> I have two more queries though - if I want to use this module (the .pp
> file) on a system which is built from a ks file (using standard
> kickstart tools) do I just copy myshorewall.pp to
> /etc/selinux/targeted/modules/active/modules on the target system in
> order to use this module? Would that be enough?
>
No, I do not think it will be enough (you would need sudo semodule -i
myshorewall.pp).
See my previous response - I need to know whether I can use semodule on
a Linux system which isn't running yet.
But you should report your shorewall issue to bugzilla
so that it can be applied to the next selinux-policy package. This will
then make your customization no longer needed.
It is not that simple because xtables is an (unofficial) addon, which
has not yet been added to the ip(6)tables packages (though there are
plans to do that) and as of now it is distributed separately (nothing to
do with shorewall - it just uses it, as it does ip(6)tables). So, I am
hoping that ipset would become part of ip(6)tables and then maybe I
can remove my custom policy.
> [relabelling]
You may (or may not) be able to edit dracut to relabel the filesystem on
each bootup, e.g. generate an initramfs with the relabeling command.
Not exactly sure how to go about that, but you may be able to add it to
this file:
/usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
and then regenerate the initrd (make sure the filesystem is mounted in the
chroot at the point of relabeling though):
/usr/libexec/plymouth/plymouth-update-initrd (unconfirmed)
OK, the whole reason I would like to do the relabelling is because I am
not sure that when the image is built and installed on the target
machine (with SELinux enforced!) I am not going to get lots of alerts
clogging my logs and preventing the system from operating just because
of labelling not done properly. As I am building this image from scratch
using kickstart tools, I do not know whether, if I do not relabel the
system, I will get any alerts. I just want to be prepared for the worst case
scenario, that's all. If I do not get any alerts on the target system
after building and deploying the image, then all is well and this
relabelling business won't be needed - ever (as I already pointed out -
the target system will be read-only)!
Also, by placing '.relabel' (I think that was the file name) in the root
('/') directory this forces SELinux to relabel the whole system at
startup. As I mentioned before, if I need to do relabelling I would like
to do it when the image is built! I do not want to do that at every boot
(doing the relabelling when the target system boots would be a pointless
exercise as the changes won't be saved, so the next time I reboot I will
be at square 1 and the whole process will start again).
How is the relabelling done? Which program is used for that? If I start
that program from the chrooted environment (from the %post section of my
kickstart file - see my previous reply) to relabel the whole image,
would that work?
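A build-time way to do both steps from the kickstart file, as an added example (not code from this thread): the default %post section runs chrooted into the installed tree, so semodule can register the module in the installed policy store without loading it into the installer's kernel (-n), and setfiles can relabel the whole tree with the installed policy's file contexts before the image is ever booted. The source path of myshorewall.pp on the installer side and /mnt/sysimage as the install root are assumptions.

```kickstart
# Assumed: myshorewall.pp was placed at /tmp/myshorewall.pp on the installer
# side earlier in the build (e.g. copied from the install media).
# --nochroot runs on the installer, where the install root is mounted;
# /mnt/sysimage is the classic anaconda mount point (adjust if different).
%post --nochroot
cp /tmp/myshorewall.pp /mnt/sysimage/root/myshorewall.pp
%end

# The default %post is chrooted into the installed system, so the paths
# below are the target's own.
%post --log=/root/ks-post-selinux.log
set -e

# Register the module in the installed policy store.  -n (--noreload)
# rebuilds the store without trying to load the policy into the running
# (installer) kernel; the target loads it normally on its first boot.
semodule -n -i /root/myshorewall.pp
rm -f /root/myshorewall.pp

# Relabel the whole tree now, using the file contexts of the policy that
# was just installed, so no relabel is needed on the (read-only) target.
# -F forces a reset even where a label already exists; -e excludes the
# pseudo filesystems that must not be touched.
setfiles -F -e /proc -e /sys -e /dev \
    /etc/selinux/targeted/contexts/files/file_contexts /
%end
```

After the build, check /root/ks-post-selinux.log on the image for setfiles warnings about invalid contexts before treating the relabel as complete.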