SELinux and Shorewall with IPSets
Dominick Grift
domg472 at gmail.com
Sun Jun 27 17:04:33 UTC 2010
On 06/27/2010 06:40 PM, Mr Dash Four wrote:
> I have two more queries though - if I want to use this module (the .pp
> file) on a system which is built from a ks file (using standard
> kickstart tools) do I just copy myshorewall.pp to
> /etc/selinux/targeted/modules/active/modules on the target system in
> order to use this module? Would that be enough?
You cannot simply copy it (you need to install it with semodule -i). But you can
use a single binary presentation on most SELinux-enabled systems (e.g.
deploy the single myshorewall.pp to various similarly configured systems).
All the modules in active/ are compiled into a policy database file,
policy/policy.X.
If you just copy it to active/, it is not compiled into the actual policy
database yet.
>
> I also need to mention that the target system's root ('/') is
> 'read-only' in a sense that even though the content in it can be changed
> it does NOT survive the boot (it is done as a unionfs of a ram disk and
> the read-only system where all the files and programs are, so changes
> get preserved in the ram part for the life of the session, but are gone
> the next time the machine is rebooted) - this is done for extra security
> and saved my neck on quite a few occasions!
>
> Second query in relation to this - when I build the system can I do the
> relabelling on the target system at the time when the image is built? If
> so, how do I do that (ideally I would like to do that during the image
> building process, in the %post section perhaps, of the .ks script)?
>
> The reason for that is, as I put it above, the changes made once the
> image is built are not preserved, and I do not want to be relabelling on
> every reboot as it is too damn slow!
>
>
> Thanks again!