From: mgrepl@redhat.com (Miroslav Grepl)
Date: Wed, 9 Mar 2011 02:40:10 -0500 (EST)
Subject: [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
In-Reply-To: <4D764DD5.4050901@tresys.com>
Message-ID: <966186493.440299.1299656410510.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

----- Original Message -----
From: "Christopher J. PeBenito"
To: "Miroslav Grepl"
Cc: refpolicy at oss1.tresys.com
Sent: Tuesday, March 8, 2011 4:40:05 PM
Subject: Re: [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 02/18/11 11:19, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>
> * shorewall-init script runs /var/lib/shorewall/firewall
> * add label for shorewall lock file
> * allow iptables to read shorewall tmp files
> * fixes for shorewall_admin() interface

Why is the domtrans over shorewall_var_lib_t necessary? The fact that shorewall can write and exec them makes it even more dubious. I see a comment about

# shorewall-init script run /var/lib/shorewall/firewall.

Does shorewall create this script and then the init script runs it?

Yes, the problem is the /var/lib/shorewall/firewall file is created on the fly by shorewall.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
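The review concern above is that the same domain can both write and execute files of the type it later transitions over, so a generated script is writable by the process that runs it. The check below is an added example for this thread, not code from refpolicy, the patch under review, or shorewall: it takes sesearch-style allow rules and reports every file type on which a given source domain holds both write and execute. The rule lines in SAMPLE_RULES are constructed for illustration and are not real policy output; the wrapper that calls sesearch is an assumption about a system with setools installed, and the only domain and type names used are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not part of the refpolicy thread or the shorewall policy.
# Reports file types on which a domain holds both write and execute, which is
# the "write and exec" overlap the reviewer raises for shorewall_var_lib_t.
#
# Input: sesearch-style allow rules, one per line, as produced by e.g.
#   sesearch -A -s shorewall_t -c file
# The sample below is constructed for illustration, not real policy output.
SAMPLE_RULES='allow shorewall_t shorewall_var_lib_t:file { create execute getattr open read write };
allow shorewall_t shorewall_tmp_t:file { create getattr open read write };
allow shorewall_t shorewall_exec_t:file { execute getattr open read };
allow initrc_t shorewall_var_lib_t : file { execute getattr open read } ;'

# write_exec_overlap SOURCE_DOMAIN
#   Reads allow rules on stdin and prints each target type of class "file"
#   that SOURCE_DOMAIN can both write and execute, once per type.
#   The sed pass normalises the setools 3 spelling "type : file" to the
#   setools 4 spelling "type:file" so one awk parse handles both.
write_exec_overlap() {
    src="$1"
    sed -e 's/[[:space:]]*:[[:space:]]*/:/g' \
    | awk -v src="$src" '
        $1 == "allow" && $2 == src {
            split($3, tc, ":")          # tc[1] = target type, tc[2] = class
            if (tc[2] != "file") next
            perms = $0
            sub(/^[^{]*\{/, "", perms)  # keep only the text inside { ... }
            sub(/\}.*$/, "", perms)
            w = 0; x = 0
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) {
                if (p[i] == "write") w = 1
                if (p[i] == "execute") x = 1
            }
            if (w && x && !seen[tc[1]]++) print tc[1]
        }'
}

# check_live SOURCE_DOMAIN
#   Assumed live-system wrapper: queries the loaded policy with setools'
#   sesearch (if installed) and feeds the rules to write_exec_overlap.
check_live() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not installed; cannot query the loaded policy" >&2
        return 1
    }
    sesearch -A -s "$1" -c file | write_exec_overlap "$1"
}

# Run against the constructed sample: prints shorewall_var_lib_t only.
printf '%s\n' "$SAMPLE_RULES" | write_exec_overlap shorewall_t
```

On the sample, shorewall_t is flagged for shorewall_var_lib_t (write and execute), while shorewall_tmp_t (write only) and shorewall_exec_t (execute only) are not, and initrc_t, which only executes, produces no output. Against a real policy, any type the script prints is one where the domain can alter a file and then run it, which is what makes a domtrans over such a type worth justifying.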