Bug 172390 - REQUEST: system-config-securitylevel should not combine iptables and SELinux
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
4
All Linux
medium Severity medium
Assigned To: Chris Lumens
: FutureFeature
Reported: 2005-11-03 13:08 EST by Anthony Messina
Modified: 2007-11-30 17:11 EST
Doc Type: Enhancement
Last Closed: 2005-11-15 00:33:29 EST
Description Anthony Messina 2005-11-03 13:08:46 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
system-config-securitylevel should not commit functions of iptables and selinux in one sweep. If you have custom iptables rules or scripts (not configured with system-config-securitylevel) and you open system-config-securitylevel to make a change for selinux, your iptables rules are lost.

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.5.8.1-1

How reproducible:
Always

Steps to Reproduce:
1. create and enable some custom iptables rules without system-config-securitylevel
2. open system-config-securitylevel and make a change to a selinux boolean
3. apply changes
  

Actual Results:  The custom iptables rules that were either too complicated or too specific for system-config-securitylevel to create (so you created them manually with iptables) are deleted and you are left with no firewall.

Expected Results:  The functions of a firewall and selinux, while both security related and both important, are very separate things and should not be combined in one GUI, especially when the GUI has not been designed to take into account each and every variable that you may want to include in an iptables rule.

Optimally, this GUI would be split into its two parts.

Or, one should be allowed to choose which part they want to work with.

Or, the GUI should encompass and pull all possible iptables rules/targets from current configurations.

Additional info:
Comment 1 Rahul Sundaram 2005-11-15 00:33:29 EST
(In reply to comment #0)
> From Bugzilla Helper:
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
>
> Description of problem:
> system-config-securitylevel should not commit functions of iptables and
> selinux in one sweep. if you have custom iptables rules or scripts (not
> configured with system-config-securitylevel) and you open
> system-config-securitylevel to make a change for selinux, your iptables rules
> are lost.
>

The GUI settings for Firewall and SELinux are in separate tabs in the GUI.

SELinux configuration in the GUI is completely unrelated to the iptables related
firewall settings. Changing SELinux configuration would not affect any iptables
rules. If it does so, that's a bug that needs to be filed as a separate bug report
with the relevant information to reproduce this.

Comment 2 Anthony Messina 2005-11-15 09:11:22 EST
ok, see the new bug #173231: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173231

system-config-securitylevel deletes /etc/sysconfig/iptables and if you reboot or
restart iptables, you lose your firewall.
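
A guard for the failure described in this thread, as an added example that is not part of the bug report or of system-config-securitylevel: it snapshots a hand-maintained rules file, runs a configuration tool, and restores the file if the tool deleted or rewrote it, so the rules survive the next reboot or iptables restart. The path `/etc/sysconfig/iptables` comes from the report; the function names and the backup directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. /etc/sysconfig/iptables is the path
# named in the report; function names and the backup directory are assumptions.

# snapshot_rules FILE DIR: keep a copy of the hand-written rules file.
snapshot_rules() {
    local file="$1" dir="$2"
    [ -f "$file" ] || { echo "no rules file at $file" >&2; return 2; }
    mkdir -p "$dir" && cp -p "$file" "$dir/rules.saved"
}

# check_rules FILE DIR: print intact, modified or missing.
check_rules() {
    local file="$1" dir="$2"
    if [ ! -f "$file" ]; then
        echo missing
    elif cmp -s "$file" "$dir/rules.saved"; then
        echo intact
    else
        echo modified
    fi
}

# restore_rules FILE DIR: put the saved copy back; whatever the tool wrote
# is kept next to it as FILE.tool for review.
restore_rules() {
    local file="$1" dir="$2"
    if [ -f "$file" ]; then mv "$file" "$file.tool"; fi
    cp -p "$dir/rules.saved" "$file"
}

# guarded_run FILE DIR CMD [ARGS...]: run CMD, then undo any change it made
# to FILE. Prints the state the file was found in after CMD ran.
guarded_run() {
    local file="$1" dir="$2" state
    shift 2
    snapshot_rules "$file" "$dir" || return 2
    "$@" || true    # the tool's exit status does not matter to the check
    state=$(check_rules "$file" "$dir")
    if [ "$state" != intact ]; then
        restore_rules "$file" "$dir" || return 2
        echo "rules file was $state after '$*'; saved copy restored" >&2
    fi
    echo "$state"
}

# Usage (as root; the backup directory is an assumed location):
#   guarded_run /etc/sysconfig/iptables /root/iptables-guard system-config-securitylevel
```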
