From: paul@city-fan.org (Paul Howarth)
Date: Tue, 08 Mar 2011 16:45:05 +0000
Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs
 /var/lib/shorewall/firewall
In-Reply-To: <4D765488.7010608@tresys.com>
References: <4D5E9C22.8080505@redhat.com> <4D764DD5.4050901@tresys.com>
	<4D76507F.9010200@city-fan.org> <4D765488.7010608@tresys.com>
Message-ID: <4D765D11.8060602@city-fan.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/11 16:08, Christopher J. PeBenito wrote:
> On 03/08/11 10:51, Paul Howarth wrote:
>> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>>
>>>>       * shorewall-init script runs /var/lib/shorewall/firewall
>>>>       * add label for shorewall lock file
>>>>       * allow iptables to read shorewall tmp files
>>>>       * fixes for shorewall_admin() interface
>>>
>>> Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
>>> shorewall can write and exec them makes it even more dubious.  I see a
>>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>>> Does shorewall create this script and then the init script runs it?
>>
>> That's basically it. I have /var mounted with noexec but I need separate
>> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
>> noexec for this reason.
>
> Are these the only two files in /var/lib/shorewall or are there
> additional files in there that shouldn't be executable?

The latter:

# ls -lZ /var/lib/shore*
/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

/var/lib/shorewall6:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

Paul.