation that combines all the tweaks across all the machines, then install the binary policy files on the individual machines?

Any practical experience with this, links, or other advice?

Thanks,
pete