[refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
Christopher J. PeBenito
cpebenito at tresys.com
Tue Mar 8 10:08:40 CST 2011
On 03/08/11 10:51, Paul Howarth wrote:
> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>
>>> * shorewall-init script runs /var/lib/shorewall/firewall
>>> * add label for shorewall lock file
>>> * allow iptables to read shorewall tmp files
>>> * fixes for shorewall_admin() interface
>>
>> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
>> shorewall can write and exec them makes it even more dubious. I see a
>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>> Does shorewall create this script and then the init script runs it?
>
> That's basically it. I have /var mounted with noexec but I need separate
> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
> noexec for this reason.
Are these the only two files in /var/lib/shorewall or are there
additional files in there that shouldn't be executable?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
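The question above (whether /var/lib/shorewall holds anything executable beyond the generated firewall script, given that the directory is deliberately exempted from a noexec /var) can be checked mechanically. The following POSIX shell helper is an added example, not code from this thread, from shorewall or from refpolicy; it assumes a Linux /proc/mounts and takes the directory and an allowlist of expected executable names as arguments.

```shell
#!/bin/sh
# Added audit helper (constructed example, not from the thread or from shorewall).
# Lists regular files under a directory that carry any execute bit, reports the
# ones not on an allowlist, and tells whether the directory's mount is noexec.

# Print each regular file under $1 that has an execute bit, one per line, sorted.
list_exec_files() {
    find "$1" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) | sort
}

# Print executable files under $1 whose basename is not among $2.. (the allowlist,
# e.g. "firewall"). Filenames containing whitespace are not handled.
audit_exec_dir() {
    dir=$1
    shift
    for f in $(list_exec_files "$dir"); do
        allowed=0
        for a in "$@"; do
            [ "$f" = "$dir/$a" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && echo "unexpected executable: $f"
    done
}

# Return 0 if the mount containing $1 has the noexec option, 1 if it does not,
# and 2 if /proc/mounts is unavailable (assumes Linux). Uses the longest
# matching mount point so /var/lib/shorewall is distinguished from /var.
mount_has_noexec() {
    [ -r /proc/mounts ] || return 2
    dir=$(cd "$1" && pwd -P) || return 2
    best=""
    opts=""
    while read -r _dev mnt _fs mopts _rest; do
        case "$dir" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then
                    best=$mnt
                    opts=$mopts
                fi ;;
        esac
    done < /proc/mounts
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Running `audit_exec_dir /var/lib/shorewall firewall` on a host lists any executable that is not the expected script, and `mount_has_noexec /var/lib/shorewall` confirms whether the directory really sits on a separate mount without noexec as described in the thread.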