On 06/27/2010 06:40 PM, Mr Dash Four wrote:
> I have two more queries though - if I want to use this module (the
> file) on a system which is built from a ks file (using standard
> kickstart tools) do I just copy myshorewall.pp to
> /etc/selinux/targeted/modules/active/modules on the target system in
> order to use this module? Would that be enough?

You cannot simply copy it; you need to install it (semodule -i). But you can
use a single binary presentation on most SELinux-enabled systems (e.g.
deploy the single myshorewall.pp to various similarly configured systems).
All the modules in active/ are compiled into a policy database file.
If you just copy it to active/, it is not compiled into the actual policy.

> I also need to mention that the target system's root ('/') is
> 'read-only' in a sense that even though the content in it can be changed
> it does NOT survive the boot (it is done as a unionfs of a ram disk and
> the read-only system where all the files and programs are, so changes
> get preserved in the ram part for the life of the session, but are gone
> the next time the machine is rebooted) - this is done for extra security
> and saved my neck on quite a few occasions!
>
> Second query in relation to this - when I build the system can I do the
> relabelling on the target system at the time when the image is built? If
> so, how do I do that (ideally I would like to do that during the image
> building process, in the %post section perhaps, of the .ks script)?
>
> The reason for that is, as I put it above, the changes made once the
> image is built are not preserved, and I do not want to be relabelling on
> every reboot as it is too damn slow!

selinux mailing list