Bug 769457

Summary: lokkit squashing its own settings in python-imgcreate
Product: [Fedora] Fedora
Reporter: John Florian <john>
Component: livecd-tools
Assignee: Brian Lane <bcl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: adam.stokes, bcl, bruno, dhuff, Jasper.Hartline, katzj, pbrobinson, richard, tim+redhat.com, victor.engmark
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: livecd-tools-16.10-1.fc16
Doc Type: Bug Fix
Last Closed: 2012-01-07 23:10:44 UTC
Attachments:
Patch that fixes the problem (flags: none)

Description John Florian 2011-12-20 21:58:54 UTC
Description of problem:
I have a kickstart in which the following directives exist:
selinux --disabled
firewall --enabled --service=ssh

I find that livecd-creator will generate images in which port 22 (ssh) is not opened.  I've investigated and believe the problem is with python-imgcreate and the way it calls lokkit in FirewallConfig.apply() and SelinuxConfig.apply().  In both cases the '-f' option is passed, which causes lokkit to ignore any preexisting configuration.  While that's fine for the first call (opening port 22), the second call (to disable SEL) causes /etc/sysconfig/iptables to be rewritten, this time without port 22 being opened, thus losing the changes from the first call.


Version-Release number of selected component (if applicable):
livecd-tools-16.9-1.fc16.x86_64
python-imgcreate-16.9-1.fc16.x86_64
system-config-firewall-base-1.2.29-4.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Modify an existing kickstart to have the directives shown above.
2. Run livecd-creator to create the image.
3. Boot the image and observe the iptables configuration.
  
Actual results:
Port 22 will not be open.

Expected results:
Port 22 should be open.

Additional info:
I would have filed this under python-imgcreate, but that does not seem to be in the Components list on BZ for some reason.

You can also use the --shell option to livecd-creator and confirm the problem there by alternately running:
/usr/sbin/lokkit -f --verbose --nostart --enabled --service=ssh
and
/usr/sbin/lokkit -f --nostart --selinux=enabled
(as does python-imgcreate) and looking at /etc/sysconfig/iptables after each command.  When I do this, I can clearly see one invocation squashing the settings of the other rather than accumulating those settings as needed.  Dropping the '-f' option on all but the first invocation would seem necessary to get a cumulative effect.
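
A check that would catch this regression in a built image, added here as an example (not part of the original report and not livecd-tools code): it compares the ports requested by the kickstart `firewall` directive against the ACCEPT rules in the image's /etc/sysconfig/iptables. The service-to-port map, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Assumption: a minimal service-to-port map; extend it for the services you use.
SERVICE_PORTS = {"ssh": (22, "tcp"), "http": (80, "tcp"), "https": (443, "tcp")}
# Matches rules such as: -A INPUT ... -p tcp --dport 22 -j ACCEPT
ACCEPT_RE = re.compile(r"^-A\s+\S+\s.*-p\s+(\w+)\s.*--dport\s+(\d+)\s.*-j\s+ACCEPT\b")

def requested_ports(kickstart_text):
    """(port, proto) pairs the kickstart 'firewall' directive asks to open."""
    wanted = set()
    for line in kickstart_text.splitlines():
        args = line.split()
        if not args or args[0] != "firewall" or "--disabled" in args:
            continue
        for arg in args[1:]:
            if arg.startswith("--service="):
                for name in arg.split("=", 1)[1].split(","):
                    wanted.add(SERVICE_PORTS[name])  # unknown name raises KeyError
            elif arg.startswith("--port="):
                for spec in arg.split("=", 1)[1].split(","):
                    port, proto = spec.split(":")
                    wanted.add((int(port), proto))
            elif arg[2:] in SERVICE_PORTS:  # legacy form such as --ssh
                wanted.add(SERVICE_PORTS[arg[2:]])
    return wanted

def opened_ports(iptables_text):
    """(port, proto) pairs that have an ACCEPT rule in an iptables rules file."""
    opened = set()
    for line in iptables_text.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m:
            opened.add((int(m.group(2)), m.group(1)))
    return opened

def missing_ports(kickstart_text, iptables_text):
    """Ports the kickstart requested that the rules file does not open."""
    return sorted(requested_ports(kickstart_text) - opened_ports(iptables_text))

# Constructed sample input: the two directives from the report, and a rules
# file in the style lokkit writes, before and after the second '-f' call.
KICKSTART = "selinux --disabled\nfirewall --enabled --service=ssh\n"
IPTABLES_OK = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
IPTABLES_SQUASHED = "\n".join(
    l for l in IPTABLES_OK.splitlines() if "--dport 22" not in l)
```

Run `missing_ports()` against the kickstart and the iptables file extracted from the finished image; a non-empty result means a later lokkit call overwrote the firewall settings.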

Comment 1 John Florian 2011-12-21 22:00:20 UTC
Created attachment 549088
Patch that fixes the problem

I cannot clone the project, so this patch is made against an actual install of python-imgcreate-16.9-1.fc16.x86_64.  I've tried various combinations of having the firewall enabled (with specific ports opened)/disabled and selinux disabled/enforcing and all seemed to work perfectly with this patch.

Comment 2 Brian Lane 2011-12-21 22:14:02 UTC
*** Bug 746213 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2011-12-22 17:02:21 UTC
livecd-tools-16.10-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/livecd-tools-16.10-1.fc16

Comment 4 Fedora Update System 2011-12-23 03:27:16 UTC
Package livecd-tools-16.10-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing livecd-tools-16.10-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17365/livecd-tools-16.10-1.fc16
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-01-07 23:10:44 UTC
livecd-tools-16.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Victor Engmark 2015-03-27 11:33:33 UTC
I believe this has re-surfaced on RHEL 6. To reproduce:

1. Install python-imgcreate-13.4.7, system-config-firewall-1.2.27
2. Add `firewall --enabled --ssh` and `selinux --permissive` to the Kickstart file
3. Create the image

At this point, the image contains /etc/sysconfig/iptables.old with port 22 open and /etc/sysconfig/iptables with port 22 closed.

It seems this is still being stamped over by `SelinuxConfig.apply` which now runs `/usr/sbin/lokkit -f`. This was introduced by commit d20abcc1cec55a01b937a358a70c8c29b6c2661b <http://pkgs.fedoraproject.org/cgit/livecd-tools.git/commit/?h=el6&id=d20abcc1cec55a01b937a358a70c8c29b6c2661b>.

After installing python-imgcreate-13.4.5 <http://koji.fedoraproject.org/koji/buildinfo?buildID=495333> it works.

Comment 7 Brian Lane 2015-03-27 16:38:59 UTC
(In reply to Victor Engmark from comment #6)
> I believe this has re-surfaced on RHEL 6. To reproduce:

Please open a new bug for the correct component.

I'm not sure why 13.4.5 would work; the selinux apply was moved to the bottom of that block back in 13.2.