Bug 1285986

Summary: python-lago opens firewall ports without user consent
Product: [Community] ovirt-system-tests
Reporter: Sandro Bonazzola <sbonazzo>
Component: Packaging.rpm
Assignee: David Caro <dcaroest>
Status: CLOSED DEFERRED
QA Contact: Pavel Stehlik <pstehlik>
Severity: high
Priority: unspecified
Version: 0.4
CC: bugs, eedri
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-01-27 18:59:22 UTC
Type: Bug

Description Sandro Bonazzola 2015-11-27 07:08:19 UTC
Description of problem:
While installing lago on FC23 I have:

Installazione in corso: python-lago-ovirt-0.4-0.4.fc23.noarch               3/4 
FirewallD is not running
FirewallD is not running
FirewallD is not running
avvertimento: scriptlet %post(python-lago-ovirt-0.4-0.4.fc23.noarch) fallita, uscita con stato 252
Non-fatal POSTIN scriptlet failure in rpm package python-lago-ovirt
Non-fatal POSTIN scriptlet failure in rpm package python-lago-ovirt

Rpms shouldn't mess with the firewall in %post. Especially it shouldn't open ports without user consent.

I see in %post:
if [ "$1" -eq 1 ]; then
	firewall-cmd --reload
	firewall-cmd --permanent --zone=public --add-service=lago
	firewall-cmd --reload
fi

Adding lago to services in firewalld is a security issue and should be dropped.
It's an admin task to open it if needed.

See https://fedoraproject.org/wiki/PackagingDrafts/ScriptletSnippets/Firewalld
about firewalld reload.


version: lago-0.4
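
Added example, not part of the original report or of lago's own code: a shell check that flags scriptlet lines which add firewalld rules, such as the --add-service call quoted above. The function names and the reload-only sample are constructed for illustration, and audit_installed assumes an RPM-based host.

```shell
#!/bin/sh
# Flag RPM scriptlet lines that change firewalld rules (added example).

# Read scriptlet text on stdin and print, with line numbers, every line that
# calls firewall-cmd or firewall-offline-cmd with an --add-* option
# (service, port, rich rule, ...). Lines starting with a comment are skipped.
# Exit status: 0 if at least one such line was found, 1 otherwise.
flag_firewall_changes() {
    grep -nE '^[^#]*firewall-(offline-)?cmd[^#]*--add-[a-z-]+'
}

# The %post body quoted in the bug report.
sample_reported() {
    cat <<'EOF'
if [ "$1" -eq 1 ]; then
    firewall-cmd --reload
    firewall-cmd --permanent --zone=public --add-service=lago
    firewall-cmd --reload
fi
EOF
}

# Constructed alternative: reloads only and leaves opening the service to the admin.
sample_reload_only() {
    cat <<'EOF'
# admin may run: firewall-cmd --permanent --add-service=lago
if [ "$1" -eq 1 ]; then
    firewall-cmd --reload --quiet || :
fi
EOF
}

# Run the check over every installed package; prints "package: N: line".
audit_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -qa --qf '%{NAME}\n' | sort -u | while read -r pkg; do
        rpm -q --scripts "$pkg" | flag_firewall_changes | sed "s|^|$pkg: |"
    done
}

# Demo on the embedded sample; pass "installed" to audit the local RPM database.
if [ "${1:-}" = "installed" ]; then
    audit_installed
else
    sample_reported | flag_firewall_changes || :
fi
```

A hit is a prompt for review, not proof of a problem: the check matches text only and does not follow variables or helper scripts that a scriptlet may call.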

Comment 1 David Caro 2016-01-27 18:59:22 UTC
Moved to https://github.com/lago-project/lago/issues/46