SELinux and Shorewall with IPSets (FC14)
Mr Dash Four
mr.dash.four at googlemail.com
Mon Jan 3 14:25:26 UTC 2011
> Might have been some merge issue with upstream policy.
>
> I think Fedora and refpolicy implement configfile each in a different
> way, this may (or may not) cause confusion when Fedora merges upstream
> refpolicy in its branch.
>
I am annoyed because I do not want to be dealing with issues which were
'resolved' nearly a year ago just to resurface again when I try to upgrade.
Anyway, I backed out of this upgrade because as it turns out there are
also quite a few issues with compiling the kernel as well, so I may as
well just wait until FC15 comes around - I do not normally follow even
number Fedora upgrades, but do not know what possessed me over the xmas
period to go for this upgrade...
> In my view allowing iptables to read all config files is sub-optimal.
>
> I would probably just allow:
>
> shorewall_read_config(iptables)
>
I did that as a temporary measure (added optional_policy statement with
shorewall_read_config) to see if it is going to cure the problem - it
did, though, as you put it above, it is not ideal.