> Two questions to the SELinux gurus on here: 1) Why am I getting these
> alerts? and 2) How can I fix the problem so that I could run both
> Shorewall and IPSets with SELinux in Enforced mode?
>
> 1) probably untested functionality.
> 2) The following should fix it:
Job done! It works now, though it was NOT a straightforward job!
> make -f /usr/share/selinux/devel/Makefile myshorewall.pp
After executing this even though it all compiled OK I had an error at
the beginning telling me that /selinux/mls does not exist. That was
caused by SELinux being disabled (I did that as I was fed up with all
the alerts I was getting). I reinstated SELinux in Permissive mode,
re-labelled everything and then compiled this again - no error this
time. The above command created a lot of additional files though: .fc,
.if, as well as all_interfaces.conf, iferror.m4, .mod.role and .tmp
files (the last 4 files were placed in ~/myshorewall/tmp for some
reason) - do I need these files or should I delete them and just keep
the .pp file?
> sudo semodule -i myshorewall.pp
When I did that the module was installed, I rebooted, but this time I
started getting alerts popping all over the place from a lot of
processes running (alerts I did NOT have before). So, what I did then
was to do a relabelling again at reboot, but that did not work - still
alerts (not from shorewall though).
From experience (I had this happening before, so I know) - what I did
then was to uninstall the targeted policy package via yum (made sure I
disabled SELinux first!) AND did 'rm -rdf /etc/selinux/targeted' as
there were leftovers in that directory (don't know why, but the majority
of the stuff was there even though the policy is supposed to be removed
- maybe this is an issue for the FC RPM admins/maintainers, I don't
know), rebooted, installed selinux-targeted-policy package again, did
"semodule -i myshorewall.pp", enabled SELinux (in Permissive mode first)
and finally did a relabelling at boot again.
Result - no alerts of any kind!
I am now in Enforced mode and everything is going OK so far, so many
thanks for the (very prompt) advice - much appreciated.
I have two more queries though - if I want to use this module (the .pp
file) on a system which is built from a ks file (using standard
kickstart tools) do I just copy myshorewall.pp to
/etc/selinux/targeted/modules/active/modules on the target system in
order to use this module? Would that be enough?
I also need to mention that the target system's root ('/') is
'read-only' in a sense that even though the content in it can be changed
it does NOT survive the boot (it is done as a unionfs of a ram disk and
the read-only system where all the files and programs are, so changes
get preserved in the ram part for the life of the session, but are gone
the next time the machine is rebooted) - this is done for extra security
and saved my neck on quite a few occasions!
Second query in relation to this - when I build the system can I do the
relabelling on the target system at the time when the image is built? If
so, how do I do that (ideally I would like to do that during the image
building process, in the %post section perhaps, of the .ks script)?
The reason for that is, as I put it above, the changes made once the
image is built are not preserved, and I do not want to be relabelling on
every reboot as it is too damn slow!
Thanks again!
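An added example script (not from this thread) that covers the build/install steps above and the %post relabel query: it reads the module name from the .te, builds in a scratch directory so only the .pp is kept, checks the loaded module list, and relabels an image root once at build time. The setfiles exclude/force flags and the assumption that %post runs inside the image root are this example's, not the thread's.

```shell
# Added example, not the thread's own commands.  Paths follow the thread;
# the setfiles flags and the %post assumption are this example's.
set -eu

# Read the module name from the policy_module(...) line of a .te file.
module_name_from_te() {
    sed -n 's/^[[:space:]]*policy_module([[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | head -n 1
}

# Write a small constructed .te file (sample input for this example only).
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(myshorewall, 1.0)
# (allow rules omitted in this constructed sample)
EOF
}

# Compile <name>.te (plus optional .fc/.if) into <name>.pp.  The Makefile's
# .mod/.tmp/iferror.m4 by-products stay in the scratch dir and are discarded;
# only the .pp is copied back, which is all semodule needs.
build_module() {
    name=$(module_name_from_te "$1")
    src=$(dirname "$1")
    work=$(mktemp -d)
    cp "$1" "$work/"
    for ext in fc if; do
        [ -f "$src/$name.$ext" ] && cp "$src/$name.$ext" "$work/"
    done
    ( cd "$work" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    cp "$work/$name.pp" "$src/"
    rm -rf "$work"
    echo "$src/$name.pp"
}

# Install the module and confirm it appears in the loaded module list.
install_module() {
    semodule -i "$1"
    semodule -l | awk '{print $1}' | grep -qx "$(basename "$1" .pp)"
}

# Relabel the whole tree once inside the image root (e.g. kickstart %post),
# so a unionfs/read-only root ships already labelled and needs no relabel
# on every boot.  Pseudo-filesystems are excluded; -F forces a full pass.
relabel_image_root() {
    setfiles -F -e /proc -e /sys -e /dev /etc/selinux/targeted/contexts/files/file_contexts /
}
```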