Bug 614887
Summary: | system-configure-printer completely disables firewall | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | David Hampton <bugzilla>
Component: | system-config-firewall | Assignee: | Thomas Woerner <twoerner>
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | urgent | Priority: | low
Version: | 13 | CC: | jpopelka, oliver.henshaw, twaugh, twoerner
Hardware: | All | OS: | Linux
Doc Type: | Bug Fix | Last Closed: | 2011-06-29 13:29:33 UTC

Description
David Hampton
2010-07-15 13:47:51 UTC
Firstly, *don't* run system-config-printer as root. It does not need to run as root, and doing so may in fact be harmful.

As to your particular problem, this is most likely a bug in the firewall handling packaging system-config-firewall. Changing component and reassigning.

Have you deactivated the firewall before using system-config-printer? If yes: How?

The firewall is enabled when I run the system-config-printer command.

Please attach the firewall configuration before and after using system-config-printer:

/etc/sysconfig/system-config-firewall or /etc/sysconfig/system-config-securitylevel
/etc/sysconfig/ip*tables*

```
[david@hampton-pc ~]$ sudo iptables -L -v
[sudo] password for david:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  576 92812 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imap
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:EtherNet/IP-1
   17 22110 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 639 packets, 90419 bytes)
 pkts bytes target     prot opt in     out     source               destination
[david@hampton-pc ~]$ system-config-printer
Caught non-fatal exception.  Traceback:
  File "/usr/share/system-config-printer/system-config-printer.py", line 5071, in fillDeviceTab
    f.write ()
  File "/usr/share/system-config-printer/firewall.py", line 51, in write
    self._firewall.write (pickle.dumps (self._fw_data[0]))
  File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
  File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Python.IOError: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 199, in updateFirewall
    ip4tables.write(config)
  File "/usr/share/system-config-firewall/fw_iptables.py", line 282, in write
    fd = open(self.filename, "w")
IOError: [Errno 13] Permission denied: '/etc/sysconfig/iptables'
Continuing anyway..
[david@hampton-pc ~]$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 247 packets, 26822 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 226 packets, 26219 bytes)
 pkts bytes target     prot opt in     out     source               destination
[david@hampton-pc ~]$ ls -l /etc/sysconfig/before
total 20
-rw-------. 1 root root  614 Jul 20 09:20 ip6tables
-rw-------. 1 root root 1753 Jul 20 09:20 ip6tables-config
-rw-------. 1 root root  609 Jul 20 09:20 iptables
-rw-------. 1 root root 1740 Jul 20 09:20 iptables-config
-rw-------. 1 root root  104 Jul 20 09:20 system-config-firewall
[david@hampton-pc ~]$ ls -l /etc/sysconfig/after
total 24
-rw-------. 1 root root  614 Jul 20 09:22 ip6tables
-rw-------. 1 root root 1753 Jul 20 09:22 ip6tables-config
-rw-------. 1 root root  609 Jul 20 09:22 iptables
-rw-------. 1 root root 1740 Jul 20 09:22 iptables-config
-rw-------. 1 root root  609 Jul 20 09:22 iptables.old
-rw-------. 1 root root  169 Jul 20 09:22 system-config-firewall
[david@hampton-pc ~]$ sudo chmod 644 /etc/sysconfig/before/* /etc/sysconfig/after/*
[david@hampton-pc ~]$ diff -u /etc/sysconfig/before /etc/sysconfig/after
Only in /etc/sysconfig/after: iptables.old
diff -u /etc/sysconfig/before/system-config-firewall /etc/sysconfig/after/system-config-firewall
--- /etc/sysconfig/before/system-config-firewall 2010-07-20 09:20:30.510578670 -0400
+++ /etc/sysconfig/after/system-config-firewall 2010-07-20 09:22:18.389714342 -0400
@@ -3,4 +3,8 @@
 --enabled
 --port=143:tcp
 --port=2222:tcp
+--port=161:udp
 --service=ssh
+--service=ipp-client
+--service=mdns
+--service=ipp
[david@hampton-pc ~]$
```

Created attachment 433159: ip6tables (unchanged)
Created attachment 433160: ip6tables-config (unchanged)
Created attachment 433161: iptables (unchanged)
Created attachment 433162: iptables-config (unchanged)
Created attachment 433163: system-config-firewall (before)
Created attachment 433164: system-config-firewall (after)
Created attachment 433165: iptables.old (new, after)

The system-config-firewall file appears correct, but those rules didn't get installed as shown by the iptables command following the system-config-printer command.

Please add the output of "ls -laZ /etc/sysconfig/ip*tables*". There seems to be a problem opening /etc/sysconfig/iptables for writing.

Yes, I mentioned that in my initial bug report. /etc/sysconfig/iptables was configured with type etc_t instead of system_config_t. Regardless of this misconfiguration, running system-config-printer shouldn't result in the erasure of all firewall rules. At best it should leave the firewall rules unchanged. At worst it should leave the firewall in a closed state, not a completely open state like it does now.

I see something similar when trying to configure the firewall on the livecd. If I launch system-config-firewall, make a change and apply it I get a similar backtrace to that in comment #0. If I first do 'restorecon /etc/sysconfig/ip*tables*' then I can configure the firewall without any problems. I've seen this issue on at least the F13 and F14 live images, and on both the kde and desktop spins. I wonder if some tool is creating the ip*tables.old files with the wrong context?

As the original report is about the firewall being left in a bad state after system-config-firewall crashes, I've opened a new bug for the selinux issues: bug #663935.

This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
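
The behaviour asked for in the thread above (a failed write of the rules file must leave the firewall as it was, not open) can be sketched as follows. This is an added example, not code from system-config-firewall or from any participant in this bug; the function names, the `apply_rules` callback and the sample rules text are assumptions made for illustration.

```python
import os
import tempfile


def write_rules_atomically(path, rules_text):
    """Replace path with rules_text via temp file + rename; raise OSError on failure."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".fw-")  # created mode 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(rules_text)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)  # atomic: readers see the old file or the new one
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)  # leave no partial file behind
        raise


def update_firewall(path, rules_text, apply_rules):
    """Persist the new rules first; touch the live ruleset only if that worked.

    apply_rules is a hypothetical callback standing in for whatever loads
    `path` into the kernel. Returns a status string for the caller to report.
    """
    try:
        write_rules_atomically(path, rules_text)
    except OSError as err:
        # Fail safe: saved file and running rules both stay as they were.
        return "unchanged: %s" % err.strerror
    apply_rules(path)
    return "applied"


if __name__ == "__main__":
    # Constructed demo; run as a non-root user so the chmod below is enforced.
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "iptables")
    loaded = []
    rules = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -j REJECT\nCOMMIT\n"
    print(update_firewall(target, rules, loaded.append))
    os.chmod(workdir, 0o500)  # stands in for the mislabeled, unwritable file
    print(update_firewall(target, "*filter\nCOMMIT\n", loaded.append))
    print(open(target).read() == rules, loaded == [target])
    os.chmod(workdir, 0o700)
```

On an SELinux system the renamed file carries the label given to the temporary file, so a real tool would also set the expected context on it (for instance with restorecon) before relying on it.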