On 06/27/2010 06:40 PM, Mr Dash Four wrote: > do I need these files or should I delete them and just keep > the .pp file? You do not really need to contents of ~/myshorewall after youve built/installed the binary presentation (myshorewall.pp) However it is a good idea to save the myshorewall.{te,if,fc} source policy files, as you may want to extend it or just keep it for reference. It may also be useful for your collegues. >> sudo semodule -i myshorewall.pp >> > When I did that the module was installed, I rebooted, but this time I > started getting alerts popping all over the place from a lot of > processes running (alerts I did NOT have before). So, what I did then > was to do a relabelling again at reboot, but that did not work - still > alerts (not from shorewall though). Never, ever disable SELinux. (atleast that is my opinion). You can also configure SELinux to run in permissive mode. Which is basically a interusion detection system as opposed to intrusing prevention system (selinux in enforcing mode). By using permissive mode, labeling should not mess up. > From experience (I had this happening before, so I know) - what I did > then was to uninstall the targeted policy package via yum (made sure I > disabled SELinux first!) AND did 'rm -rdf /etc/selinux/targeted' as > there were leftovers in that directory (don't know why, but the majority > of the stuff was there even though the policy is supposed to be removed > - may be this is an issue for the FC RPM admins/maintainers, I don't > know), rebooted, installed selinux-targeted-policy package again, did > "semodule -i myshorewall.pp", enabled SELinux (in Permissive mode first) > and finally did a relabelling at boot again. > > Result - no alerts of any kind! > > I am now in Enforced mode and everything is going OK so far, so many > thanks for the (very prompt) advice - much appreciated. > Yes in some cases de-installation of selinux-policy(-targeted), moving /etc/selinux/targeted, and re-installation of selinux-policy(-targeted) is the only way to fix some corruption. Always make sure to relabel afterwards and also do not forget that local changes will be gone (another good reason to keep the sources of your custom modules) > I have two more queries though - if I want to use this module (the .pp > file) on a system which is built from a ks file (using standard > kickstart tools) do I just copy myshorewall.pp to > /etc/selinux/targeted/modules/active/modules on the target system in > order to use this module? Would that be enough? No i do not think it will be enough (you would need sudo semodule -i myshorewall.pp). But you should report your shorewall issue to bugzilla so that it can be applied to the next selinux-policy package. This will then make your customization no longer needed. > > I also need to mention that the target system's root ('/') is > 'read-only' in a sense that even though the content in it can be changed > it does NOT survive the boot (it is done as a unionfs of a ram disk and > the read-only system where all the files and programs are, so changes > get preserved in the ram part for the life of the session, but are gone > the next time the machine is rebooted) - this is done for extra security > and saved my neck on quite a few occasions! > > Second query in relation to this - when I build the system can I do the > relabelling on the target system at the time when the image is built? If > so, how do I do that (ideally I would like to do that during the image > building process, in the %post section perhaps, of the .ks script)? > > The reason for that is, as I put it above, the changes made once the > image is built are not preserved, and I do not want to be relabelling on > every reboot as it is too damn slow! > You may (or may not) be able to edit dracut to relabel the filesystem on each bootup (e.g.) generate an initramfs with the relabeling command. Not exactly sure how to go about that but. you may be able to add it to this file: /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh and then regenerate initrc (make sure the filesystem is mounted in the chroot at the point of relabeling though) /usr/libexec/plymouth/plymouth-update-initrd (unconfirmed) > Thanks again! > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux