SELinux and Shorewall with IPSets

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 29 13:41:59 UTC 2010


On Tue, 2010-06-29 at 14:35 +0100, Mr Dash Four wrote:
> >> Actually, I did execute restorecon on a non-SELinux running image (see 
> >> previous posts on this very thread) and it worked pretty damn well!
> >>
> >> It works without me doing anything in particular - just executing 
> >> restorecon and semodule in the %post section of the kickstart file - no 
> >> problem!
> >>     
> >
> > rpm -q -f `which restorecon`
> > grep selinuxfs /proc/filesystems
> >
> > restorecon checks is_selinux_enabled() and bails if it is not
> > successful.  Just tested it again on F13, and it has been true for a
> > very long time
> Let me make sure we are on the same page - the SELinux on the system I 
> am running to build the image is enabled (in enforced mode) and running 
> the targeted policy.

Oh, so SELinux is enabled.  

> The commands I am executing (semodule, semanage, restorecon etc) are run 
> in the %post section of my kickstart file (the file, which is executed 
> and used to build that image) - these commands are basically executed in 
> chroot-ed environment (on the image file) just after it has been created 
> and all software, including SELinux + targeted policy, is installed (the 
> SELinux there is enabled and ready for using the targeted policy, but it 
> is NOT running as nothing is loaded - it is just an image with about 
> 200+MB worth of files in it).

Sure, but the question of SELinux enablement is merely one of whether
the running kernel has SELinux enabled and a policy loaded.  As your
build host is running with SELinux enabled, restorecon will run for you,
even within the chroot, although it might need proc mounted within the
chroot to determine the SELinux status.

> All of the above SELinux commands run successfully without any problem 
> whatsoever.
> 
> I have verified that and I am 100% certain they are doing the job they 
> are supposed to be doing on the image file (with the 'dead' SELinux 
> system). So, if you are thinking that is not possible, you are quite 
> simply wrong, because it is clear to me that is not the case - I saw 
> this with my own eyes!

restorecon will run as long as it sees that SELinux is enabled, which in
this case it is.  But if you were in fact building the image on a
SELinux-disabled host, you'd have to use setfiles instead.

Another interesting case is when SELinux is enabled on the build host
but using a very different policy than the image you are building,
including file security contexts that aren't even defined in the build
host's policy.  They had to solve that issue for livecd-creator.

-- 
Stephen Smalley
National Security Agency
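The restorecon-versus-setfiles point above, as an added example that is not part of the thread: a shell helper that emulates libselinux's is_selinux_enabled() check (a mounted selinuxfs) against a given mounts file and picks the relabel command accordingly. It assumes a hypothetical image root that has the targeted policy installed under etc/selinux/targeted; the mounts file argument exists so the decision can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Chooses how to relabel an image
# root built in a chroot: restorecon only acts when is_selinux_enabled() succeeds,
# whereas setfiles takes an explicit spec file and root and does not care.
# Assumption: the image (hypothetical path) has the targeted policy installed.

# libselinux's is_selinux_enabled() keys off a mounted selinuxfs. Emulate that check
# against a mounts file (normally /proc/mounts); returns 0 if selinuxfs is mounted.
# Matching on the fstype field covers both "none /selinux selinuxfs" (older layouts)
# and "selinuxfs /sys/fs/selinux selinuxfs".
selinuxfs_mounted() {
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# Print the command that relabels "$root". With SELinux live on the build host
# (and proc visible in the chroot), restorecon works. Otherwise fall back to
# setfiles, giving it the image's own file_contexts and -r so that paths in the
# spec file are interpreted relative to the image root rather than the host.
relabel_command() {
    root=$1
    mounts=${2:-/proc/mounts}
    fc="$root/etc/selinux/targeted/contexts/files/file_contexts"
    if selinuxfs_mounted "$mounts"; then
        echo "restorecon -R $root"
    else
        echo "setfiles -r $root $fc $root"
    fi
}

# Usage: sh relabel.sh /mnt/image   (prints the command; pipe to sh to run it)
if [ $# -gt 0 ]; then
    relabel_command "$1"
fi
```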


