[CentOS] Shorewall and upgrade from 6.3 to 6.4

Thu Mar 14 12:52:49 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

On 03/14/2013 01:03 AM, Kahlil Hodgson wrote:
> On 14/03/13 06:23, Gordon Messmer wrote:
>> On 03/12/2013 04:07 PM, Kahlil Hodgson wrote:
>>> If you are upgrading from 6.3 to 6.4 and you use shorewall, you will 
>>> want to run
>>> restorecon -Rv /sbin
>> That's odd.  Part of the selinux postinstall script involves running 
>> "fixfiles" on any files whose context has changed.  I confirmed that the 
>> iptables contexts changed when I ran restorecon on one system, but I 
>> can't understand why they weren't fixed by the postinstall script.
> My thoughts exactly.  Just double-checked the postinstall script and can't
> see any obvious bugs. Hmmm ...
> If I compare the old and new file_context files ...
> <rizo:~> diff file_contexts.new file_contexts.old | grep ip6?tables-multi
> > /sbin/ip6?tables-multi	--	system_u:object_r:iptables_exec_t:s0
> < /sbin/ip6?tables-multi.*	--	system_u:object_r:iptables_exec_t:s0
> so the postinstall script runs (essentially)
> fixfiles -C file_contexts.old restore
> which tries to fix the context for a /sbin/ip6?tables-multi which does not
> exist on the updated system (which now uses alternatives trickery to 
> version these).
> K
There is a bug in the fixfiles script which was being triggered by the weird
regex, so the change was not being caught.