SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Sun Jun 27 19:26:42 UTC 2010


On 06/27/2010 08:37 PM, Mr Dash Four wrote:
> 
>>> Also, does semodule need to have a running SELinux as I need to deploy 
>>> this module on a Linux system (image) which does NOT have SELinux 
>>> running (yet)?
>>>     
>>
>> Not sure, try it out.
>>   
> I will, though I have a gut feeling that it won't work as semodule may 
> be looking for a running SELinux database and I presume it picks up 
> policy (and files) from the running system. Will give it a try though!
> 
>>> In other words, if I issue this command in chroot-ed environment would 
>>> that be enough? The "%post" section of the kickstart file does just that 
>>> - it chroots to the image as it has been built and from there I can do 
>>> whatever I like on the actual image, though this is not a running system 
>>> - i.e. SELinux on that system is not loaded! If that is possible and if 
>>> I run on different architectures (say the image is for x86_64 and the 
>>> machine on which the image is built is i686) would it matter?
>>>     
>>
>> The policy is arch-independent but I am not sure if it can be installed
>> on a system that has no selinux enabled. I think it is possible but I am
>> not sure.
>>   
> I'll give it a go!
> 
>> You will still have the issue that you would have to relabel the
>> filesystem on each boot though.
>>   
> Is that a necessary thing to do after installing a new module? My 
> understanding is that relabelling only corrects the SELinux file 
> attributes on every file on the system, so why would I need to do the 
> relabelling when I have just installed a new policy?
> 
> Also, if my assumption is correct then why would I need to have a 
> running SELinux to do that? It is a great inconvenience and a real pain 
> for scenarios I described in my previous posts!

Good points. I think you might indeed be able to run restorecon or
fixfiles/setfiles in %post, but I am not sure.

I would suggest you try it.

Otherwise wait a day when the professionals can reply to your query.
