Bug 663935

Summary: /etc/sysconfig/*.old files are mislabeled on the livecd
Product: [Fedora] Fedora Reporter: Oliver Henshaw <oliver.henshaw>
Component: system-config-firewall Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: rawhide CC: twoerner
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: livecd-tools-15.5-1.fc15 Doc Type: Bug Fix
Last Closed: 2011-03-16 17:04:37 UTC Type: ---

Description Oliver Henshaw 2010-12-17 12:39:16 UTC
Description of problem:

When I try to configure the firewall with system-config-firewall on the livecd, it fails and I get a traceback as noted in bug #614887. The root cause seems to be that various .old files are mislabeled:

# ll -Z /etc/sysconfig/ip*
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/ip6tables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/ip6tables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/ip6tables.old
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/iptables.old
# ll -Z /etc/sysconfig/system-config-firewall*
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/system-config-firewall
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/system-config-firewall.old

If I restorecon or rm these .old files before starting system-config-firewall then I can configure the firewall without problem.


I notice that fedora-live-base.ks has the line "firewall --enabled --mdns"; perhaps this is responsible for leaving the .old files mislabeled? Or perhaps this is an SELinux policy oversight?

I've tested this on a F15 nightly, but I can also reproduce this bug at least as far back as the F13 release spin iso.


Version-Release number of selected component (if applicable):

system-config-firewall-1.2.27-1.fc15.noarch
selinux-policy-3.9.10-12.fc15.noarch
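
Added example (not part of the original report, and not code from system-config-firewall or livecd-tools): a check that parses the `ls -Z` listing quoted in the description and flags each .old backup whose SELinux type differs from the file it backs up. The function names are hypothetical, and treating the base file's type as the expected type for its backup is an assumption made for this check.

```shell
#!/usr/bin/env bash
# Input layout is the older coreutils `ls -Z` format shown in the report:
#   mode user group context path

# Listing copied from the description in this bug report.
sample_listing() {
cat <<'EOF'
# ll -Z /etc/sysconfig/ip*
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/ip6tables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/ip6tables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/ip6tables.old
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/iptables.old
# ll -Z /etc/sysconfig/system-config-firewall*
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/system-config-firewall
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sysconfig/system-config-firewall.old
EOF
}

# Reads a listing on stdin and prints "path actual_type base_type" for every
# *.old file whose type field differs from that of its base file.
# Assumption: a backup is expected to carry the same type as the original.
find_mislabeled_backups() {
  awk '
    # Keep only real entries: five fields with a user:role:type:level context.
    NF == 5 && $4 ~ /^[^:]+:[^:]+:[^:]+:/ {
      split($4, ctx, ":")
      type[$5] = ctx[3]
    }
    END {
      for (p in type) {
        if (p !~ /\.old$/) continue
        base = substr(p, 1, length(p) - 4)   # strip the ".old" suffix
        if ((base in type) && type[p] != type[base])
          print p, type[p], type[base]
      }
    }' | sort
}

# Run against the listing from the report.
sample_listing | find_mislabeled_backups
```

On a live system, `restorecon -n -v /etc/sysconfig/*.old` compares the files against the loaded policy instead of against their siblings and changes nothing.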

Comment 1 Oliver Henshaw 2011-03-16 16:57:56 UTC
This could be the cause of the abrt-reported crashes at bug #654053.

Comment 2 Oliver Henshaw 2011-03-16 17:04:37 UTC
Appears to be fixed on the kde-x86_64-20110315.01.iso nightly, most probably as a result of the fix for bug #648591.

Bug #614887 (system-config-firewall crash leaves iptables rules in a bad state) remains, however.