Red Hat Bugzilla – Bug 179248
Firestarter fails to start on boot - SElinux issue?
Last modified: 2007-11-30 17:11:22 EST
Description of problem:
Upon installing firestarter, on next boot, firestarter fails to start claiming
the kernel does not support iptables (when clearly it does). A number of
messages spew out, but alas are not logged via syslog (this in itself is
probably a bug). It seems that SElinux is preventing firestarter from loading
the required kernel modules. I will attach the relevant part of
/var/log/messages which contains the SElinux errors, but unfortunately not the
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Install firestarter rpm and configure
firestarter fails to start
firestarter should start
Created attachment 123844 [details]
tail of /var/log/messages
Here is a previous list message on this issue
The firestarter RPM cause selinux errors on shutdown and other errors on
startup. These errors have ben tracked down to the line "sh
/etc/firestarter/firestarter.sh start" which
starts firestarter independent of the firestater init script. Removing
this line solves the selinux errors and the firewall policy still seems
to be in effect. I am theroizing that the line above is executed when
the dhclient daemon attempts to shutdown as well as start thus
attempting to start the firewall while closing the interface. I think
this is what selinux is flagging. The line also causes some errors on
interface startup. Does this line have a useful purpose?
I'm not quite sure which file MB is referring to which has the line "sh
/etc/firestarter/firestarter.sh start" - certainly the firestarter script in
/etc/init.d looks fine to me, and has the line "$FS_CONTROL start > /dev/null"
where "FS_CONTROL="/etc/firestarter/firestarter.sh". So I think MB's comment
perhaps refers to a previous version of firestarter.
Interestingly, on my latest boot, messages to the console reported that
/var/lock/firestarter could not be deleted, permission denied. Once i had
booted, I looked for this file, but it's not there. There is a
/var/lock/subsys/firestarter file though.
How should we proceed with this ? I'm not sure whether it's best to ask on the
selinux list, or the firestarter list, or where, as I'm not sure quite where the
I'll look into the /var/lock issue.
The "sh /etc/firestarter/firestarter.sh start" I believe is from the
Looks like the problem here is hooking the dhclient program. This causes the
firestarter script to run in dhclient mode, and dhclient is not allowed to do
modutil and iptables.
A better solution would be to use dbus. Basically we want to confine the
dhclient program to a locked down domain, and starting up random applications
from it is not a good idea.
Reassign to current maintainer.
FC3 and FC4 have now been EOL'd.
Please check the ticket against a current Fedora release, and either adjust the
release number, or close it if appropriate.
Your friendly BZ janitor :-)
No idea I'm afraid. I gave up with firestarter having reported this bug upstream
yielding no response. Firestarter seems somewhat dead. Will close as upstream.