SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Tue Jun 29 13:35:30 UTC 2010


>> Actually, I did execute restorecon on a non-SELinux running image (see 
>> previous posts on this very thread) and it worked pretty damn well!
>>
>> It works without me doing anything in particular - just executing 
>> restorecon and semodule in the %post section of the kickstart file - no 
>> problem!
>>     
>
> rpm -q -f `which restorecon`
> grep selinuxfs /proc/filesystems
>
> restorecon checks is_selinux_enabled() and bails if it is not
> successful.  Just tested it again on F13, and it has been true for a
> very long time

Let me make sure we are on the same page - the SELinux on the system I 
am running to build the image is enabled (in enforced mode) and running 
the targeted policy.

The commands I am executing (semodule, semanage, restorecon etc) are run 
in the %post section of my kickstart file (the file, which is executed 
and used to build that image) - these commands are basically executed in 
a chroot-ed environment (on the image file) just after it has been created 
and all software, including SELinux + targeted policy, is installed (the 
SELinux there is enabled and ready for using the targeted policy, but it 
is NOT running as nothing is loaded - it is just an image with about 
200+MB worth of files in it).

All of the above SELinux commands run successfully without any problem 
whatsoever.

I have verified that and I am 100% certain they are doing the job they 
are supposed to be doing on the image file (with the 'dead' SELinux 
system). So, if you are thinking that is not possible, you are quite 
simply wrong, because it is clear to me that is not the case - I saw 
this with my own eyes!

