Bug 1259862 - firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py
Status: CLOSED DUPLICATE of bug 1259864
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: livecd-tools
x86_64 Unspecified
unspecified Severity unspecified
Assigned To: Brian Lane
Release Test Team
Reported: 2015-09-03 12:35 EDT by Richard Clark
Modified: 2015-09-08 13:04 EDT

Doc Type: Bug Fix
Last Closed: 2015-09-08 13:04:11 EDT
Type: Bug

Attachments
remove "-f" switch from selinux lokkit call (483 bytes, patch)
2015-09-03 12:35 EDT, Richard Clark
Description Richard Clark 2015-09-03 12:35:47 EDT
Created attachment 1069990
remove "-f" switch from selinux lokkit call

Description of problem: When creating an image using a kickstart script, using the standard notation (e.g. firewall --enabled --service ssh), the iptables config file (/etc/sysconfig/iptables) in the resulting image does not contain the ssh rule. It appears that this is overwritten by lokkit, and our "correct" configuration file gets written to /etc/sysconfig/iptables.old.

There appear to be several Fedora-related bugs, such as https://bugzilla.redhat.com/show_bug.cgi?id=769457

There is an older patch in the EL6 spec, added in 2012, that removes the "-f" switch from lokkit being called in the context of updating the firewall. The only thing I can think of is that for some reason newer versions of imgcreate are now running lokkit for selinux _after_ the firewall has been configured, so overwriting the firewall config.

Attached patch is basically the same as the older one, but removes the "-f" switch from lokkit in context of updating selinux config.
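
A post-build check for the symptom described above, as an added example that is not part of the original report or of livecd-tools: it reports a port as "overwritten" when its ACCEPT rule is absent from /etc/sysconfig/iptables but present in /etc/sysconfig/iptables.old inside the image root. The function names, the constructed sample rule text and the mapping of the ssh service to TCP port 22 are assumptions of this example.

```python
import os
import re
import tempfile

# Matches the --dport value of an ACCEPT rule in iptables-save format.
ACCEPT_DPORT = re.compile(r"^-A\s+\S+\s.*--dport\s+(\d+)\b.*-j\s+ACCEPT\b")

def accepted_ports(path):
    """Return the set of destination ports with ACCEPT rules in a rules file."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {int(m.group(1)) for line in fh
                if (m := ACCEPT_DPORT.match(line.strip()))}

def check_image_firewall(image_root, expected_ports):
    """Classify each expected port as 'ok', 'overwritten' or 'missing'."""
    cfg = os.path.join(image_root, "etc/sysconfig")
    live = accepted_ports(os.path.join(cfg, "iptables"))
    old = accepted_ports(os.path.join(cfg, "iptables.old"))
    result = {}
    for port in expected_ports:
        if port in live:
            result[port] = "ok"
        elif port in old:
            result[port] = "overwritten"  # rule survives only in the backup
        else:
            result[port] = "missing"      # rule was never written at all
    return result

def build_sample_root():
    """Constructed sample image root reproducing the reported file layout."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "etc/sysconfig")
    os.makedirs(cfg)
    header = ("*filter\n:INPUT ACCEPT [0:0]\n"
              "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n")
    ssh = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"
    footer = "-A INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n"
    with open(os.path.join(cfg, "iptables"), "w") as fh:
        fh.write(header + footer)        # live config: ssh rule is gone
    with open(os.path.join(cfg, "iptables.old"), "w") as fh:
        fh.write(header + ssh + footer)  # backup still holds the ssh rule
    return root

if __name__ == "__main__":
    print(check_image_firewall(build_sample_root(), [22, 443]))
```

Pointed at a mounted image root after the build, the same call can gate publication of the image on every expected port being "ok".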
Comment 1 Richard Clark 2015-09-03 12:42:48 EDT
This is an EPEL bug, not core RHEL. EPEL issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1259864
Comment 3 Brian Lane 2015-09-08 13:04:11 EDT
We only need one bug for this.

*** This bug has been marked as a duplicate of bug 1259864 ***
