Re: SELinux and Shorewall with IPSets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> ipset isn't part of Fedora, right?
Wrong!

It is distributed as rpm in the Fedora Fusion (Free) repo (3 rpms in 
fact: kmod-xtables-addons, xtables-addons and one additional package - 
optional - xtables addons with metadata for kernel).

>   You just built and installed it from source?
>   
Please read my initial post - installing the above packages (i.e. the 
'standard' distribution) makes NO difference whatsoever - I was getting 
the same alerts regardless of whether I compile and install from source 
or use the 'standard' distribution packages.

> I think it might be easiest to just label it the same as iptables and
> then shorewall will transition to iptables_t which already has raw IP
> socket access as well as other related permissions.  That will be better
> too in that you don't need to directly allow shorewall or anything else
> it runs in-domain to have those permissions.
>
> semanage fcontext -a -t iptables_exec_t /path/to/ipset
> restorecon -v /path/to/ipset
>   
An elegant solution ... but unfortunately it does NOT work - I am 
getting the same alerts again.

The problem (as evident from my initial post on this thread) is that the 
shorewall init file (normally based in /etc/shorewall/init) executes 
ipset, which in turn, as you pointed out above, tries to open a raw 
socket. I am in no way SELinux expert, but I would assume that the 
security context in which this executes is shorewall and not the one set 
in ipset.

Anyway, the solution presented by Dominic above works very well, so I 
may stick with it.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux