2011-02-18 16:19:46

by mgrepl

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch

* shorewall-init script runs /var/lib/shorewall/firewall
* add label for shorewall lock file
* allow iptables to read shorewall tmp files
* fixes for shorewall_admin() interface


2011-03-08 15:40:05

by cpebenito

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 02/18/11 11:19, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>
> * shorewall-init script runs /var/lib/shorewall/firewall
> * add label for shorewall lock file
> * allow iptables to read shorewall tmp files
> * fixes for shorewall_admin() interface

Why is the domtrans over shorewall_var_lib_t necessary? The fact that
shorewall can write and exec them makes it even more dubious. I see a
comment about # shorewall-init script run /var/lib/shorewall/firewall.
Does shorewall create this script and then the init script runs it?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-08 15:51:27

by paul

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 08/03/11 15:40, Christopher J. PeBenito wrote:
> On 02/18/11 11:19, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>
>> * shorewall-init script runs /var/lib/shorewall/firewall
>> * add label for shorewall lock file
>> * allow iptables to read shorewall tmp files
>> * fixes for shorewall_admin() interface
>
> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
> shorewall can write and exec them makes it even more dubious. I see a
> comment about # shorewall-init script run /var/lib/shorewall/firewall.
> Does shorewall create this script and then the init script runs it?

That's basically it. I have /var mounted with noexec but I need separate
mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
noexec for this reason.

Paul.

2011-03-08 16:08:40

by cpebenito

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 03/08/11 10:51, Paul Howarth wrote:
> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>
>>> * shorewall-init script runs /var/lib/shorewall/firewall
>>> * add label for shorewall lock file
>>> * allow iptables to read shorewall tmp files
>>> * fixes for shorewall_admin() interface
>>
>> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
>> shorewall can write and exec them makes it even more dubious. I see a
>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>> Does shorewall create this script and then the init script runs it?
>
> That's basically it. I have /var mounted with noexec but I need separate
> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
> noexec for this reason.

Are these the only two files in /var/lib/shorewall or are there
additional files in there that shouldn't be executable?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-08 16:45:05

by paul

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 08/03/11 16:08, Christopher J. PeBenito wrote:
> On 03/08/11 10:51, Paul Howarth wrote:
>> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>>
>>>> * shorewall-init script runs /var/lib/shorewall/firewall
>>>> * add label for shorewall lock file
>>>> * allow iptables to read shorewall tmp files
>>>> * fixes for shorewall_admin() interface
>>>
>>> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
>>> shorewall can write and exec them makes it even more dubious. I see a
>>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>>> Does shorewall create this script and then the init script runs it?
>>
>> That's basically it. I have /var mounted with noexec but I need separate
>> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
>> noexec for this reason.
>
> Are these the only two files in /var/lib/shorewall or are there
> additional files in there that shouldn't be executable?

The latter:

# ls -lZ /var/lib/shore*
/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

/var/lib/shorewall6:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

Paul.
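
The listing above is the crux of the review question: one SELinux type, shorewall_var_lib_t, labels both an executable (firewall) and a set of plain data files. The shell snippet below is an added example, not code from this thread or from the refpolicy patch under review. It parses `ls -lZ` style lines (mode, owner, group, context, name, as in the Fedora output above) and reports whether a given type labels executables, data files, or both; the sample input is constructed from Paul's listing, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy: audit an `ls -lZ`
# listing for a SELinux file type that labels both executables and data files.
# A domain transition (domtrans) on such a type is hard to justify, because any
# domain allowed to write the data files can also replace the script that the
# transition would execute. Function names here are the example's own.

# Constructed sample input, abridged from the listing posted in the thread.
SAMPLE_LISTING='/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state'

# files_of_type TYPE exec|data
# Reads `ls -lZ` lines on stdin and prints the names of regular files whose
# SELinux type is TYPE, restricted to executables (any x/s/t in the mode) or
# to non-executables.
files_of_type() {
    awk -v t="$1" -v want="$2" '
        $1 ~ /^-/ {                       # regular files only; skip dirs and headers
            split($4, ctx, ":")           # user:role:type:level
            if (ctx[3] != t) next
            isexec = (substr($1, 1, 10) ~ /[xst]/)
            if ((want == "exec" && isexec) || (want == "data" && !isexec)) print $NF
        }'
}

# type_mix TYPE
# Prints "mixed" when TYPE labels both executables and plain data files in
# the listing on stdin, otherwise "exec-only", "data-only" or "none".
type_mix() {
    awk -v t="$1" '
        $1 ~ /^-/ {
            split($4, ctx, ":")
            if (ctx[3] != t) next
            if (substr($1, 1, 10) ~ /[xst]/) nexec++; else ndata++
        }
        END {
            if (nexec > 0 && ndata > 0) r = "mixed"
            else if (nexec > 0)         r = "exec-only"
            else if (ndata > 0)         r = "data-only"
            else                        r = "none"
            print r
        }'
}

# Stand-alone run over the constructed sample: lists "firewall", then "mixed".
printf '%s\n' "$SAMPLE_LISTING" | files_of_type shorewall_var_lib_t exec
printf '%s\n' "$SAMPLE_LISTING" | type_mix shorewall_var_lib_t
```

On a live system the same functions take real output, for example `ls -lZ /var/lib/shorewall | type_mix shorewall_var_lib_t`; a "mixed" result is the signal that the executable would need its own type (or that the exec permission on the shared type needs a separate justification), which is exactly the point Chris raises about write and exec on shorewall_var_lib_t.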

2011-03-09 07:40:10

by mgrepl

Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall



> ----- Original Message -----
> From: "Christopher J. PeBenito" <[email protected]>
> To: "Miroslav Grepl" <[email protected]>
> Cc: refpolicy at oss1.tresys.com
> Sent: Tuesday, March 8, 2011 4:40:05 PM
> Subject: Re: [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
>
> On 02/18/11 11:19, Miroslav Grepl wrote:
> > http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
> >
> > * shorewall-init script runs /var/lib/shorewall/firewall
> > * add label for shorewall lock file
> > * allow iptables to read shorewall tmp files
> > * fixes for shorewall_admin() interface
>
> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
> shorewall can write and exec them makes it even more dubious. I see a
> comment about # shorewall-init script run /var/lib/shorewall/firewall.
> Does shorewall create this script and then the init script runs it?

Yes, the problem is that the /var/lib/shorewall/firewall file is created on the fly by shorewall.

> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com