Bug 179248
| Summary: | Firestarter fails to start on boot - SElinux issue? | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonathan Underwood <jonathan.underwood> | ||||
| Component: | firestarter | Assignee: | Damien Durand <splinux> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 4 | CC: | Christian.Iseli, extras-qa, jvdias | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2007-02-05 11:42:49 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Jonathan Underwood
2006-01-29 03:57:23 UTC
Created attachment 123844 [details]
tail of /var/log/messages
Here is a previous list message on this issue -=- The firestarter RPM cause selinux errors on shutdown and other errors on startup. These errors have ben tracked down to the line "sh /etc/firestarter/firestarter.sh start" which starts firestarter independent of the firestater init script. Removing this line solves the selinux errors and the firewall policy still seems to be in effect. I am theroizing that the line above is executed when the dhclient daemon attempts to shutdown as well as start thus attempting to start the firewall while closing the interface. I think this is what selinux is flagging. The line also causes some errors on interface startup. Does this line have a useful purpose? Mark Bidewell -=- I'm not quite sure which file MB is referring to which has the line "sh /etc/firestarter/firestarter.sh start" - certainly the firestarter script in /etc/init.d looks fine to me, and has the line "$FS_CONTROL start > /dev/null" where "FS_CONTROL="/etc/firestarter/firestarter.sh". So I think MB's comment perhaps refers to a previous version of firestarter. Interestingly, on my latest boot, messages to the console reported that /var/lock/firestarter could not be deleted, permission denied. Once i had booted, I looked for this file, but it's not there. There is a /var/lock/subsys/firestarter file though. How should we proceed with this ? I'm not sure whether it's best to ask on the selinux list, or the firestarter list, or where, as I'm not sure quite where the problem lies. I'll look into the /var/lock issue. The "sh /etc/firestarter/firestarter.sh start" I believe is from the dhcp-exit-hooks script. Looks like the problem here is hooking the dhclient program. This causes the firestarter script to run in dhclient mode, and dhclient is not allowed to do modutil and iptables. A better solution would be to use dbus. Basically we want to confine the dhclient program to a locked down domain, and starting up random applications from it is not a good idea. Reported upstream: http://bugzilla.gnome.org/show_bug.cgi?id=329806 Reassign to current maintainer. FC3 and FC4 have now been EOL'd. Please check the ticket against a current Fedora release, and either adjust the release number, or close it if appropriate. Thanks. Your friendly BZ janitor :-) No idea I'm afraid. I gave up with firestarter having reported this bug upstream yielding no response. Firestarter seems somewhat dead. Will close as upstream. |