Bug 1449754

Summary: /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.*.policy all active at the same time
Product: Red Hat Enterprise Linux 7 Reporter: Miloslav Trmač <mitr>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: medium Docs Contact:
Priority: high    
Version: 7.4CC: todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 16:24:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miloslav Trmač 2017-05-10 15:15:13 UTC 
Description of problem:
firewalld, in most versions which support product-specific policies, at least including firewalld-0.4.4.3-2.fc24.noarch but also in RHEL packages, ships

> /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy
> /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy
> /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy

This does not do what firewalld wants (allow using the *1.policy symlink to choose the active configuration) because polkit simply reads *.policy from that directory, with an unspecified handling of duplicate action IDs.

(In fact the duplicate action IDs trigger a memory corruption, a likely cause of bug 1442840 .)
Comment 4 Thomas Woerner 2017-05-17 16:07:07 UTC 
Fixed upstream: https://github.com/t-woerner/firewalld/commit/0c480ec760c3ecaeea325041bdffc6d3d1153d88
Comment 7 errata-xmlrpc 2017-08-01 16:24:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934