SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Sun Jun 27 17:04:33 UTC 2010


On 06/27/2010 06:40 PM, Mr Dash Four wrote:

> I have two more queries though - if I want to use this module (the .pp 
> file) on a system which is built from a ks file (using standard 
> kickstart tools) do I just copy myshorewall.pp to 
> /etc/selinux/targeted/modules/active/modules on the target system in 
> order to use this module? Would that be enough?

You cannot simply copy it (you need to install it with semodule -i). But you can
use a single binary presentation on most SELinux-enabled systems (e.g.
deploy the single myshorewall.pp to various similarly configured systems).

All the modules in active/ are compiled into a policy database file,
policy/policy.X.

If you just copy it to active/, it is not compiled into the actual policy
database yet.

> 
> I also need to mention that the target system's root ('/') is 
> 'read-only' in a sense that even though the content in it can be changed 
> it does NOT survive the boot (it is done as a unionfs of a ram disk and 
> the read-only system where all the files and programs are, so changes 
> get preserved in the ram part for the life of the session, but are gone 
> the next time the machine is rebooted) - this is done for extra security 
> and saved my neck on quite a few occasions!
> 
> Second query in relation to this - when I build the system can I do the 
> relabelling on the target system at the time when the image is built? If 
> so, how do I do that (ideally I would like to do that during the image 
> building process, in the %post section perhaps, of the .ks script)?
> 
> The reason for that is, as I put it above, the changes made once the 
> image is built are not preserved, and I do not want to be relabelling on 
> every reboot as it is too damn slow!
> 
> 
> Thanks again!


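The install-then-verify step from the reply, written as a shell function that could be called from a kickstart %post section. This is an added example, not part of the original message; the function name, the /root/myshorewall.pp path and the assumption that the module name equals the .pp file name are illustrative.

```shell
#!/bin/sh
# Added example: install a policy package with semodule and confirm that it
# ended up in the module store, instead of copying the .pp into active/modules.
#
# Assumed usage inside a kickstart %post section (path is a placeholder):
#   install_policy_module /root/myshorewall.pp || exit 1

# install_policy_module PP_FILE
# Returns 0 when the module is listed by `semodule -l` after installation,
# 1 when installation or verification fails, 2 when the file is unreadable.
install_policy_module() {
    pp_file=$1
    # Assumption: the module name equals the file name without ".pp".
    module=$(basename "$pp_file" .pp)

    if [ ! -r "$pp_file" ]; then
        echo "policy package not readable: $pp_file" >&2
        return 2
    fi

    # semodule -i links the package with the other modules and rebuilds the
    # policy database (policy/policy.X); a plain file copy does neither.
    if ! semodule -i "$pp_file"; then
        echo "semodule -i failed for $pp_file" >&2
        return 1
    fi

    # The first column of `semodule -l` is the module name.
    if semodule -l | awk -v m="$module" '$1 == m { found = 1 } END { exit !found }'; then
        echo "module $module installed"
        return 0
    fi

    echo "module $module not listed after install" >&2
    return 1
}
```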

