Bug 583986 - lokkit creates firewall in selinux only mode
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: 13
Hardware: All Linux
Priority: low Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Blocks: 568528 583987
Reported: 2010-04-20 08:58 EDT by Thomas Woerner
Modified: 2010-09-28 05:04 EDT
Fixed In Version: system-config-firewall-1.2.25-1.fc13
Doc Type: Bug Fix
: 583987
Last Closed: 2010-04-30 19:38:19 EDT


Attachments
Proposed patch (2.94 KB, patch)
2010-04-20 09:40 EDT, Thomas Woerner

Description Thomas Woerner 2010-04-20 08:58:09 EDT
Description of problem:
Using selinux options with lokkit results in selinux and firewall configurations. This is a problem for anaconda, because it is using lokkit to set the initial selinux configuration before configuring the firewall with an additional lokkit call later on.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.24-1

How reproducible:
Always

Steps to Reproduce:
1. Remove all firewall configuration files from the system: rm -rf /etc/sysconfig/ip*tables /etc/sysconfig/system-config-firewall
2. Configure selinux: lokkit --selinux=enforcing
3. Check firewall configuration: ls -l /etc/sysconfig/ip*tables /etc/sysconfig/system-config-firewall
  
Actual results:
Firewall will be configured by using selinux options only.

Expected results:
Using selinux options will not touch the firewall.

Additional info:
There are two ways to solve this problem:
1) selinux options will not be usable with firewall options. They will conflict with firewall options. No default firewall will be created by turning off default option "--enabled".

2) A new option like "--nofw" will turn off firewall defaults and therefore the firewall will not be touched at all. Will conflict with firewall options supplied by the user.
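
A regression check for the reproduction steps above, as an added example that is not part of the original report or of the system-config-firewall code: it fingerprints the firewall files named in step 3 before and after a command and reports whether they were touched. The function names and the directory parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not lokkit or system-config-firewall code).
# Checks that a command leaves the firewall configuration files from the
# report untouched: ip*tables and system-config-firewall in a sysconfig dir.

# Print one "checksum size name" line per existing firewall config file.
fw_fingerprint() {
    fp_dir=$1
    for f in "$fp_dir"/ip*tables "$fp_dir"/system-config-firewall; do
        [ -e "$f" ] || continue    # unmatched glob or file not present
        printf '%s %s\n' "$(cksum < "$f")" "${f##*/}"
    done
}

# usage: fw_untouched_by DIR CMD [ARGS...]
# returns 0 = files unchanged, 1 = created/removed/modified, 2 = CMD failed
fw_untouched_by() {
    chk_dir=$1; shift
    before=$(fw_fingerprint "$chk_dir")
    "$@" >/dev/null 2>&1 || return 2
    after=$(fw_fingerprint "$chk_dir")
    [ "$before" = "$after" ] && return 0
    {
        echo "firewall configuration changed by: $*"
        echo "before: ${before:-<no files>}"
        echo "after:  ${after:-<no files>}"
    } >&2
    return 1
}

# On a test system, as root, the check for step 2 of the report would be:
#   fw_untouched_by /etc/sysconfig lokkit --selinux=enforcing
```

Passing a scratch directory instead of /etc/sysconfig lets the check be exercised without touching a live configuration.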
Comment 1 Thomas Woerner 2010-04-20 09:40:53 EDT
Created attachment 407820
Proposed patch
Comment 2 James Laska 2010-04-23 12:26:50 EDT
Bug#568528 (a Fedora 13 Release blocker) depends on this issue to move forward.  I'm adding this bug to F13Blocker as well.
Comment 3 Adam Williamson 2010-04-23 12:28:58 EDT
Thomas, just to be sure the situation's clear, bug #568528 depends on this one, and is a Fedora 13 blocker bug, so we'd like to have this applied and built into F13 as soon as possible so we can be sure to have 568528 fixed in plenty of time for the final release. Can you please prioritize this issue? Thanks!



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 4 Thomas Woerner 2010-04-26 10:51:06 EDT
Fixed in system-config-firewall-1.2.25-1.fc13.

http://koji.fedoraproject.org/koji/buildinfo?buildID=168776
Comment 5 Fedora Update System 2010-04-26 11:13:06 EDT
system-config-firewall-1.2.25-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/system-config-firewall-1.2.25-1.fc13
Comment 6 Fedora Update System 2010-04-27 01:49:50 EDT
system-config-firewall-1.2.25-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update system-config-firewall'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-firewall-1.2.25-1.fc13
Comment 7 Fedora Update System 2010-04-30 19:38:08 EDT
system-config-firewall-1.2.25-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
