> So I'm curious as to why this isn't working for you. Did the restorecon > command in fact change the label of the program to iptables_exec_t? Did > you get the same AVC message as before? > Mystery solved! I've had an inspiration this morning. At the time I installed ipset at least 2 times (from Fedora Fusion as well as compiling it from source), so I assumed ipset was installed in the same location. 'whereis ipset' revealed that I have TWO copies: one in /sbin and another one (which I have 'used' up until now) in /usr/sbin. So, for some reason, even though I specified the executable in /usr/sbin to be executed in my shorewall init (the one with the 'right' SELinux attributes) the executable in /sbin must have been picked somehow. When I removed the copy in /sbin and then rebooted - all was well and shorewall ran without any problems. Bizarre! -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
