Bug 505444 - Needs to start after NetworkManager plus SELinux issue
Summary: Needs to start after NetworkManager plus SELinux issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shorewall
Version: 11
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jonathan Underwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-06-11 22:16 UTC by Bill Gradwohl
Modified: 2009-06-24 19:41 UTC (History)

Fixed In Version: 4.2.9-3.fc11
Clone Of:
Environment:
Last Closed: 2009-06-24 19:41:52 UTC
Type: ---
Embargoed:



Description Bill Gradwohl 2009-06-11 22:16:02 UTC
Description of problem:
Shorewall attempts to start before the nics are up because Network Manager starts after it.


Version-Release number of selected component (if applicable):


How reproducible:
Every time. Yum install drops it in. Its chkconfig comment line has it start before Network Manager.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Manually changed its chkconfig to start after Network Manager and now SELinux stops it.

Summary:

SELinux is preventing .start (shorewall_t) "signal" shorewall_t.

Detailed Description:

SELinux denied access requested by .start. It is not expected that this access
is required by .start and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:shorewall_t:s0
Target Context                system_u:system_r:shorewall_t:s0
Target Objects                None [ process ]
Source                        .start
Source Path                   /bin/bash
Port                          <Unknown>
Host                          billlaptop.private.ycc
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     billlaptop.private.ycc
Platform                      Linux billlaptop.private.ycc
                              2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Jun 11 15:25:56 2009
Last Seen                     Thu Jun 11 16:00:01 2009
Local ID                      419e9fe2-eb85-4112-8ebc-4bde2457f12b
Line Numbers                  

Raw Audit Messages            

node=billlaptop.private.ycc type=AVC msg=audit(1244757601.842:5): avc:  denied  { signal } for  pid=2081 comm=".start" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=process

node=billlaptop.private.ycc type=SYSCALL msg=audit(1244757601.842:5): arch=c000003e syscall=62 success=no exit=1938472920 a0=821 a1=f a2=0 a3=821 items=0 ppid=1658 pid=2081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=".start" exe="/bin/bash" subj=system_u:system_r:shorewall_t:s0 key=(null)
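
The denial in the raw audit message above maps to a single policy rule. As an added example (not part of the original report or of any Fedora tooling), the shell function below reads AVC records and prints the source of a local policy module allowing exactly the denied permissions. The module name local_shorewall and the second sample record are constructed for illustration; handling non-self targets and multiple permissions goes beyond the one case in the report.

```shell
#!/bin/sh
# Added example: derive a minimal local policy module (.te source) from AVC
# denial records. MODULE_NAME is a hypothetical name chosen for this example.
MODULE_NAME="local_shorewall"

# Record 1 is the AVC line quoted in the report. Record 2 is constructed
# (example_t and example_file_t are made-up types) to show a non-self target.
SAMPLE_AVC='node=billlaptop.private.ycc type=AVC msg=audit(1244757601.842:5): avc:  denied  { signal } for  pid=2081 comm=".start" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=process
type=AVC msg=audit(0.0:1): avc:  denied  { read getattr } for  pid=1 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file'

# avc_to_module NAME: read audit records on stdin, print .te text on stdout.
# Returns non-zero when no usable denial was found.
avc_to_module() {
  awk -v mod="$1" '
    # The type is the third field of user:role:type[:level].
    function ctx_type(field,   parts) {
      sub(/^[a-z]*=/, "", field)
      split(field, parts, ":")
      return parts[3]
    }
    /avc: +denied/ {
      if (!match($0, /[{][^}]*[}]/)) next
      n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = ctx_type($i)
        else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      if (n == 0 || src == "" || tgt == "" || cls == "") next
      if (!(src in seen_t)) { seen_t[src] = 1; tlist[++nt] = src }
      if (!(tgt in seen_t)) { seen_t[tgt] = 1; tlist[++nt] = tgt }
      if (!(cls in cperms)) { cperms[cls] = ""; clist[++nc] = cls }
      perms = ""
      for (j = 1; j <= n; j++) {
        perms = (j > 1) ? perms " " p[j] : p[j]
        if (!((cls, p[j]) in seen_p)) {
          seen_p[cls, p[j]] = 1
          cperms[cls] = cperms[cls] " " p[j]
          ccount[cls]++
        }
      }
      # A denial against the same type is written with the "self" keyword.
      target = (src == tgt) ? "self" : tgt
      plist = (n > 1) ? "{ " perms " }" : perms
      rule = "allow " src " " target ":" cls " " plist ";"
      if (!(rule in seen_r)) { seen_r[rule] = 1; rlist[++nr] = rule }
    }
    END {
      if (nr == 0) exit 1
      print "module " mod " 1.0;\n\nrequire {"
      for (k = 1; k <= nt; k++) print "\ttype " tlist[k] ";"
      for (k = 1; k <= nc; k++) {
        c = clist[k]
        body = (ccount[c] > 1) ? " {" cperms[c] " }" : cperms[c]
        print "\tclass " c body ";"
      }
      print "}\n"
      for (k = 1; k <= nr; k++) print rlist[k]
    }'
}

# Stand-alone run: print the module for the sample records.
printf '%s\n' "$SAMPLE_AVC" | avc_to_module "$MODULE_NAME"
```

For the report's record the only rule produced is a process signalling its own domain, which is what to confirm before building the output with checkmodule, semodule_package and semodule.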

Comment 1 Jonathan Underwood 2009-06-11 22:58:52 UTC
When reporting bugs, please don't conflate different issues in one bug - please file separate bugs against the relevant packages for each issue. Please report the SELinux issue against the selinux-policy package. I'll have a look at the init level issue.

Comment 2 Fedora Update System 2009-06-11 23:18:59 UTC
shorewall-4.2.9-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/shorewall-4.2.9-3.fc11

Comment 3 Jonathan Underwood 2009-06-11 23:20:52 UTC
OK, have pushed new builds which should fix the start up order issue. Have
pushed them to updates-testing, but if you want to test in the meantime:

http://koji.fedoraproject.org/koji/taskinfo?taskID=1406381

Thanks for the report.

Comment 4 Bill Gradwohl 2009-06-13 14:43:38 UTC
I noticed something else ...

NetworkManager takes an undetermined amount of time to bring up the NICs. Therefore, trying to start shorewall based on start priority doesn't work reliably.

Here's an example:   (Sorry about not editing this for length, but it shows other things of interest also)

Jun 13 05:03:01 billlaptop NetworkManager: <info>  starting...
Jun 13 05:03:01 billlaptop NetworkManager: <WARN>  nm_generic_enable_loopback(): error -17 returned from rtnl_addr_add():#012Sucess#012
Jun 13 05:03:01 billlaptop NetworkManager: <info>  Found radio killswitch /org/freedesktop/Hal/devices/platform_acer_wmi_rfkill_acer_wireless_wlan
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (eth0): new Ethernet device (driver: 'forcedeth')
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (eth0): exported as /org/freedesktop/Hal/devices/net_00_1e_ec_4c_57_07
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (wlan0): driver supports SSID scans (scan_capa 0x01).
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (wlan0): new 802.11 WiFi device (driver: 'ath5k')
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (wlan0): exported as /org/freedesktop/Hal/devices/net_00_1f_e2_cb_08_01
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (ttyUSB1): ignoring due to lack of mobile broadband capabilties
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (ttyUSB0): found serial port (udev:GSM  hal:GSM)
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (ttyUSB0): new Modem device (driver: 'option')
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (ttyUSB0): exported as /org/freedesktop/Hal/devices/usb_device_1410_1430_011057007138021_if0_serial_usb_0
Jun 13 05:03:01 billlaptop NetworkManager: <info>  Trying to start the supplicant...
Jun 13 05:03:01 billlaptop NetworkManager: <info>  Trying to start the system settings daemon...
Jun 13 05:03:01 billlaptop NetworkManager: <info>  (wlan0): supplicant manager state:  down -> idle
Jun 13 05:03:01 billlaptop nm-system-settings: Loaded plugin ifcfg-rh: (c) 2007 - 2008 Red Hat, Inc.  To report bugs please use the NetworkManager mailing list.
Jun 13 05:03:01 billlaptop nm-system-settings:    ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-eth0 ... 
Jun 13 05:03:01 billlaptop nm-system-settings:    ifcfg-rh:     read connection 'System eth0'
Jun 13 05:03:01 billlaptop nm-system-settings:    ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-lo ... 
Jun 13 05:03:01 billlaptop shorewall[1670]: Compiling...
Jun 13 05:03:02 billlaptop shorewall[1670]: WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling /etc/shorewall/zones...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling /etc/shorewall/interfaces...
Jun 13 05:03:03 billlaptop shorewall[1670]: Determining Hosts in Zones...
Jun 13 05:03:03 billlaptop shorewall[1670]: Preprocessing Action Files...
Jun 13 05:03:03 billlaptop shorewall[1670]:    Pre-processing /usr/share/shorewall/action.Drop...
Jun 13 05:03:03 billlaptop shorewall[1670]:    Pre-processing /usr/share/shorewall/action.Reject...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling /etc/shorewall/policy...
Jun 13 05:03:03 billlaptop shorewall[1670]: Adding Anti-smurf Rules
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling TCP Flags filtering...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling Kernel Route Filtering...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling Martian Logging...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling /etc/shorewall/masq...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling MAC Filtration -- Phase 1...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling /etc/shorewall/rules...
Jun 13 05:03:03 billlaptop shorewall[1670]: Generating Transitive Closure of Used-action List...
Jun 13 05:03:03 billlaptop shorewall[1670]: Processing /usr/share/shorewall/action.Reject for chain Reject...
Jun 13 05:03:03 billlaptop shorewall[1670]: Processing /usr/share/shorewall/action.Drop for chain Drop...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling MAC Filtration -- Phase 2...
Jun 13 05:03:03 billlaptop shorewall[1670]: Applying Policies...
Jun 13 05:03:03 billlaptop shorewall[1670]: Generating Rule Matrix...
Jun 13 05:03:03 billlaptop shorewall[1670]: Creating iptables-restore input...
Jun 13 05:03:03 billlaptop shorewall[1670]: Compiling iptables-restore input for chains blacklst,mangle:...
Jun 13 05:03:03 billlaptop shorewall[1670]: Shorewall configuration compiled to /var/lib/shorewall/.start
Jun 13 05:03:03 billlaptop shorewall[1670]: Processing /etc/shorewall/params ...
Jun 13 05:03:03 billlaptop shorewall[1670]: Starting Shorewall....
Jun 13 05:03:03 billlaptop shorewall[1670]: Initializing...
Jun 13 05:03:04 billlaptop shorewall[1670]: Processing /etc/shorewall/init ...
Jun 13 05:03:04 billlaptop shorewall[1670]:    ERROR: Unable to determine the routes through interface "eth0"
Jun 13 05:03:04 billlaptop shorewall[1670]: Processing /etc/shorewall/stop ...
Jun 13 05:03:04 billlaptop shorewall[1670]: IPv4 Forwarding Enabled
Jun 13 05:03:04 billlaptop shorewall[1670]: Processing /etc/shorewall/stopped ...
Jun 13 05:03:04 billlaptop shorewall[1670]: /sbin/shorewall: line 449:  2092 Terminated              ${VARDIR}/.start $debugging start
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): device state change: 1 -> 2
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): bringing up device.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): preparing device.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): deactivating device (reason: 2).
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (wlan0): device state change: 1 -> 2
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (wlan0): bringing up device.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (wlan0): preparing device.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (wlan0): deactivating device (reason: 2).
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 1 -> 2
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (ttyUSB0): deactivating device (reason: 2).
Jun 13 05:03:06 billlaptop NetworkManager: nm_system_device_flush_ip4_routes_with_iface: assertion `iface_idx >= 0' failed
Jun 13 05:03:06 billlaptop NetworkManager: nm_system_device_flush_ip4_addresses_with_iface: assertion `iface_idx >= 0' failed
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): carrier now ON (device state 2)
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): device state change: 2 -> 3
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (wlan0): device state change: 2 -> 3
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 2 -> 3
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) starting connection 'System eth0'
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): device state change: 3 -> 4
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) started...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) starting...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): device state change: 4 -> 5
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) successful.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 3 of 5 (IP Configure Start) scheduled.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) complete.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 3 of 5 (IP Configure Start) started...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  (eth0): device state change: 5 -> 7
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 4 of 5 (IP Configure Get) scheduled...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 3 of 5 (IP Configure Start) complete.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 4 of 5 (IP Configure Get) started...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 4 of 5 (IP Configure Get) complete.
Jun 13 05:03:06 billlaptop NetworkManager: <info>  Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
Jun 13 05:03:07 billlaptop NetworkManager: <info>  (eth0): device state change: 7 -> 8
Jun 13 05:03:07 billlaptop NetworkManager: <info>  Activation (eth0) successful, device activated.
Jun 13 05:03:07 billlaptop NetworkManager: <info>  Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Jun 13 05:03:07 billlaptop NetworkManager: <info>  (wlan0): supplicant interface state:  starting -> ready
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) starting connection 'Auto Mobile Broadband (GSM) connection'
Jun 13 05:09:46 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 3 -> 4
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 1 of 5 (Device Prepare) scheduled...
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 1 of 5 (Device Prepare) started...
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 1 of 5 (Device Prepare) complete.
Jun 13 05:09:46 billlaptop NetworkManager: <info>  (ttyUSB0): powering up...
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Registered on Home network
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Associated with network: +COPS: 0,0,"Unknown",2
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Connected, Woo!
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 2 of 5 (Device Configure) scheduled...
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 2 of 5 (Device Configure) starting...
Jun 13 05:09:46 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 4 -> 5
Jun 13 05:09:46 billlaptop NetworkManager: <info>  Starting pppd connection
Jun 13 05:09:47 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 2 of 5 (Device Configure) complete.
Jun 13 05:09:47 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 5 -> 6
Jun 13 05:09:47 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 6 -> 7
Jun 13 05:09:49 billlaptop NetworkManager: <info>  PPP manager(IP Config Get) reply received.
Jun 13 05:09:49 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 4 of 5 (IP Configure Get) scheduled...
Jun 13 05:09:49 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 4 of 5 (IP Configure Get) started...
Jun 13 05:09:49 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jun 13 05:09:49 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 4 of 5 (IP Configure Get) complete.
Jun 13 05:09:49 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 5 of 5 (IP Configure Commit) started...
Jun 13 05:09:50 billlaptop NetworkManager: <info>  (ttyUSB0): device state change: 7 -> 8
Jun 13 05:09:50 billlaptop NetworkManager: <info>  Policy set 'Auto Mobile Broadband (GSM) connection' (ppp0) as default for routing and DNS.
Jun 13 05:09:50 billlaptop NetworkManager: <info>  Activation (ttyUSB0) successful, device activated.
Jun 13 05:09:50 billlaptop NetworkManager: <info>  Activation (ttyUSB0) Stage 5 of 5 (IP Configure Commit) complete.
root@billlaptop ~# 




Essentially, shorewall has to wait till NetworkManager has finished doing its job for my traditional NIC on eth0. Or, shorewall has to be told to ignore checking the routes and just start assuming everything will eventually be OK.

I could always add a script to /etc/NetworkManager/dispatcher.d/ to start shorewall, but that's crude. 

The real problem here is NetworkManager. The boot priority scheme would work as expected if the old style of getting NICs up were used, as that brought them up so fast that by the time shorewall went looking for resources, they were there.

Comment 5 Jonathan Underwood 2009-06-13 14:57:31 UTC
Yes, what you see is a very real problem, but it's due to the conflicting design scopes of shorewall and NetworkManager. At the end of the day the use case for shorewall is really on a firewall with static network interface configuration, whereas NM is designed to deal with the case of network interfaces and connections coming and going. 

The workaround you propose i.e. disabling the shorewall service and having a script in /etc/NetworkManager/dispatcher.d/ to start shorewall is probably the best solution presently, unfortunately.

Actually, firewalling in Fedora is pretty dismal presently, because other things poke at iptables directly, such as libvirtd, while traditional firewall generators such as shorewall assume they have sole control over iptables configuration. What is really needed is a centralised firewall service that responds to events via dbus, IMO.

But, to get back on topic, I don't really see a way to solve your problem at the level of packaging changes, alas. Happy to hear suggestions though.
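
The dispatcher-script workaround discussed in Comments 4 and 5, as an added example rather than code from the reporter or the shorewall package. The file name 50-shorewall, the FW_IFACES variable and the choice of running `shorewall restart` on every "up" event are assumptions; eth0 is taken from the log above.

```shell
#!/bin/sh
# Added example of a NetworkManager dispatcher script, e.g. installed as the
# hypothetical /etc/NetworkManager/dispatcher.d/50-shorewall (root-owned,
# mode 0755, with the shorewall init service disabled).
# NetworkManager runs dispatcher scripts with $1 = interface, $2 = action.

# Interfaces whose routes shorewall needs at start-up (assumption: eth0,
# the interface named in the "Unable to determine the routes" error).
FW_IFACES="${FW_IFACES:-eth0}"
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"

# shorewall_action IFACE ACTION
# Prints the shorewall subcommand to run for this event, or nothing when the
# event is ignored.
shorewall_action() {
  iface=$1
  action=$2
  [ -n "$iface" ] || return 0
  case " $FW_IFACES " in
    *" $iface "*) ;;          # an interface the firewall depends on
    *) return 0 ;;            # wlan0, ttyUSB0, ...: not our concern
  esac
  case "$action" in
    # Routes exist once the device is activated. Assumption: "restart" also
    # brings up a firewall that is not yet running, so it covers both the
    # first activation after boot and later re-activations.
    up) echo restart ;;
    # On "down" the loaded rule set is deliberately left in place, so the
    # host does not drop to an unfiltered state when a link flaps.
    *) ;;
  esac
}

cmd=$(shorewall_action "${1:-}" "${2:-}")
if [ -n "$cmd" ]; then
  logger -t shorewall-dispatch "$1 $2: running shorewall $cmd"
  # A failed start must be visible: per the log above, a failed start runs
  # the stop/stopped scripts instead of loading the compiled rule set.
  "$SHOREWALL" "$cmd" ||
    logger -p daemon.err -t shorewall-dispatch "shorewall $cmd failed on $1 $2"
fi
```

With this arrangement no shorewall rule set is loaded between boot and the first "up" event for eth0, so that window has to be acceptable or covered by other means.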

Comment 6 Fedora Update System 2009-06-16 01:37:53 UTC
shorewall-4.2.9-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update shorewall'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-6094

Comment 7 Fedora Update System 2009-06-24 19:41:45 UTC
shorewall-4.2.9-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

