Bug 583986 - lokkit creates firewall in selinux only mode
Summary: lokkit creates firewall in selinux only mode
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 568528 583987
Reported: 2010-04-20 12:58 UTC by Thomas Woerner
Modified: 2010-09-28 09:04 UTC

Fixed In Version: system-config-firewall-1.2.25-1.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 583987
Last Closed: 2010-04-30 23:38:19 UTC

Attachments
Proposed patch (2.94 KB, patch)
2010-04-20 13:40 UTC, Thomas Woerner

Description Thomas Woerner 2010-04-20 12:58:09 UTC
Description of problem:
Using selinux options with lokkit results in selinux and firewall configurations. This is a problem for anaconda, because it is using lokkit to set the initial selinux configuration before configuring the firewall with an additional lokkit call later on.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Remove all firewall configuration files from the system: rm -rf /etc/sysconfig/ip*tables /etc/sysconfig/system-config-firewall
2. Configure selinux: lokkit --selinux=enforcing
3. Check firewall configuration: ls -l /etc/sysconfig/ip*tables /etc/sysconfig/system-config-firewall
Actual results:
Firewall will be configured by using selinux options only.

Expected results:
Using selinux options will not touch the firewall.

Additional info:
There are two ways to solve this problem:
1) selinux options will not be usable with firewall options. They will conflict with firewall options. No default firewall will be created by turning off default option "--enabled".

2) A new option like "--nofw" will turn off firewall defaults and therefore the firewall will not be touched at all. Will conflict with firewall options supplied by the user.

Comment 1 Thomas Woerner 2010-04-20 13:40:53 UTC
Created attachment 407820
Proposed patch

Comment 2 James Laska 2010-04-23 16:26:50 UTC
Bug#568528 (a Fedora 13 Release blocker) depends on this issue to move forward.  I'm adding this bug to F13Blocker as well.

Comment 3 Adam Williamson 2010-04-23 16:28:58 UTC
Thomas, just to be sure the situation's clear, bug #568528 depends on this one, and is a Fedora 13 blocker bug, so we'd like to have this applied and built into F13 as soon as possible so we can be sure to have 568528 fixed in plenty of time for the final release. Can you please prioritize this issue? Thanks!

Fedora Bugzappers volunteer triage team

Comment 4 Thomas Woerner 2010-04-26 14:51:06 UTC
Fixed in system-config-firewall-1.2.25-1.fc13.


Comment 5 Fedora Update System 2010-04-26 15:13:06 UTC
system-config-firewall-1.2.25-1.fc13 has been submitted as an update for Fedora 13.

Comment 6 Fedora Update System 2010-04-27 05:49:50 UTC
system-config-firewall-1.2.25-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update system-config-firewall'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-firewall-1.2.25-1.fc13

Comment 7 Fedora Update System 2010-04-30 23:38:08 UTC
system-config-firewall-1.2.25-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
