SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Sun Jun 27 18:27:27 UTC 2010


>> I have two more queries though - if I want to use this module (the .pp 
>> file) on a system which is built from a ks file (using standard 
>> kickstart tools) do I just copy myshorewall.pp to 
>> /etc/selinux/targeted/modules/active/modules on the target system in 
>> order to use this module? Would that be enough?
>>     
>
> No, I do not think it will be enough (you would need sudo semodule -i
> myshorewall.pp).
See my previous response - I need to know whether I can use semodule on 
a Linux system, which isn't running yet.

>  But you should report your shorewall issue to bugzilla
> so that it can be applied to the next selinux-policy package. This will
> then make your customization no longer needed.
>   
It is not that simple because xtables is an (unofficial) addon, which 
has not yet been added to the ip(6)tables packages (though there are 
plans to do that) and as of now it is distributed separately (nothing to 
do with shorewall - it just uses it, as it does ip(6)tables). So, I am 
hoping that ipset would become part of ip(6)tables and then, maybe I 
can remove my custom policy.

>> [relabelling]
>
> You may (or may not) be able to edit dracut to relabel the filesystem on
> each bootup (e.g.) generate an initramfs with the relabeling command.
>
> Not exactly sure how to go about that, but you may be able to add it to
> this file:
> /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
> and then regenerate initrc (make sure the filesystem is mounted in the
> chroot at the point of relabeling though)
> /usr/libexec/plymouth/plymouth-update-initrd (unconfirmed)
>   
OK, the whole reason I would like to do the relabelling is because I am 
not sure that when the image is built and installed on the target 
machine (with SELinux enforced!) I am not going to get lots of alerts 
clogging my logs and preventing the system from operating just because 
of labelling not done properly. As I am building this image from scratch 
using kickstart tools, I do not know if I do not relabel the system I 
won't get any alerts. I just want to be prepared for the worst case 
scenario, that's all. If I do not get any alerts on the target system 
after building and deploying the image, then all is well and this 
relabelling business won't be needed - ever (as I already pointed out - 
the target system will be read-only)!

Also, by placing '.relabel' (I think that was the file name) in the root 
('/') directory this forces SELinux to relabel the whole system at 
startup. As I mentioned before, if I need to do relabelling I would like 
to do it when the image is built! I do not want to do that at every boot 
(doing the relabelling when the target system boots would be a pointless 
exercise as the changes won't be saved, so the next time I reboot I will 
be at square 1 and the whole process will start again).

How is the relabelling done? Which program is used for that? If I start 
that program from a chroot-ed environment (from the %post section of my 
kickstart file - see my previous reply) to relabel the whole image, 
would that work?
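The build-time relabel the poster asks about, as an added example that is not from the thread: a kickstart %post fragment that installs the custom module with semodule inside the chrooted target and then relabels the installed tree with setfiles from the target's own file_contexts. Assumed names: /root/myshorewall.pp as the place the .pp file was copied to in the target, and /root/ks-post.log for the %post log.

```kickstart
# Added example (not from the thread). Assumes the targeted policy is installed
# in the image and the module was copied to /root/myshorewall.pp beforehand.
%post --log=/root/ks-post.log
set -e

# %post runs chrooted into the installed system by default, so every path
# below refers to the image, not the installer. Install the module before
# relabelling so any file contexts it defines are applied by setfiles.
# -n (--noreload): record the module in the store without loading it into the
# running kernel, which is the installer's kernel and may not accept it here.
semodule -n -i /root/myshorewall.pp

# Relabel the whole image from the target's file_contexts.
# -F forces a reset even where a context is already set (a fresh install may
# carry labels from the installer); pseudo-filesystems are excluded because
# they hold no persistent labels and would only produce errors.
FC=/etc/selinux/targeted/contexts/files/file_contexts
setfiles -F -e /proc -e /sys -e /dev "$FC" /

# The labels written here are stored in the image itself, so the read-only
# target boots with correct contexts and no boot-time relabel is needed.
%end
```

Inspect /root/ks-post.log in the built image: any setfiles or semodule error there is the labelling problem to fix before deployment, rather than an AVC denial to chase on the running target.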