SELinux and Shorewall with IPSets

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 29 12:12:46 UTC 2010


On Tue, 2010-06-29 at 00:35 +0100, Mr Dash Four wrote:
> >>> Is that a necessary thing to do after installing a new module? My 
> >>> understanding is that relabelling only corrects the SELinux file 
> >>> attributes on every file on the system, so why would I need to do the 
> >>> relabelling when I have just installed a new policy?
> >>>
> >>> Also, if my assumption is correct then why would I need to have a 
> >>> running SELinux to do that? It is a great inconvenience and a real pain 
> >>> for scenarios I described in my previous posts!
> >>>       
> >> Good points. i think you might indeed be able to run restorecon or
> >> fixfiles/setfiles in %post, but i am not sure.
> >>
> >> I would suggest you try it.
> >>
> >> Otherwise wait a day when the professionals can reply to your query.
> >>     
> >
> > restorecon exits immediately if SELinux is disabled, so you cannot use
> > it to label a tree on a non-SELinux build host.  Dan wanted it that way
> > so that he could unconditionally invoke it from scripts and not have it
> > do anything if SELinux was disabled.
> >
> > setfiles however does support labeling even on a non-SELinux host.  As
> > well as labeling an image that is being built with a "foreign" (i.e.
> > different from host) policy on a SELinux host, although you have to run
> > it in setfiles_mac_t for that purpose, as the livecd-creator does.
> >   
> Actually, I did execute restorecon on a non-SELinux running image (see 
> previous posts on this very thread) and it worked pretty damn well!
> 
> It works without me doing anything in particular - just executing 
> restorecon and semodule in the %post section of the kickstart file - no 
> problem!

rpm -q -f `which restorecon`
grep selinuxfs /proc/filesystems

restorecon checks is_selinux_enabled() and bails if it is not
successful.  Just tested it again on F13, and it has been true for a
very long time.

-- 
Stephen Smalley
National Security Agency
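An added example, not part of the original thread, of what Stephen's point means for a %post-style script: restorecon returns without doing anything when is_selinux_enabled() is false, so a tree labelled on a non-SELinux build host with restorecon looks labelled but is not, whereas setfiles with -r treats the tree as an alternate root and works regardless of the host. The selinuxfs check below is the `grep selinuxfs /proc/filesystems` diagnostic from the message, taking the file path as a parameter so it can be exercised on a constructed file; the image root /mnt/image, the targeted policy's file_contexts path, and the DRY_RUN variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Labels an image tree from a
# build host that may or may not have SELinux. Paths and the DRY_RUN knob
# are assumptions; only the setfiles -r invocation is from the discussion.

# Does the kernel advertise selinuxfs? This is the grep from the message.
# Argument: path of a /proc/filesystems-style list (defaults to the real one)
# so the check can be run against a constructed file.
host_has_selinuxfs() {
    grep -q selinuxfs "${1:-/proc/filesystems}"
}

# Label $1 as an image root using the file_contexts shipped inside the image.
# setfiles -r strips the root prefix before matching, so the spec file's
# absolute paths apply to the tree. restorecon is deliberately never used
# here: on a host where SELinux is disabled it exits immediately, which would
# leave the tree unlabelled without any error.
# $2: filesystems list to consult for the warning (default /proc/filesystems).
# DRY_RUN=1 prints the command instead of executing it.
label_tree() {
    root=$1
    fslist=${2:-/proc/filesystems}
    # Assumed policy name "targeted"; adjust for the image's policy.
    spec="$root/etc/selinux/targeted/contexts/files/file_contexts"

    if ! host_has_selinuxfs "$fslist"; then
        echo "note: host has no selinuxfs; restorecon would be a silent no-op here" >&2
    fi

    cmd="setfiles -r $root $spec $root"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    [ -r "$spec" ] || { echo "no file_contexts at $spec" >&2; return 2; }
    command -v setfiles >/dev/null 2>&1 || { echo "setfiles not installed" >&2; return 2; }
    $cmd
}
```

In a kickstart, the call would sit in %post as `label_tree /` (chrooted) or `label_tree /mnt/image` (with --nochroot); on a SELinux host applying a policy different from the host's, the setfiles process additionally has to run in setfiles_mac_t, as livecd-creator does, which this script does not arrange.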