返回
-
标题
How to test policy changes before committing? -
说明
If I check out the policy and change one or more profiles, is there a way to test the changes without committing the policy? -
解决办法
To change and test the policy we recommend:
1) Check out a temporary copy, e.g.: pmpolicy checkout -d /tmp
2) Edit the files in the checked out copy as required and make the necessary changes
3) Use pmcheck to verify your changes to the checked out copy, e.g. if I have added 'cat' to allow commands and I want to check if user 'user1' can submit a request to run the command 'cat' as the user 'root' on the local host, today:
pmcheck -i -p /tmp/one/policy_pmpolicy -f pm.conf -u user1 cat /tmp/file
Note: pmcheck has a number of options to allow you to emulate the session parameters, and verify a session submitted from various user/group/host and time/date combinations. Any session variables not explicitly set using the command line options will default to the current environment: i.e.
- submit host and run host will default to the local hostname,
- user will default to the current user;
- requestuser will default to ‘root’
- group information will default to the user’s groups on the local host; rungroup information will default to the requestuser’s groups on the local host
- time and date will default to the current time and date.
More information about pmcheck in the Administrators Guide, page 332
4) Commit your changes, e.g.: pmpolicy commit -d /tmp/ -l "<comment>"