Red Hat Bugzilla – Bug 179248
Firestarter fails to start on boot - SElinux issue?
Last modified: 2007-11-30 17:11:22 EST
Description of problem: Upon installing firestarter, on next boot, firestarter fails to start claiming the kernel does not support iptables (when clearly it does). A number of messages spew out, but alas are not logged via syslog (this in itself is probably a bug). It seems that SElinux is preventing firestarter from loading the required kernel modules. I will attach the relevant part of /var/log/messages which contains the SElinux errors, but unfortunately not the firestarter errors. Version-Release number of selected component (if applicable): firestarter-1.0.3-3 How reproducible: Everytime Steps to Reproduce: 1.Install firestarter rpm and configure 2.reboot 3. Actual results: firestarter fails to start Expected results: firestarter should start Additional info:
Created attachment 123844 [details] tail of /var/log/messages
Here is a previous list message on this issue -=- The firestarter RPM cause selinux errors on shutdown and other errors on startup. These errors have ben tracked down to the line "sh /etc/firestarter/firestarter.sh start" which starts firestarter independent of the firestater init script. Removing this line solves the selinux errors and the firewall policy still seems to be in effect. I am theroizing that the line above is executed when the dhclient daemon attempts to shutdown as well as start thus attempting to start the firewall while closing the interface. I think this is what selinux is flagging. The line also causes some errors on interface startup. Does this line have a useful purpose? Mark Bidewell -=-
I'm not quite sure which file MB is referring to which has the line "sh /etc/firestarter/firestarter.sh start" - certainly the firestarter script in /etc/init.d looks fine to me, and has the line "$FS_CONTROL start > /dev/null" where "FS_CONTROL="/etc/firestarter/firestarter.sh". So I think MB's comment perhaps refers to a previous version of firestarter. Interestingly, on my latest boot, messages to the console reported that /var/lock/firestarter could not be deleted, permission denied. Once i had booted, I looked for this file, but it's not there. There is a /var/lock/subsys/firestarter file though. How should we proceed with this ? I'm not sure whether it's best to ask on the selinux list, or the firestarter list, or where, as I'm not sure quite where the problem lies.
I'll look into the /var/lock issue. The "sh /etc/firestarter/firestarter.sh start" I believe is from the dhcp-exit-hooks script.
Looks like the problem here is hooking the dhclient program. This causes the firestarter script to run in dhclient mode, and dhclient is not allowed to do modutil and iptables. A better solution would be to use dbus. Basically we want to confine the dhclient program to a locked down domain, and starting up random applications from it is not a good idea.
Reported upstream: http://bugzilla.gnome.org/show_bug.cgi?id=329806
Reassign to current maintainer.
FC3 and FC4 have now been EOL'd. Please check the ticket against a current Fedora release, and either adjust the release number, or close it if appropriate. Thanks. Your friendly BZ janitor :-)
No idea I'm afraid. I gave up with firestarter having reported this bug upstream yielding no response. Firestarter seems somewhat dead. Will close as upstream.