Red Hat Bugzilla – Bug 1259864
firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py
Last modified: 2016-02-04 17:55:51 EST
Created attachment 1069991
patch lokkit call to not overwrite
Description of problem: When creating an image using a kickstart script, using the standard notation (e.g. firewall --enabled --service ssh), the iptables config file (/etc/sysconfig/iptables) in the resulting image does not contain the ssh rule. It appears that this is overwritten by lokkit, and our "correct" configuration file gets written to /etc/sysconfig/iptables.old.
There appear to be several Fedora-related bugs, such as https://bugzilla.redhat.com/show_bug.cgi?id=769457
Version-Release number of selected component (if applicable): python-imgcreate-13.4.8-1
There is an older patch in the EL6 spec, added in 2012, that removes the "-f" switch from lokkit being called in the context of updating the firewall. The only thing I can think of is that for some reason newer versions of imgcreate are now running lokkit for selinux _after_ the firewall has been configured, so overwriting the firewall config.
Attached patch is basically the same as the older one, but removes the "-f" switch from lokkit in context of updating selinux config.
*** Bug 1259862 has been marked as a duplicate of this bug. ***
Looks like this needs commit d00a4d83188fbc911bd55954a2011c91b650128f
livecd-tools-13.4.9-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-b5ec93dc2b
livecd-tools-13.4.9-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update livecd-tools'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-b5ec93dc2b
livecd-tools-13.4.9-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
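A post-build check for the symptom described in this report, added here as an example (it is not code from the bug, the attached patch, or livecd-tools): it parses the image's /etc/sysconfig/iptables and iptables.old and reports expected service ports that are missing from the active file but still present in the .old copy. The function names, the mounted-image root argument, and the sample rule text are assumptions constructed for illustration.

```python
import os
import shlex
import tempfile

# Constructed sample in the iptables-save format (not from the bug report).
WITH_SSH = """*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
WITHOUT_SSH = "\n".join(l for l in WITH_SSH.splitlines() if "--dport" not in l)


def accepted_ports(rules_text):
    """Return {(proto, port)} for INPUT rules that ACCEPT a single --dport."""
    found = set()
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] == ["-A", "INPUT"]:
            opts = dict(zip(tok[2:], tok[3:]))  # each token -> the one after it
            if opts.get("-j") == "ACCEPT" and "-p" in opts and "--dport" in opts:
                found.add((opts["-p"], opts["--dport"]))
    return found


def check_image_firewall(root, expected):
    """Report expected ports missing from the image, and those left only in .old."""
    cfg = os.path.join(root, "etc/sysconfig/iptables")
    with open(cfg) as fh:
        missing = set(expected) - accepted_ports(fh.read())
    only_in_old = set()
    if os.path.exists(cfg + ".old"):
        with open(cfg + ".old") as fh:
            only_in_old = missing & accepted_ports(fh.read())
    return {"missing": missing, "only_in_old": only_in_old}


def demo():
    """Build a constructed image root that shows the symptom, then check it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/sysconfig"))
    for name, text in (("iptables", WITHOUT_SSH), ("iptables.old", WITH_SSH)):
        with open(os.path.join(root, "etc/sysconfig", name), "w") as fh:
            fh.write(text)
    return check_image_firewall(root, {("tcp", "22")})


if __name__ == "__main__":
    print(demo())
```

A non-empty `only_in_old` set matches the behaviour reported here: the rule requested in the kickstart file exists only in the backup copy, so the image boots without it.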