Bug 179248 - Firestarter fails to start on boot - SElinux issue?
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: firestarter
Version: 4
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Damien Durand
QA Contact: Fedora Extras Quality Assurance

Reported: 2006-01-28 22:57 EST by Jonathan Underwood
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-02-05 06:42:49 EST
Description Jonathan Underwood 2006-01-28 22:57:23 EST
Description of problem:
Upon installing firestarter, on next boot, firestarter fails to start claiming
the kernel does not support iptables (when clearly it does). A number of
messages spew out, but alas are not logged via syslog (this in itself is
probably a bug). It seems that SElinux is preventing firestarter from loading
the required kernel modules. I will attach the relevant part of
/var/log/messages which contains the SElinux errors, but unfortunately not the
firestarter errors.

Version-Release number of selected component (if applicable):
firestarter-1.0.3-3


How reproducible:
Every time

Steps to Reproduce:
1. Install firestarter rpm and configure
2. reboot

Actual results:
firestarter fails to start

Expected results:
firestarter should start

Additional info:
Comment 1 Jonathan Underwood 2006-01-28 22:57:24 EST
Created attachment 123844
tail of /var/log/messages
Comment 2 Michael A. Peters 2006-01-29 00:45:37 EST
Here is a previous list message on this issue

-=-
The firestarter RPM causes selinux errors on shutdown and other errors on
startup. These errors have been tracked down to the line "sh
/etc/firestarter/firestarter.sh start" which starts firestarter independent
of the firestarter init script. Removing this line solves the selinux errors
and the firewall policy still seems to be in effect. I am theorizing that the
line above is executed when the dhclient daemon attempts to shut down as well
as start, thus attempting to start the firewall while closing the interface.
I think this is what selinux is flagging. The line also causes some errors on
interface startup. Does this line have a useful purpose?

Mark Bidewell
-=-
Comment 3 Jonathan Underwood 2006-01-29 10:17:37 EST
I'm not quite sure which file MB is referring to which has the line "sh
/etc/firestarter/firestarter.sh start" - certainly the firestarter script in
/etc/init.d looks fine to me, and has the line "$FS_CONTROL start > /dev/null"
where FS_CONTROL="/etc/firestarter/firestarter.sh". So I think MB's comment
perhaps refers to a previous version of firestarter.

Interestingly, on my latest boot, messages to the console reported that
/var/lock/firestarter could not be deleted, permission denied. Once I had
booted, I looked for this file, but it's not there. There is a
/var/lock/subsys/firestarter file though.

How should we proceed with this? I'm not sure whether it's best to ask on the
selinux list, or the firestarter list, or where, as I'm not sure quite where the
problem lies.
Comment 4 Michael A. Peters 2006-01-30 17:39:52 EST
I'll look into the /var/lock issue.

The "sh /etc/firestarter/firestarter.sh start" I believe is from the
dhcp-exit-hooks script.
Comment 5 Daniel Walsh 2006-01-31 16:43:03 EST
Looks like the problem here is hooking the dhclient program. This causes the
firestarter script to run in dhclient mode, and dhclient is not allowed to do
modutil and iptables.

A better solution would be to use dbus.  Basically we want to confine the
dhclient program to a locked down domain, and starting up random applications
from it is not a good idea.
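
Added example, not part of the original bug report or of firestarter: a way to confirm the diagnosis in Comment 5 from /var/log/messages by listing AVC denials raised inside the dhclient domain by commands other than dhclient itself. The sample log lines are constructed (the bug's attachment is not reproduced here), and the domain name dhcpc_t, the target types and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in kernel AVC syslog format; NOT the bug's attachment.
SAMPLE_LOG = '''\
Jan 28 22:50:01 host kernel: audit(1138506601.100:4): avc:  denied  { read } for  pid=2101 comm="modprobe" name="modules.dep" dev=dm-0 ino=4711 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:modules_dep_t tclass=file
Jan 28 22:50:01 host kernel: audit(1138506601.200:5): avc:  denied  { execute } for  pid=2102 comm="sh" name="iptables" dev=dm-0 ino=4712 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file
Jan 28 22:50:02 host kernel: audit(1138506602.300:6): avc:  denied  { write } for  pid=2090 comm="dhclient" name="resolv.conf" dev=dm-0 ino=4713 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Jan 28 22:50:03 host kernel: audit(1138506603.400:7): avc:  denied  { getattr } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=4714 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Jan 28 22:50:04 host dhclient: bound to 192.0.2.10 -- renewal in 1800 seconds.
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    """The type is the third field of user:role:type[:level]."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else context

def parse_denials(text):
    """Yield one dict per AVC denial line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"comm": m["comm"], "perms": tuple(m["perms"].split()),
                   "domain": se_type(m["scon"]), "target": se_type(m["tcon"]),
                   "tclass": m["tclass"]}

def foreign_denials(text, domain, own_comms):
    """Denials raised inside `domain` by commands that are not the daemon itself,
    i.e. helpers that inherited the confined domain from a hook script."""
    found = defaultdict(list)
    for d in parse_denials(text):
        if d["domain"] == domain and d["comm"] not in own_comms:
            found[d["comm"]].append((d["target"], d["tclass"], d["perms"]))
    return dict(found)

if __name__ == "__main__":
    hits = foreign_denials(SAMPLE_LOG, "dhcpc_t", {"dhclient"})
    for comm, rows in hits.items():
        for target, tclass, perms in rows:
            print(f"{comm}: denied {' '.join(perms)} on {target}:{tclass}")
```

Denials attributed to commands such as modprobe or sh with a dhclient source context indicate that the hook's child processes kept the confined domain, which is the situation Comment 5 describes.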
Comment 6 Jonathan Underwood 2006-02-03 11:30:56 EST
Reported upstream:
http://bugzilla.gnome.org/show_bug.cgi?id=329806
Comment 7 Ville Skyttä 2006-09-27 14:00:57 EDT
Reassign to current maintainer.
Comment 8 Christian Iseli 2007-01-17 18:21:29 EST
FC3 and FC4 have now been EOL'd.

Please check the ticket against a current Fedora release, and either adjust the
release number, or close it if appropriate.

Thanks.

Your friendly BZ janitor :-)
Comment 9 Jonathan Underwood 2007-02-05 06:42:49 EST
No idea I'm afraid. I gave up with firestarter having reported this bug upstream
yielding no response. Firestarter seems somewhat dead. Will close as upstream.
