SELinux and Shorewall with IPSets
Stephen Smalley
sds at tycho.nsa.gov
Tue Jun 29 12:12:46 UTC 2010
On Tue, 2010-06-29 at 00:35 +0100, Mr Dash Four wrote:
> >>> Is that a necessary thing to do after installing a new module? My
> >>> understanding is that relabelling only corrects the SELinux file
> >>> attributes on every file on the system, so why would I need to do the
> >>> relabelling when I have just installed a new policy?
> >>>
> >>> Also, if my assumption is correct then why would I need to have a
> >>> running SELinux to do that? It is a great inconvenience and a real pain
> >>> for scenarios I described in my previous posts!
> >>>
> >> Good points. I think you might indeed be able to run restorecon or
> >> fixfiles/setfiles in %post, but I am not sure.
> >>
> >> I would suggest you try it.
> >>
> >> Otherwise wait a day when the professionals can reply to your query.
> >>
> >
> > restorecon exits immediately if SELinux is disabled, so you cannot use
> > it to label a tree on a non-SELinux build host. Dan wanted it that way
> > so that he could unconditionally invoke it from scripts and not have it
> > do anything if SELinux was disabled.
> >
> > setfiles however does support labeling even on a non-SELinux host. As
> > well as labeling an image that is being built with a "foreign" (i.e.
> > different from host) policy on a SELinux host, although you have to run
> > it in setfiles_mac_t for that purpose, as the livecd-creator does.
> >
> Actually, I did execute restorecon on a non-SELinux running image (see
> previous posts on this very thread) and it worked pretty damn well!
>
> It works without me doing anything in particular - just executing
> restorecon and semodule in the %post section of the kickstart file - no
> problem!
rpm -q -f `which restorecon`
grep selinuxfs /proc/filesystems
restorecon checks is_selinux_enabled() and bails if it is not
successful. Just tested it again on F13, and it has been true for a
very long time.
--
Stephen Smalley
National Security Agency
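A small %post-style helper, written here as an added example for this thread (it is not code from the list or from the policycoreutils project). It follows the reply's point that restorecon is a silent no-op when is_selinux_enabled() fails while setfiles can label a tree even on a non-SELinux host; it assumes the image's policy type is "targeted" and that its file_contexts lives at /etc/selinux/<type>/contexts/files/file_contexts (both are assumptions, not stated in the thread).

```shell
# Does the running kernel offer selinuxfs? Same check the reply asks for
# (grep selinuxfs /proc/filesystems); the path is a parameter so the check
# can be exercised against a constructed file.
selinux_kernel_present() {
    grep -q selinuxfs "${1:-/proc/filesystems}" 2>/dev/null
}

# Label the tree at ROOT with the file_contexts found inside ROOT itself, so
# the policy installed in the image decides the labels, not the host's.
# setfiles is used unconditionally: restorecon would exit without doing
# anything on a host where SELinux is disabled.
# Usage: label_tree ROOT [POLICYTYPE]   (POLICYTYPE defaults to "targeted")
label_tree() {
    root="$1"
    policy="${2:-targeted}"
    fc="$root/etc/selinux/$policy/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        echo "label_tree: no file_contexts at $fc" >&2
        return 1
    fi
    if ! selinux_kernel_present; then
        echo "label_tree: host has no selinuxfs; restorecon would be a no-op, using setfiles" >&2
    fi
    if [ "$root" = / ]; then
        # Inside a chrooted %post the tree is already the root.
        setfiles "$fc" /
    else
        # -r strips ROOT from each path before matching it against file_contexts.
        setfiles -r "$root" "$fc" "$root"
    fi
}
```

Call `label_tree /` from a chrooted %post, or `label_tree /path/to/image` from a build script on a host without SELinux.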