* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
@ 2011-02-18 16:19 Miroslav Grepl
  2011-03-08 15:40 ` Christopher J. PeBenito
From: Miroslav Grepl @ 2011-02-18 16:19 UTC (permalink / raw)
  To: refpolicy

http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch

     * shorewall-init script runs /var/lib/shorewall/firewall
     * add label for shorewall lock file
     * allow iptables to read shorewall tmp files
     * fixes for shorewall_admin() interface

* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
  2011-02-18 16:19 [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall Miroslav Grepl
@ 2011-03-08 15:40 ` Christopher J. PeBenito
  2011-03-08 15:51   ` Paul Howarth
  2011-03-09  7:40   ` Miroslav Grepl
From: Christopher J. PeBenito @ 2011-03-08 15:40 UTC (permalink / raw)
  To: refpolicy

On 02/18/11 11:19, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
> 
>     * shorewall-init script runs /var/lib/shorewall/firewall
>     * add label for shorewall lock file
>     * allow iptables to read shorewall tmp files
>     * fixes for shorewall_admin() interface

Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
shorewall can write and exec them makes it even more dubious.  I see a
comment about # shorewall-init script run /var/lib/shorewall/firewall.
Does shorewall create this script and then the init script runs it?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
  2011-03-08 15:40 ` Christopher J. PeBenito
@ 2011-03-08 15:51   ` Paul Howarth
  2011-03-08 16:08     ` Christopher J. PeBenito
  2011-03-09  7:40   ` Miroslav Grepl
From: Paul Howarth @ 2011-03-08 15:51 UTC (permalink / raw)
  To: refpolicy

On 08/03/11 15:40, Christopher J. PeBenito wrote:
> On 02/18/11 11:19, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>
>>      * shorewall-init script runs /var/lib/shorewall/firewall
>>      * add label for shorewall lock file
>>      * allow iptables to read shorewall tmp files
>>      * fixes for shorewall_admin() interface
>
> Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
> shorewall can write and exec them makes it even more dubious.  I see a
> comment about # shorewall-init script run /var/lib/shorewall/firewall.
> Does shorewall create this script and then the init script runs it?

That's basically it. I have /var mounted with noexec but I need separate 
mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have 
noexec for this reason.

Paul.

* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
  2011-03-08 15:51   ` Paul Howarth
@ 2011-03-08 16:08     ` Christopher J. PeBenito
  2011-03-08 16:45       ` Paul Howarth
From: Christopher J. PeBenito @ 2011-03-08 16:08 UTC (permalink / raw)
  To: refpolicy

On 03/08/11 10:51, Paul Howarth wrote:
> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>
>>>      * shorewall-init script runs /var/lib/shorewall/firewall
>>>      * add label for shorewall lock file
>>>      * allow iptables to read shorewall tmp files
>>>      * fixes for shorewall_admin() interface
>>
>> Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
>> shorewall can write and exec them makes it even more dubious.  I see a
>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>> Does shorewall create this script and then the init script runs it?
> 
> That's basically it. I have /var mounted with noexec but I need separate 
> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have 
> noexec for this reason.

Are these the only two files in /var/lib/shorewall or are there
additional files in there that shouldn't be executable?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
  2011-03-08 16:08     ` Christopher J. PeBenito
@ 2011-03-08 16:45       ` Paul Howarth
From: Paul Howarth @ 2011-03-08 16:45 UTC (permalink / raw)
  To: refpolicy

On 08/03/11 16:08, Christopher J. PeBenito wrote:
> On 03/08/11 10:51, Paul Howarth wrote:
>> On 08/03/11 15:40, Christopher J. PeBenito wrote:
>>> On 02/18/11 11:19, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
>>>>
>>>>       * shorewall-init script runs /var/lib/shorewall/firewall
>>>>       * add label for shorewall lock file
>>>>       * allow iptables to read shorewall tmp files
>>>>       * fixes for shorewall_admin() interface
>>>
>>> Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
>>> shorewall can write and exec them makes it even more dubious.  I see a
>>> comment about # shorewall-init script run /var/lib/shorewall/firewall.
>>> Does shorewall create this script and then the init script runs it?
>>
>> That's basically it. I have /var mounted with noexec but I need separate
>> mounts for /var/lib/shorewall and /var/lib/shorewall6 that don't have
>> noexec for this reason.
>
> Are these the only two files in /var/lib/shorewall or are there
> additional files in there that shouldn't be executable?

The latter:

# ls -lZ /var/lib/shore*
/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

/var/lib/shorewall6:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 policies
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 proxyarp
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 restarted
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 zones

Paul.
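The concern raised earlier in this thread (a domain that can both write and execute files of one type, and a domtrans over that type) together with the listing above suggests a small audit. The following is an added example, not code from the patch or from refpolicy: it parses `ls -lZ`-style output and `allow`-rule lines in the shape `sesearch` prints, then reports executable files whose type some domain can both write and execute. The listing is a trimmed copy of the one posted above; the allow rules are constructed for the demonstration and are assumptions, not the rules of any real policy.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed from the ls -lZ listing posted in this thread.
SAMPLE_LS = """\
/var/lib/shorewall:
-rwx------. root root system_u:object_r:shorewall_var_lib_t:s0 firewall
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 nat
-rw-------. root root system_u:object_r:shorewall_var_lib_t:s0 state
"""

# Constructed allow rules (assumed, not refpolicy's own) in the form sesearch prints.
SAMPLE_RULES = """\
allow shorewall_t shorewall_var_lib_t : file { read write create open execute execute_no_trans };
allow shorewall_t shorewall_etc_t : file { read open getattr };
allow iptables_t shorewall_tmp_t : file { read open };
"""

# mode, (owner, group skipped), security context, file name
LS_LINE = re.compile(r'^([-dl][rwxsStT-]{9})[.+]?\s+\S+\s+\S+\s+(\S+)\s+(.+)$')
# allow <source> <target> : <class> { perms };  (also matches "target:class")
RULE = re.compile(r'^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}')

@dataclass
class Entry:
    directory: str
    name: str
    mode: str
    setype: str

    @property
    def executable(self):
        # Regular file with any execute bit set; directories are skipped.
        return self.mode[0] == '-' and 'x' in self.mode[1:]

def parse_ls_z(text):
    """Parse recursive ls -lZ output into Entry objects, tracking the directory headers."""
    entries, directory = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(':'):
            directory = line[:-1]
            continue
        m = LS_LINE.match(line)
        if not m or directory is None:
            continue
        mode, context, name = m.groups()
        setype = context.split(':')[2]          # user:role:type:range -> type
        entries.append(Entry(directory, name, mode, setype))
    return entries

def executable_files_by_type(entries):
    """Map SELinux type -> paths of executable regular files carrying that type."""
    out = {}
    for e in entries:
        if e.executable:
            out.setdefault(e.setype, []).append(f"{e.directory}/{e.name}")
    return out

def parse_allow_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.split())))
    return rules

def write_exec_types(rules):
    """Return {(domain, type)} pairs where the domain may both modify and execute files of that type."""
    perms_by_pair = {}
    for src, tgt, cls, perms in rules:
        if cls == 'file':
            perms_by_pair.setdefault((src, tgt), set()).update(perms)
    return {pair for pair, perms in perms_by_pair.items()
            if perms & {'write', 'create', 'append'}
            and perms & {'execute', 'execute_no_trans'}}

def audit(ls_text, rules_text):
    """List executable files whose type some domain can both write and execute."""
    by_type = executable_files_by_type(parse_ls_z(ls_text))
    findings = []
    for domain, setype in sorted(write_exec_types(parse_allow_rules(rules_text))):
        for path in by_type.get(setype, []):
            findings.append(f"{domain} can write and execute {path} ({setype})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LS, SAMPLE_RULES):
        print(finding)
```

On a live system the two inputs would come from `ls -lRZ` on the directory and `sesearch -A -s <domain> -c file`; the check only reports the write-plus-execute pattern on a shared type, which is the property the review comment above questions.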

* [refpolicy] [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall
  2011-03-08 15:40 ` Christopher J. PeBenito
  2011-03-08 15:51   ` Paul Howarth
@ 2011-03-09  7:40   ` Miroslav Grepl
From: Miroslav Grepl @ 2011-03-09  7:40 UTC (permalink / raw)
  To: refpolicy

----- Original Message -----
From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: "Miroslav Grepl" <mgrepl@redhat.com>
Cc: refpolicy at oss1.tresys.com
Sent: Tuesday, March 8, 2011 4:40:05 PM
Subject: Re: [patch 1/1] shorewall: shorewall-init script runs /var/lib/shorewall/firewall

On 02/18/11 11:19, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_shorewall.patch
> 
>     * shorewall-init script runs /var/lib/shorewall/firewall
>     * add label for shorewall lock file
>     * allow iptables to read shorewall tmp files
>     * fixes for shorewall_admin() interface

Why is the domtrans over shorewall_var_lib_t necessary?  The fact that
shorewall can write and exec them makes it even more dubious.  I see a
comment about # shorewall-init script run /var/lib/shorewall/firewall.
Does shorewall create this script and then the init script runs it?

Yes, the problem is that the /var/lib/shorewall/firewall file is created on the fly by shorewall.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
