Bug 179248 - Firestarter fails to start on boot - SElinux issue?
Summary: Firestarter fails to start on boot - SElinux issue?
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: firestarter
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Damien Durand
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-01-29 03:57 UTC by Jonathan Underwood
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-02-05 11:42:49 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
tail of /var/log/messages (11.80 KB, text/plain)
2006-01-29 03:57 UTC, Jonathan Underwood
no flags Details

Description Jonathan Underwood 2006-01-29 03:57:23 UTC
Description of problem:
Upon installing firestarter, on next boot, firestarter fails to start claiming
the kernel does not support iptables (when clearly it does). A number of
messages spew out, but alas are not logged via syslog (this in itself is
probably a bug). It seems that SElinux is preventing firestarter from loading
the required kernel modules. I will attach the relevant part of
/var/log/messages which contains the SElinux errors, but unfortunately not the
firestarter errors.

Version-Release number of selected component (if applicable):
firestarter-1.0.3-3


How reproducible:
Everytime

Steps to Reproduce:
1.Install firestarter rpm and configure
2.reboot
3.
  
Actual results:
firestarter fails to start

Expected results:
firestarter should start

Additional info:

Comment 1 Jonathan Underwood 2006-01-29 03:57:24 UTC
Created attachment 123844 [details]
tail of /var/log/messages

Comment 2 Michael A. Peters 2006-01-29 05:45:37 UTC
Here is a previous list message on this issue

-=-
The firestarter RPM cause selinux errors on shutdown and other errors on 
startup.  These errors have ben tracked down to the line "sh 
/etc/firestarter/firestarter.sh start" which
starts firestarter independent of the firestater init script.  Removing 
this line solves the selinux errors and the firewall policy still seems 
to be in effect.  I am theroizing that the line above is executed when 
the dhclient daemon attempts to shutdown  as well as start thus 
attempting to start the firewall while closing the interface.  I think 
this is what selinux is flagging.  The line also causes some errors on 
interface startup.  Does this line have a useful purpose?

Mark Bidewell
-=-

Comment 3 Jonathan Underwood 2006-01-29 15:17:37 UTC
I'm not quite sure which file MB is referring to which has the line "sh 
/etc/firestarter/firestarter.sh start" - certainly the firestarter script in
/etc/init.d looks fine to me, and has the line "$FS_CONTROL start > /dev/null"
where "FS_CONTROL="/etc/firestarter/firestarter.sh". So I think MB's comment
perhaps refers to a previous version of firestarter. 

Interestingly, on my latest boot, messages to the console reported that
/var/lock/firestarter could not be deleted, permission denied. Once i had
booted, I looked for this file, but it's not there. There is a
/var/lock/subsys/firestarter file though.

How should we proceed with this ? I'm not sure whether it's best to ask on the
selinux list, or the firestarter list, or where, as I'm not sure quite where the
problem lies.

Comment 4 Michael A. Peters 2006-01-30 22:39:52 UTC
I'll look into the /var/lock issue.

The "sh /etc/firestarter/firestarter.sh start" I believe is from the
dhcp-exit-hooks script.

Comment 5 Daniel Walsh 2006-01-31 21:43:03 UTC
Looks like the problem here is hooking the dhclient program.  This causes the
firestarter script to run in dhclient mode,  and dhclient is not allowed to do
modutil and iptables.

A better solution would be to use dbus.  Basically we want to confine the
dhclient program to a locked down domain, and starting up random applications
from it is not a good idea.

Comment 6 Jonathan Underwood 2006-02-03 16:30:56 UTC
Reported upstream:
http://bugzilla.gnome.org/show_bug.cgi?id=329806

Comment 7 Ville Skyttä 2006-09-27 18:00:57 UTC
Reassign to current maintainer.

Comment 8 Christian Iseli 2007-01-17 23:21:29 UTC
FC3 and FC4 have now been EOL'd.

Please check the ticket against a current Fedora release, and either adjust the
release number, or close it if appropriate.

Thanks.

Your friendly BZ janitor :-)

Comment 9 Jonathan Underwood 2007-02-05 11:42:49 UTC
No idea I'm afraid. I gave up with firestarter having reported this bug upstream
yielding no response. Firestarter seems somewhat dead. Will close as upstream.


Note You need to log in before you can comment on or make changes to this bug.