[refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
Miroslav Grepl
mgrepl at redhat.com
Wed Mar 9 01:40:10 CST 2011
----- Original Message -----
From: "Christopher J. PeBenito" <cpebenito at tresys.com>
To: "Miroslav Grepl" <mgrepl at redhat.com>
Cc: refpolicy at oss1.tresys.com
Sent: Tuesday, March 8, 2011 4:40:05 PM
Subject: Re: [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
On 02/18/11 11:19, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>
> * shorewall-init script runs /var/lib/shorewall/firewall
> * add label for shorewall lock file
> * allow iptables to read shorewall tmp files
> * fixes for shorewall_admin() interface
Why is the domtrans over shorewall_var_lib_t necessary? The fact that
shorewall can write and exec them makes it even more dubious. I see a
comment about # shorewall-init script run /var/lib/shorewall/firewall.
Does shorewall create this script and then the init script runs it?
Yes, the problem is that the /var/lib/shorewall/firewall file is created on the fly by shorewall.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
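The review point above is that a domain transition over shorewall_var_lib_t is suspect because shorewall can both write and execute files of that type, i.e. the domain entrypoint is writable. The following is an added example, not code from the thread or from refpolicy: a small lint over raw SELinux allow/type_transition statements that reports every file type used as a domain entrypoint that some domain can also write. The sample policy text is constructed; shorewall_t, shorewall_var_lib_t, shorewall_tmp_t, shorewall_lock_t, iptables_t and initrc_t are type names from the thread or upstream refpolicy, but the rule bodies are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of raw SELinux statements (the kind a refpolicy module
# expands to). It is NOT the real shorewall policy: the type names come from
# the thread or upstream refpolicy, every rule body here is an assumption.
SAMPLE_POLICY = """
allow initrc_t shorewall_var_lib_t:file { read open execute };
allow shorewall_t shorewall_var_lib_t:file { create read write append execute entrypoint };
allow initrc_t shorewall_t:process transition;
type_transition initrc_t shorewall_var_lib_t:process shorewall_t;
allow shorewall_t shorewall_exec_t:file { read execute entrypoint };
allow iptables_t shorewall_tmp_t:file { read open getattr };
allow shorewall_t shorewall_lock_t:file { create read write lock };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")
TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+)\s*;")
WRITE_PERMS = {"write", "append", "create"}


def _perms(field):
    # "{ read write }" or a single permission such as "transition"
    return set(field.strip("{}").split())


def parse_policy(text):
    """Return (file_perms, domtrans): file_perms[(domain, type)] is the set of
    file-class permissions granted; domtrans lists (source, entrypoint, target)."""
    file_perms = defaultdict(set)
    domtrans = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            if tgt == "self":
                tgt = src
            if cls == "file":
                file_perms[(src, tgt)] |= _perms(perms)
            continue
        m = TRANS_RE.match(line)
        if m:
            domtrans.append(m.groups())
    return file_perms, domtrans


def find_writable_entrypoints(text):
    """List (entrypoint_type, domain_entered, writer_domain) for every file type
    that is an entrypoint of some domain and that some domain may also write."""
    file_perms, _ = parse_policy(text)
    entered_via = defaultdict(set)  # entrypoint type -> domains entered through it
    writers = defaultdict(set)      # file type -> domains holding write-like perms
    for (dom, ftype), perms in file_perms.items():
        if "entrypoint" in perms:
            entered_via[ftype].add(dom)
        if perms & WRITE_PERMS:
            writers[ftype].add(dom)
    findings = []
    for ftype, domains in entered_via.items():
        for entered in domains:
            for writer in writers.get(ftype, ()):
                findings.append((ftype, entered, writer))
    return sorted(findings)


def describe(text):
    """One report line per finding, naming the domtrans that relies on it."""
    _, domtrans = parse_policy(text)
    lines = []
    for ftype, entered, writer in find_writable_entrypoints(text):
        sources = sorted(s for s, e, t in domtrans if e == ftype and t == entered)
        lines.append(
            f"{ftype}: entrypoint for {entered} "
            f"(domtrans from {', '.join(sources) or 'n/a'}), writable by {writer}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_POLICY):
        print(line)
```

On the constructed sample the report flags shorewall_var_lib_t as an entrypoint into shorewall_t that shorewall_t itself can write, while shorewall_exec_t (executable, entrypoint, but not writable) is not reported; the tmp and lock types never appear because no domain enters through them. The same check can be pointed at the output of a policy compiler or `sesearch -A` dump, since those print rules in the same raw form.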