SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Sun Jun 27 16:40:40 UTC 2010


>> Two questions to the SELinux gurus on here: 1) Why am I getting these 
>> alerts? and 2) How can I fix the problem so that I could run both 
>> Shorewall and IPSets with SELinux in Enforced mode?
>>
> 1) probably untested functionality.
>
> 2) The following should fix it:
>
Job done! It works now, though it was NOT a straightforward job!

> make -f /usr/share/selinux/devel/Makefile myshorewall.pp
>
After executing this, even though it all compiled OK, I had an error at 
the beginning telling me that /selinux/mls did not exist. That was 
caused by SELinux being disabled (I did that as I was fed up with all 
the alerts I was getting). I reinstated SELinux in Permissive mode, 
re-labelled everything and then compiled this again - no error this 
time. The above command created a lot of additional files though: .fc, 
.if, as well as all_interfaces.conf, iferror.m4, .mod.role and .tmp 
files (the last 4 files were placed in ~/myshorewall/tmp for some 
reason) - do I need these files, or should I delete them and just keep 
the .pp file?

> sudo semodule -i myshorewall.pp
>
When I did that, the module was installed; I rebooted, but this time I 
started getting alerts popping up all over the place from a lot of 
running processes (alerts I did NOT have before). So, what I did then 
was to do a relabelling again at reboot, but that did not work - still 
alerts (not from shorewall though).

From experience (I had this happening before, so I know) - what I did 
then was to uninstall the targeted policy package via yum (made sure I 
disabled SELinux first!) AND did 'rm -rdf /etc/selinux/targeted' as 
there were leftovers in that directory (don't know why, but the majority 
of the stuff was there even though the policy is supposed to be removed 
- maybe this is an issue for the FC RPM admins/maintainers, I don't 
know), rebooted, installed the selinux-targeted-policy package again, did 
"semodule -i myshorewall.pp", enabled SELinux (in Permissive mode first) 
and finally did a relabelling at boot again.

Result - no alerts of any kind!

I am now in Enforced mode and everything is going OK so far, so many 
thanks for the (very prompt) advice - much appreciated.

I have two more queries though - if I want to use this module (the .pp 
file) on a system which is built from a ks file (using standard 
kickstart tools) do I just copy myshorewall.pp to 
/etc/selinux/targeted/modules/active/modules on the target system in 
order to use this module? Would that be enough?

I also need to mention that the target system's root ('/') is 
'read-only' in the sense that even though the content in it can be changed, 
it does NOT survive the boot (it is done as a unionfs of a RAM disk and 
the read-only system where all the files and programs are, so changes 
get preserved in the RAM part for the life of the session, but are gone 
the next time the machine is rebooted) - this is done for extra security 
and has saved my neck on quite a few occasions!

Second query in relation to this - when I build the system can I do the 
relabelling on the target system at the time when the image is built? If 
so, how do I do that (ideally I would like to do that during the image 
building process, in the %post section perhaps, of the .ks script)?

The reason for that is, as I put it above, the changes made once the 
image is built are not preserved, and I do not want to be relabelling on 
every reboot as it is too damn slow!


Thanks again!
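A worked example for the second query above (labelling at image-build time), added here and not part of the original thread or of any project's own code: a kickstart %post fragment, written as shell functions, that installs the custom module into the image's policy store and labels the image's files while the image is built, so a root that is reset on every boot never needs /.autorelabel. It assumes %post runs chrooted into the new root, that the module was copied to /root/myshorewall.pp, and that the policy is "targeted"; those paths and the helper names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Kickstart %post fragment that
# labels a read-only root at build time instead of relabelling on each boot.
# Assumed: module at /root/myshorewall.pp, policy "targeted", %post chrooted.
POLICY=${POLICY:-targeted}
MODULE=${MODULE:-/root/myshorewall.pp}

# Path of the policy store's file_contexts inside the image root given as $1.
file_contexts_path() {
    printf '%s/etc/selinux/%s/contexts/files/file_contexts\n' "$1" "$POLICY"
}

# Check, before spending time on a relabel, that the image root ($1) carries an
# SELinux config and the file_contexts that setfiles needs. Returns 1 if not.
check_image() {
    root=$1
    [ -f "$root/etc/selinux/config" ] ||
        { echo "missing $root/etc/selinux/config" >&2; return 1; }
    [ -f "$(file_contexts_path "$root")" ] ||
        { echo "missing file_contexts for policy $POLICY" >&2; return 1; }
    return 0
}

# Install the .pp into the store without loading it into the running kernel
# (-n = --noreload): the installer environment is not running the image's policy.
# Only the .pp is needed here; the .fc/.if/tmp files from the build can stay behind.
install_module() {
    semodule -n -i "$1" && semodule -l | grep -q "^$(basename "$1" .pp)"
}

# Label every file under the image root from the store's file_contexts.
# -F forces the context even where a file already carries one; -r handles a
# root mounted elsewhere (for %post --nochroot). Default root is / (chrooted).
label_image() {
    root=${1:-/}
    check_image "$root" || return 1
    if [ "$root" = / ]; then
        setfiles -F "$(file_contexts_path /)" /
    else
        setfiles -F -r "$root" "$(file_contexts_path "$root")" "$root"
    fi
}

# Build-time sequence to call from %post: install the module, then label the image.
post_install() {
    install_module "$MODULE" && label_image /
}
```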
