Thanks to [email protected] and <[email protected]> we are up and running.

1) After running restorecon, ls -lasZ still reports usr_t - so it looks like a Fedora/SELinux bug.

2) According to [email protected] the fc14 and SELinux folks are already aware of this, so I will not post a bug report.

3) But now that this topic has all the keywords, anybody facing the same problem should be able to find this solution.

4) I solved this problem by editing /etc/rc.local to read as follows. (Yes, this does create a tiny security race condition, but that tiny race condition is better than permanently disabling SELinux. :-)

   [don@mclachlan1 ~]$ cat /etc/rc.local
   #!/bin/sh
   #
   # This script will be executed *after* all the other init scripts.
   # You can put your own initialization stuff in here if you don't
   # want to do the full Sys V style init stuff.

   touch /var/lock/subsys/local

   # DGM 08/05/2011 - work around Fedora 14 / SELinux bug.
   echo 0 > /selinux/enforce
   /sbin/shorewall start
   echo 1 > /selinux/enforce

Thanks again,
Don


On 09/05/2011 2:01 PM, Mr Dash Four wrote:

Mr Dash Four wrote:
May  9 11:04:57 mclachlan1 kernel: [   14.943055] type=1400
audit(1304953497.367:4): avc:  denied  { execute } for  pid=1461
comm="perl" name="getparams" dev=dm-0 ino=395957
scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

This is an error with the selinux policy in FC14 (the main reason I am
*NOT* on FC14)! Run "restorecon -vF /usr/share/shorewall/getparams"
and then check the selinux context with "ls -lasZ
/usr/share/shorewall/getparams" - if it is still "usr_t" you could try
and submit a bug with Fedora. As a temporary "solution" you could do
this (as root):
Yeah, I just checked what I have on one of my machines - the context is
"bin_t" which is a context not constrained by any SELinux policies (a
work-around I did a while ago to avoid this very bug when I tried to
upgrade to FC14 and then backtracked to FC13) - definitely a bug and
SELinux people definitely know about it!

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
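
An added example, not part of the original messages: a shell sketch that parses the AVC denial quoted in this thread and prints, without running them, two narrower alternatives to switching enforcement off globally around the Shorewall start. The function names are hypothetical, and the semanage commands are an assumption about a scoped workaround (a permissive shorewall_t domain, or a persistent bin_t label like the one mentioned above), not something the posters tested.

```shell
#!/bin/sh
# Added example, not from the thread: summarise AVC denials, then print
# (never run) two scoped alternatives to toggling /selinux/enforce.

# Constructed sample: the denial quoted in this thread, rejoined on one line.
SAMPLE_AVC='May  9 11:04:57 mclachlan1 kernel: [   14.943055] type=1400 audit(1304953497.367:4): avc:  denied  { execute } for  pid=1461 comm="perl" name="getparams" dev=dm-0 ino=395957 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_field KEY LINE: print the value of KEY=value, quotes stripped.
avc_field() {
    printf '%s\n' "$2" |
        sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_summary: read log lines on stdin and print one record per denial as
# source_domain|permissions|class|target_type|object_name
avc_summary() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) ;;
            *) continue ;;
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
        src=$(avc_field scontext "$line" | cut -d: -f3)
        tgt=$(avc_field tcontext "$line" | cut -d: -f3)
        printf '%s|%s|%s|%s|%s\n' "$src" "$perms" \
            "$(avc_field tclass "$line")" "$tgt" "$(avc_field name "$line")"
    done
}

# scoped_options DOMAIN PATH TYPE: candidate commands for an admin to review.
# Assumption: semanage (policycoreutils) is installed and TYPE is a label
# the domain may execute, such as the bin_t mentioned in the thread.
scoped_options() {
    echo "semanage permissive -a $1"
    echo "semanage fcontext -a -t $3 '$2' && restorecon -vF '$2'"
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
scoped_options shorewall_t /usr/share/shorewall/getparams bin_t
```

Either printed option leaves the rest of the system enforcing while Shorewall starts, which removes the window that the enforce toggle in rc.local opens.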