From: paul@city-fan.org (Paul Howarth)
Date: Tue, 08 Mar 2011 16:45:05 +0000
Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
In-Reply-To: <4D765488.7010608@tresys.com>
References: <4D5E9C22.8080505@redhat.com> <4D764DD5.4050901@tresys.com> <4D76507F.9010200@city-fan.org> <4D765488.7010608@tresys.com>
Message-ID: <4D765D11.8060602@city-fan.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/11 16:08, Christopher J. PeBenito wrote:
> On 03/08/11 10:51, Paul Howarth wrote:
>> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>>
>>>> * shorewall-init script runs /var/lib/shorewall/firewall
>>>> * add label for shorewall lock file
>>>> * allow iptables to read shorewall tmp files
>>>> * fixes for shorewall_admin() interface
>>>
>>> Why is the domtrans over shorewall_var_lib_t necessary? The fact that
>>> shorewall can write and exec them makes it even more dubious. I see a
>>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>>> Does shorewall create this script and then the init script runs it?
>>
>> That's basically it. I have /var mounted with noexec but I need separate
>> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
>> noexec for this reason.
>
> Are these the only two files in /var/lib/shorewall or are there
> additional files in there that shouldn't be executable?

The latter:

# ls -lZ /var/lib/shore*
/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

/var/lib/shorewall6:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

Paul.
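The question in the thread is whether the directory labelled shorewall_var_lib_t holds executables beyond the generated firewall script, which is what decides whether a domain transition over that type is wider than it needs to be. The script below is an added example, not part of the mail or of refpolicy: it parses `ls -lZ` output and reports every regular file that carries an execute bit together with its SELinux type, so an administrator can see at a glance which files of a type are actually executable. The listing it reads is constructed to resemble the one in the mail, with one extra world-executable file added to show the check firing on something other than the firewall script.

```shell
#!/bin/sh
# Added example: audit an `ls -lZ` listing for executable regular files
# and report them by SELinux type. Not code from the thread or refpolicy.

# Constructed sample listing in `ls -lZ` format; the "stray" entry is
# invented to show a file that should probably not be executable.
SAMPLE_LISTING='/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rwxr-xr-x. root root system_u:object_r:shorewall_var_lib_t:s0 stray'

# exec_files_by_type: read an `ls -lZ` listing on stdin and print
# "<selinux type> <file name>" for each regular file (mode starts with
# "-") that has the execute bit set for owner, group or other.
exec_files_by_type() {
    awk '
        /^-/ {
            mode = $1; ctx = $4; name = $5
            # exec bits sit at positions 4, 7 and 10 of the mode string
            if (mode ~ /^-..x|^-.....x|^-........x/) {
                split(ctx, parts, ":")   # user:role:type:level
                print parts[3], name
            }
        }'
}

# exec_count TYPE: number of executable regular files labelled TYPE in
# the sample listing; used to assert on the result.
exec_count() {
    printf '%s\n' "$SAMPLE_LISTING" | exec_files_by_type \
        | awk -v t="$1" '$1 == t' | wc -l | tr -d ' '
}

# Stand-alone run: list executables with their type.
printf '%s\n' "$SAMPLE_LISTING" | exec_files_by_type
```

On a live system the same function can be fed with `ls -lZ /var/lib/shorewall` directly; any name other than `firewall` in the output is a candidate for having its execute bit removed or its label reviewed before a domain transition over the whole type is granted.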