SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Wed Jun 30 21:14:47 UTC 2010


On 06/30/2010 11:09 PM, Mr Dash Four wrote:
> 
>>>> This is what I committed to my branch that might fix that:
>>>>
>>>> ------------------------ policy/modules/apps/livecd.te
>>>> ------------------------
>>>> index 4e69cdf..5d1084a 100644
>>>> @@ -23,7 +23,7 @@
>>>>
>>>>  domain_ptrace_all_domains(livecd_t)
>>>>
>>>> -seutil_domtrans_setfiles_mac(livecd_t)
>>>> +seutil_run_setfiles_mac(livecd_t, system_r)
>>>>
>>>>  manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>>>  manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>>>
>>>>         
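Review bot: the role on the added line `seutil_run_setfiles_mac(livecd_t, system_r)` is hard-coded to `system_r`, and nothing in the hunk says why that is the right role. The run interface differs from the removed `seutil_domtrans_setfiles_mac(livecd_t)` call by also associating the setfiles_mac domain with the given role, so the fix only helps when livecd_t is running under `system_r`; a process that reaches livecd_t under any other role would still be refused the transition. Suggest a one-line comment above the call stating which role livecd_t is expected to run in, and, if other roles can enter livecd_t, making the association wherever those roles are granted livecd_t rather than here. The excerpt also lacks the `---`/`+++` file header lines, so it cannot be applied with patch as posted.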
>>> Do I save this as ~/rpmbuld/SOURCES/DG-SELinux.patch and then apply it
>>> to my custom selinux-policy?
>>>     
>>
>> Replace it manually, because that isn't a proper patch.
>>
>> Open policy/modules/apps/livecd.te, find
>> seutil_domtrans_setfiles_mac(livecd_t) and replace it with
>> seutil_run_setfiles_mac(livecd_t, system_r)
>>   
> I presume this will be for the development machine (the one I am using
> to create the image) as on the image itself livecd is not used at all
> and is not needed. Is that correct? If so, I presume I need to compile
> and install my own custom policy and replace it with the 'stock' version
> - is that right?

It's a bug in policy, and in that regard it affects all systems. The
problem is that if you are going to maintain your own fork of
selinux_policy it will be much work to maintain (a Fedora update might
undo your changes).

Therefore it is best to submit this bug report to Fedora Bugzilla so
that the fix can be applied upstream; then eventually it will get pushed
to the repositories and end up on your system.

So in your case, you might want to, in the meantime, fix it with a
custom module (myseutils.pp) whilst your bug report is processed.
