Bug 1259862 – firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py

Bug 1259862 - firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py

Summary:	firewall rules in kickstart script are overwritten due to lokkit -f call in /...

Status:	CLOSED DUPLICATE of bug 1259864

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	livecd-tools (Show other bugs)
Sub Component:
Version:	6.7
Hardware:	x86_64 Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Brian Lane
QA Contact:	Release Test Team
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-09-03 12:35 EDT by Richard Clark
Modified:	2015-09-08 13:04 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-09-08 13:04:11 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
remove "-f" switch from selinux lokkit call (483 bytes, patch) 2015-09-03 12:35 EDT, Richard Clark	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Richard Clark 2015-09-03 12:35:47 EDT

Created attachment 1069990 [details]
remove "-f" switch from selinux lokkit call

Description of problem: When creating an image using a kickstart script, using the standard notation (e.g: firewall --enabled --service ssh), the iptables config file (/etc/sysconfig/iptables) in the resulting image does not contain the ssh rule. It appears that this is overwritten by lokkit, and our "correct" configuration file gets written to /etc/sysconfig/iptables.old

There appear to be several fedora-related bugs, such as https://bugzilla.redhat.com/show_bug.cgi?id=769457

There is an older patch in the EL6 spec added in 2012 that removes the "-f" switch from lokkit being called in context of updating the firewall - only thing I can think of is that for some reason newer versions imgcreate is now running lokkit for selinux  _after_ the firewall has been configured, so overwriting firewall config.

Attached patch is basically the same as the older one, but removes the "-f" switch from lokkit in context of updating selinux config.

Comment 1 Richard Clark 2015-09-03 12:42:48 EDT

This is an EPEL bug, not core RHEL. EPEL issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1259864

Comment 3 Brian Lane 2015-09-08 13:04:11 EDT

We only need one bug for this.

*** This bug has been marked as a duplicate of bug 1259864 ***

Note You need to log in before you can comment on or make changes to this bug.