SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Sun Jun 27 16:57:47 UTC 2010 

On 06/27/2010 06:40 PM, Mr Dash Four wrote:
> do I need these files or should I delete them and just keep 
> the .pp file?


You do not really need to contents of ~/myshorewall after youve
built/installed the binary presentation (myshorewall.pp)

However it is a good idea to save the myshorewall.{te,if,fc} source
policy files, as you may want to extend it or just keep it for
reference. It may also be useful for your collegues.

>> sudo semodule -i myshorewall.pp
>>   
> When I did that the module was installed, I rebooted, but this time I 
> started getting alerts popping all over the place from a lot of 
> processes running (alerts I did NOT have before). So, what I did then 
> was to do a relabelling again at reboot, but that did not work - still 
> alerts (not from shorewall though).

Never, ever disable SELinux. (atleast that is my opinion). You can also
configure SELinux to run in permissive mode. Which is basically a
interusion detection system as opposed to intrusing prevention system
(selinux in enforcing mode).

By using permissive mode, labeling should not mess up.

>  From experience (I had this happening before, so I know) - what I did 
> then was to uninstall the targeted policy package via yum (made sure I 
> disabled SELinux first!) AND did 'rm -rdf /etc/selinux/targeted' as 
> there were leftovers in that directory (don't know why, but the majority 
> of the stuff was there even though the policy is supposed to be removed 
> - may be this is an issue for the FC RPM admins/maintainers, I don't 
> know), rebooted, installed selinux-targeted-policy package again, did 
> "semodule -i myshorewall.pp", enabled SELinux (in Permissive mode first) 
> and finally did a relabelling at boot again.
> 
> Result - no alerts of any kind!
> 
> I am now in Enforced mode and everything is going OK so far, so many 
> thanks for the (very prompt) advice - much appreciated.
> 

Yes in some cases de-installation of selinux-policy(-targeted), moving
/etc/selinux/targeted, and re-installation of selinux-policy(-targeted)
is the only way to fix some corruption. Always make sure to relabel
afterwards and also do not forget that local changes will be gone
(another good reason to keep the sources of your custom modules)

> I have two more queries though - if I want to use this module (the .pp 
> file) on a system which is built from a ks file (using standard 
> kickstart tools) do I just copy myshorewall.pp to 
> /etc/selinux/targeted/modules/active/modules on the target system in 
> order to use this module? Would that be enough?

No i do not think it will be enough (you would need sudo semodule -i
myshorewall.pp). But you should report your shorewall issue to bugzilla
so that it can be applied to the next selinux-policy package. This will
then make your customization no longer needed.

> 
> I also need to mention that the target system's root ('/') is 
> 'read-only' in a sense that even though the content in it can be changed 
> it does NOT survive the boot (it is done as a unionfs of a ram  disk and 
> the read-only system where all the files and programs are, so changes 
> get preserved in the ram part for the life of the session, but are gone 
> the next time the machine is rebooted) - this is done for extra security 
> and saved my neck on quite a few occasions!
> 
> Second query in relation to this - when I build the system can I do the 
> relabelling on the target system at the time when the image is built? If 
> so, how do I do that (ideally I would like to do that during the image 
> building process, in the %post section perhaps, of the .ks script)?
> 
> The reason for that is, as I put it above, the changes made once the 
> image is built are not preserved, and I do not want to be relabelling on 
> every reboot as it is too damn slow!
> 

You may (or may not) be able to edit dracut to relabel the filesystem on
each bootup (e.g.) generate an initramfs with the relabeling command.

Not exactly sure how to go about that but. you may be able to add it to
this file:
/usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
and then regenerate initrc (make sure the filesystem is mounted in the
chroot at the point of relabeling though)
/usr/libexec/plymouth/plymouth-update-initrd (unconfirmed)

> Thanks again!
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100627/a0a542e0/attachment.bin

More information about the selinux mailing list