Red Hat Bugzilla – Bug 1259862
firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py
Last modified: 2015-09-08 13:04:11 EDT
Created attachment 1069990
remove "-f" switch from selinux lokkit call
Description of problem: When creating an image using a kickstart script, using the standard notation (e.g. firewall --enabled --service ssh), the iptables config file (/etc/sysconfig/iptables) in the resulting image does not contain the ssh rule. It appears that this is overwritten by lokkit, and our "correct" configuration file gets written to /etc/sysconfig/iptables.old.
There appear to be several Fedora-related bugs, such as https://bugzilla.redhat.com/show_bug.cgi?id=769457
There is an older patch in the EL6 spec added in 2012 that removes the "-f" switch from lokkit being called in context of updating the firewall - only thing I can think of is that for some reason newer versions of imgcreate are now running lokkit for selinux _after_ the firewall has been configured, so overwriting firewall config.
Attached patch is basically the same as the older one, but removes the "-f" switch from lokkit in context of updating selinux config.
This is an EPEL bug, not core RHEL. EPEL issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1259864
We only need one bug for this.
*** This bug has been marked as a duplicate of bug 1259864 ***
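A check for the symptom described in this report, as an added example that is not part of the bug report or of imgcreate: given a mounted image root, it reports each expected port whose ACCEPT rule survives only in /etc/sysconfig/iptables.old. The function names, the port list and the sample rule text are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches iptables-save style ACCEPT rules for a TCP destination port.
RULE = re.compile(r"^-A\s+\S+\s.*-p\s+tcp\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT\b")

def accepted_ports(path):
    """Return the set of TCP ports that have an ACCEPT rule in an iptables file."""
    if not path.is_file():
        return set()
    ports = set()
    for line in path.read_text().splitlines():
        m = RULE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports

def check_image(root, expected_ports):
    """Classify each port: 'ok', 'overwritten' (rule only in iptables.old) or 'missing'."""
    cfg = Path(root) / "etc/sysconfig"
    active = accepted_ports(cfg / "iptables")
    backup = accepted_ports(cfg / "iptables.old")
    result = {}
    for port in expected_ports:
        if port in active:
            result[port] = "ok"
        elif port in backup:
            result[port] = "overwritten"
        else:
            result[port] = "missing"
    return result

def build_sample_root(tmp):
    """Constructed sample: an image root where the ssh rule exists only in iptables.old."""
    cfg = Path(tmp) / "etc/sysconfig"
    cfg.mkdir(parents=True)
    head = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
    tail = "-A INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n"
    ssh = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"
    (cfg / "iptables").write_text(head + tail)
    (cfg / "iptables.old").write_text(head + ssh + tail)
    return tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_image(build_sample_root(tmp), [22, 443]))
```

Run against the root of a built image as a post-build gate; an "overwritten" result means the kickstart firewall line was applied and then replaced.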