Bug 614887

Summary: system-config-printer completely disables firewall
Product: Fedora
Component: system-config-firewall
Version: 13
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: urgent
Priority: low
Reporter: David Hampton <bugzilla>
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jpopelka, oliver.henshaw, twaugh, twoerner
Doc Type: Bug Fix
Last Closed: 2011-06-29 13:29:33 UTC
Attachments:
  ip6tables (unchanged)
  ip6tables-config (unchanged)
  iptables (unchanged)
  iptables-config (unchanged)
  system-config-firewall (before)
  system-config-firewall (after)
  iptables.old (new, after)

Description David Hampton 2010-07-15 13:47:51 UTC
Description of problem:
System-config-printer asks to modify the firewall to let three specific types of packets through.  When given permission to do so, it completely erases all firewall rules.

Version-Release number of selected component (if applicable):
system-config-printer-1.2.3-3.fc13.x86_64

How reproducible:
Every time


Steps to Reproduce:
1. start system-config-printer
2. allow it to modify the firewall rules

Actual results:
All firewall rules erased.

Expected results:
Three new rules added to the firewall to allow the specific types of packets mentioned in the dialog.

Additional info:

Running system-config-firewall, clicking "disable, enable, apply" restores all the previous rules.

The following information appears on the console while running system-config-printer...

Caught non-fatal exception.  Traceback:
File "/usr/share/system-config-printer/system-config-printer.py", line 5071, in fillDeviceTab
    f.write ()
File "/usr/share/system-config-printer/firewall.py", line 51, in write
    self._firewall.write (pickle.dumps (self._fw_data[0]))
File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Python.IOError: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 199, in updateFirewall
    ip4tables.write(config)
  File "/usr/share/system-config-firewall/fw_iptables.py", line 268, in write
    shutil.copy2(self.filename, "%s.old" % self.filename)
  File "/usr/lib64/python2.6/shutil.py", line 99, in copy2
    copyfile(src, dst)
  File "/usr/lib64/python2.6/shutil.py", line 53, in copyfile
    fdst = open(dst, 'wb')
IOError: [Errno 13] Permission denied: '/etc/sysconfig/iptables.old'
Continuing anyway..


I checked, and system-config-printer does run as root.  
[root@mypc ~]# ps axl | grep printer
4     0 13171  8806  20   0 639064 38592 poll_s S    pts/2      0:00 python /usr/share/system-config-printer/system-config-printer.py


[root@mypc ~]# ls -lZ /etc/sysconfig/iptables*
-rw-------. root root system_u:object_r:etc_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
-rw-------. root root system_u:object_r:etc_t:s0 /etc/sysconfig/iptables.old
[root@mypc ~]# ls -lZ /etc/sysconfig/ip6tables*
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/ip6tables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/ip6tables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/ip6tables.old

Correcting the selinux type on ip*tables and ip*tables.old solves my immediate problem.  The error message goes away, and system-config-printer no longer erases my firewall settings.  


However, I still consider this an urgent bug.  (I'd mark it critical, but there's no such category.)  No program should be allowed to convert a secure system into an insecure system just because of a simple permission error.  This program is smart enough to catch the permission error and not crash.  It should be enhanced to restore the firewall to its original settings.  It obviously has the permission needed to modify the kernel iptables, and the original rules are still available in the /etc/sysconfig/iptables file.
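The ordering the reporter is asking for, as an added example (not code from system-config-firewall or system-config-printer): snapshot the running rules, persist the new configuration atomically before touching the kernel, reload last, and on any error restore the snapshot, falling back to a closed policy if even the restore fails. The LiveRules class standing in for the kernel table, the rule lists (built from the listing in the report) and the path under a missing directory that stands in for the EACCES are all constructed for this example so it runs unprivileged and offline; the unsafe variant only models the flush-before-persist ordering that produces the reported outcome, not the project's actual code.

```python
"""Transactional firewall update that cannot leave the host fail-open.
Added example, not system-config-firewall code: LiveRules stands in for the
kernel table and a path under a missing directory stands in for the EACCES."""
import os
import tempfile

BEFORE = [  # constructed from the report's 'iptables -L -v' listing before the run
    "-P INPUT ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
WANTED = BEFORE[:-1] + [  # plus the ipp (631/tcp) opening the config diff records
    "-A INPUT -p tcp -m state --state NEW --dport 631 -j ACCEPT",
    BEFORE[-1],
]

class LiveRules:
    """Toy kernel table: INPUT policy plus the INPUT rules, in order."""
    def __init__(self):
        self.flush()
    def flush(self):  # a flushed chain has no rules and the default policy ACCEPT
        self.policy, self.rules = "ACCEPT", []
    def is_fail_open(self):  # the state the report shows after the run
        return self.policy == "ACCEPT" and not self.rules

def add_rules(live, rules):
    for rule in rules:
        if rule.startswith("-P INPUT "):
            live.policy = rule.split()[-1]
        elif rule.startswith("-A INPUT "):
            live.rules.append(rule)
        else:  # only INPUT is modelled; anything else fails like a malformed rule
            raise ValueError("unsupported rule: %r" % rule)

def load_rules(live, rules):
    """iptables-restore semantics: flush first, so a bad rule fails with the table empty."""
    live.flush()
    add_rules(live, rules)

def write_atomically(path, data):
    """Temp file beside the target, fsync, rename: a denied open changes nothing."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def update_unsafe(live, rules, config_path):
    """Ordering that reproduces the report: flush, persist, swallow the I/O error."""
    live.flush()
    try:
        write_atomically(config_path, "\n".join(rules) + "\n")
    except OSError:
        return  # 'Continuing anyway..' with the table already flushed
    add_rules(live, rules)

def update_safe(live, rules, config_path):
    """Snapshot, persist first, reload last; roll back on failure, never stay open."""
    snapshot = ["-P INPUT " + live.policy] + list(live.rules)  # cf. iptables-save
    old_config = open(config_path).read() if os.path.exists(config_path) else None
    write_atomically(config_path, "\n".join(rules) + "\n")  # EACCES stops here; kernel untouched
    try:
        load_rules(live, rules)
    except Exception:
        try:
            load_rules(live, snapshot)
        except Exception:
            live.flush()
            live.policy = "DROP"  # restore failed too: fail closed, not open
        if old_config is not None:
            write_atomically(config_path, old_config)  # disk and kernel agree again
        raise

def run_scenarios():
    """Drive both updaters through the report's failure; returns outcomes to assert on."""
    workdir = tempfile.mkdtemp()
    denied = os.path.join(workdir, "missing", "iptables")  # stands in for EACCES
    allowed = os.path.join(workdir, "iptables")
    out, live = {}, LiveRules()
    load_rules(live, BEFORE)
    update_unsafe(live, WANTED, denied)
    out["unsafe_fail_open"] = live.is_fail_open()
    load_rules(live, BEFORE)
    try:
        update_safe(live, WANTED, denied)
    except OSError:
        out["safe_raised"] = True
    out["safe_unchanged"] = live.rules == BEFORE[1:] and not live.is_fail_open()
    update_safe(live, WANTED, allowed)
    out["applied"] = open(allowed).read().splitlines() == WANTED and live.rules == WANTED[1:]
    try:  # a rule the loader rejects after a successful persist: table and file must both revert
        update_safe(live, WANTED + ["-A FORWARD -j DROP"], allowed)
    except ValueError:
        out["reverted"] = open(allowed).read().splitlines() == WANTED and live.rules == WANTED[1:]
    return out
```

Two design points carry over to the real tool: the config file is written through a temp file and rename, so a denied open or a crash mid-write leaves the old file intact, and the only step that touches the kernel is wrapped so that its failure path ends in either the previous rule set or a DROP policy, never an empty chain with policy ACCEPT.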

Comment 1 Tim Waugh 2010-07-15 14:18:23 UTC
Firstly, *don't* run system-config-printer as root.  It does not need to run as root, and doing so may in fact be harmful.

As to your particular problem, this is most likely a bug in the firewall-handling package, system-config-firewall.  Changing component and reassigning.

Comment 2 Thomas Woerner 2010-07-15 15:06:28 UTC
Had you deactivated the firewall before using system-config-printer? If yes, how?

Comment 3 David Hampton 2010-07-15 15:13:49 UTC
The firewall is enabled when I run the system-config-printer command.

Comment 4 Thomas Woerner 2010-07-20 11:32:08 UTC
Please attach the firewall configuration before and after using system-config-printer: 

/etc/sysconfig/system-config-firewall or /etc/sysconfig/system-config-securitylevel
/etc/sysconfig/ip*tables*

Comment 5 David Hampton 2010-07-20 13:31:04 UTC
[david@hampton-pc ~]$ sudo iptables -L -v
[sudo] password for david: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  576 92812 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imap 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:EtherNet/IP-1 
   17 22110 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 639 packets, 90419 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[david@hampton-pc ~]$ system-config-printer
Caught non-fatal exception.  Traceback:
File "/usr/share/system-config-printer/system-config-printer.py", line 5071, in fillDeviceTab
    f.write ()
File "/usr/share/system-config-printer/firewall.py", line 51, in write
    self._firewall.write (pickle.dumps (self._fw_data[0]))
File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Python.IOError: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 199, in updateFirewall
    ip4tables.write(config)
  File "/usr/share/system-config-firewall/fw_iptables.py", line 282, in write
    fd = open(self.filename, "w")
IOError: [Errno 13] Permission denied: '/etc/sysconfig/iptables'
Continuing anyway..
[david@hampton-pc ~]$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 247 packets, 26822 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 226 packets, 26219 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[david@hampton-pc ~]$ ls -l /etc/sysconfig/before
total 20
-rw-------. 1 root root  614 Jul 20 09:20 ip6tables
-rw-------. 1 root root 1753 Jul 20 09:20 ip6tables-config
-rw-------. 1 root root  609 Jul 20 09:20 iptables
-rw-------. 1 root root 1740 Jul 20 09:20 iptables-config
-rw-------. 1 root root  104 Jul 20 09:20 system-config-firewall
[david@hampton-pc ~]$ ls -l /etc/sysconfig/after
total 24
-rw-------. 1 root root  614 Jul 20 09:22 ip6tables
-rw-------. 1 root root 1753 Jul 20 09:22 ip6tables-config
-rw-------. 1 root root  609 Jul 20 09:22 iptables
-rw-------. 1 root root 1740 Jul 20 09:22 iptables-config
-rw-------. 1 root root  609 Jul 20 09:22 iptables.old
-rw-------. 1 root root  169 Jul 20 09:22 system-config-firewall
[david@hampton-pc ~]$ sudo chmod 644 /etc/sysconfig/before/* /etc/sysconfig/after/*
[david@hampton-pc ~]$ diff -u /etc/sysconfig/before /etc/sysconfig/after
Only in /etc/sysconfig/after: iptables.old
diff -u /etc/sysconfig/before/system-config-firewall /etc/sysconfig/after/system-config-firewall
--- /etc/sysconfig/before/system-config-firewall	2010-07-20 09:20:30.510578670 -0400
+++ /etc/sysconfig/after/system-config-firewall	2010-07-20 09:22:18.389714342 -0400
@@ -3,4 +3,8 @@
 --enabled
 --port=143:tcp
 --port=2222:tcp
+--port=161:udp
 --service=ssh
+--service=ipp-client
+--service=mdns
+--service=ipp
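Review bot: the persisted configuration and the running rule set now disagree, and this hunk is the evidence: the file gained four openings (--port=161:udp, --service=ipp-client, --service=mdns, --service=ipp) while the iptables -L -v listing taken right after shows INPUT, FORWARD and OUTPUT empty with policy ACCEPT, so system-config-firewall committed its own config before the iptables write that failed with Permission denied on /etc/sysconfig/iptables. The update should be ordered so that the lokkit config is saved only after the rule write and reload have succeeded, and an IOError should restore the previous rule set (the pre-run rules are still in the unchanged /etc/sysconfig/iptables attached to this bug) rather than continue with flushed chains. Separately, 161/udp is SNMP, a fourth opening beyond the three packet types the description says the dialog asked for; worth confirming it was part of that prompt.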
[david@hampton-pc ~]$

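A check that would have caught the state shown in the comment above, as an added example (not part of the report or of either package): it parses iptables -L -v listings and flags INPUT and FORWARD chains that pass unmatched traffic, either because the chain is empty with policy ACCEPT (the reported outcome) or because no unconditional DROP/REJECT is reached. BEFORE and AFTER are the two listings from that comment; the JUMPED listing and its RH-Firewall-1-INPUT user chain are constructed here to show how an unconditional jump into a user chain is followed.

```python
"""Fail-open check over 'iptables -L -v' output.
Added example, not part of the report. BEFORE and AFTER are the listings from
comment 5 above; JUMPED is constructed to show a lokkit-style user chain."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  576 92812 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imap
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:EtherNet/IP-1
   17 22110 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 639 packets, 90419 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

AFTER = """\
Chain INPUT (policy ACCEPT 247 packets, 26822 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 226 packets, 26219 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

JUMPED = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""


def parse_chains(listing):
    """{chain: {"policy": str or None, "rules": [fields, ...]}}; fields are the
    -v columns pkts bytes target prot opt in out source destination [extra]."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            chains[current]["rules"].append(line.split(None, 9))
    return chains


def unconditional(f):
    """Rule matches everything: prot all, any interface, any address and no
    match options (reject-with is a target option, not a match)."""
    return f[3] == "all" and f[5:9] == ["any", "any", "anywhere", "anywhere"] and (
        len(f) < 10 or f[9].startswith("reject-with"))


def blocks_rest(chains, name, seen=()):
    """Does unmatched traffic reach an unconditional DROP/REJECT, in this chain
    or through an unconditional jump into a user chain?"""
    if name in seen or name not in chains:
        return False
    for f in chains[name]["rules"]:
        if unconditional(f) and (f[2] in ("DROP", "REJECT")
                                 or blocks_rest(chains, f[2], seen + (name,))):
            return True
    return False


def open_chains(listing, names=("INPUT", "FORWARD")):
    """Chains that pass unmatched traffic; an empty list means the listing looks closed."""
    chains, findings = parse_chains(listing), []
    for name in names:
        c = chains.get(name)
        if c is None:
            findings.append((name, "missing from listing"))
        elif c["policy"] != "ACCEPT":
            continue  # DROP/REJECT policy: closed whatever the rules say
        elif not c["rules"]:
            findings.append((name, "empty chain with policy ACCEPT"))  # the report's state
        elif not blocks_rest(chains, name):
            findings.append((name, "policy ACCEPT and no catch-all DROP/REJECT"))
    return findings
```

The -L output is parsed here only because it is what the report contains; for a real monitor feed it iptables-save or iptables -S, which are meant to be machine-read and do not resolve ports to service names. A DROP that sits behind a conditional jump is deliberately not counted as closing the chain.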
Comment 6 David Hampton 2010-07-20 13:31:51 UTC
Created attachment 433159 [details]
ip6tables (unchanged)

Comment 7 David Hampton 2010-07-20 13:32:17 UTC
Created attachment 433160 [details]
ip6tables-config (unchanged)

Comment 8 David Hampton 2010-07-20 13:32:45 UTC
Created attachment 433161 [details]
iptables (unchanged)

Comment 9 David Hampton 2010-07-20 13:33:15 UTC
Created attachment 433162 [details]
iptables-config (unchanged)

Comment 10 David Hampton 2010-07-20 13:33:38 UTC
Created attachment 433163 [details]
system-config-firewall (before)

Comment 11 David Hampton 2010-07-20 13:34:07 UTC
Created attachment 433164 [details]
system-config-firewall (after)

Comment 12 David Hampton 2010-07-20 13:34:39 UTC
Created attachment 433165 [details]
iptables.old (new, after)

Comment 13 David Hampton 2010-07-20 13:37:23 UTC
The system-config-firewall file appears correct, but those rules didn't get installed as shown by the iptables command following the system-config-printer command.

Comment 14 Thomas Woerner 2010-07-21 15:09:32 UTC
Please add the output of "ls -laZ /etc/sysconfig/ip*tables*"

There seems to be a problem opening /etc/sysconfig/iptables for writing.

Comment 15 David Hampton 2010-07-21 17:46:47 UTC
Yes, I mentioned that in my initial bug report.  /etc/sysconfig/iptables was configured with type etc_t instead of system_config_t.  Regardless of this misconfiguration, running system-config-printer shouldn't result in the erasure of all firewall rules.  At best it should leave the firewall rules unchanged.  At worst it should leave the firewall in a closed state, not a completely open state like it does now.

Comment 16 Oliver Henshaw 2010-11-12 21:49:47 UTC
I see something similar when trying to configure the firewall on the livecd. If I launch system-config-firewall, make a change and apply it I get a similar backtrace to that in comment #0.

If I first do 'restorecon /etc/sysconfig/ip*tables*' then I can configure the firewall without any problems.

I've seen this issue on at least the F13 and F14 live images, and on both the kde and desktop spins. I wonder if some tool is creating the ip*tables.old files with the wrong context?

Comment 17 Oliver Henshaw 2010-12-17 12:40:47 UTC
As the original report is about the firewall being left in a bad state after system-config-firewall crashes, I've opened a new bug for the selinux issues: bug #663935

Comment 18 Bug Zapper 2011-06-01 13:50:19 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 19 Bug Zapper 2011-06-29 13:29:33 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.