Shorewall And Upgrade From 6.3 To 6.4


Just got burnt by this one this morning.

If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run

restorecon -Rv /sbin

before rebooting. Original solution from:



3 thoughts on - Shorewall And Upgrade From 6.3 To 6.4

  • That’s odd. Part of the selinux postinstall script involves running
    “fixfiles” on any files whose context has changed. I confirmed that the iptables contexts changed when I ran restorecon on one system, but I
    can’t understand why they weren’t fixed by the postinstall script.

  • My thoughts exactly. Just double checked the postinstall script and can’t see any obvious bugs. Hmmm …

    If I compare the old and new file_context files …

    diff file_contexts.old | grep ip6?tables-multi
    < /sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0

    so the postinstall script runs (essentially)

    fixfiles -C file_contexts.old restore

    which tries to fix the context for a /sbin/ip6?tables-multi which does not exist on the updated system (which now uses alternatives trickery to version these).

    K

  • There is a bug in the fixfiles script which was being triggered by the weird regex, so the change was not being caught.
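
The comparison discussed in the comments above, as an added example that is not part of the original post, its comments, or fixfiles itself: it lists the file_contexts specs that differ between two policy versions and counts how many paths on a system each one still matches. Only the `/sbin/ip6?tables-multi.*` entry is taken from the page; the function names, the `example-fw` and `example-daemon` entries, and the path list are constructed for illustration.

```shell
#!/bin/sh
# Added example. Only the /sbin/ip6?tables-multi.* entry comes from the page;
# every other spec, path and file name here is constructed.

# Print the path regex (first field) of each entry that differs between files.
changed_specs() {  # usage: changed_specs OLD NEW
    { diff "$1" "$2" || true; } |
        sed -n 's/^[<>] *\([^[:space:]]*\).*/\1/p' | sort -u
}

# For each changed spec print "<count> <spec>": how many paths listed in
# PATHLIST (one per line) the whole-line-anchored regex matches.
spec_coverage() {  # usage: spec_coverage OLD NEW PATHLIST
    changed_specs "$1" "$2" | while IFS= read -r spec; do
        n=$(grep -c -x -E -e "$spec" "$3" || true)
        printf '%s %s\n' "$n" "$spec"
    done
}

# Write constructed sample data into directory $1.
make_sample() {
    cat > "$1/file_contexts.old" <<'EOF'
/sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
/sbin/example-daemon -- system_u:object_r:bin_t:s0
EOF
    cat > "$1/file_contexts.new" <<'EOF'
/sbin/example-fw-[0-9.]+ -- system_u:object_r:iptables_exec_t:s0
/sbin/example-daemon -- system_u:object_r:bin_t:s0
EOF
    printf '%s\n' /sbin/example-fw-1.0 /sbin/example-daemon > "$1/paths"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
spec_coverage "$demo_dir/file_contexts.old" "$demo_dir/file_contexts.new" "$demo_dir/paths"
```

A count of 0 next to a changed spec means a relabel keyed on that spec has nothing to act on.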