Description of problem:
I have a kickstart in which the following directives exist:

selinux --disabled
firewall --enabled --service=ssh

I find that livecd-creator will generate images in which port 22 (ssh) is not opened. I've investigated and believe the problem is with python-imgcreate and the way it calls lokkit in FirewallConfig.apply() and SelinuxConfig.apply(). In both cases the '-f' option is passed, which causes lokkit to ignore any preexisting configuration. While that's fine for the first call (opening port 22), the second call (to disable SEL) causes /etc/sysconfig/iptables to be rewritten, this time without port 22 being opened, thus losing the changes from the first call.

Version-Release number of selected component (if applicable):
livecd-tools-16.9-1.fc16.x86_64
python-imgcreate-16.9-1.fc16.x86_64
system-config-firewall-base-1.2.29-4.fc16.noarch

How reproducible: always

Steps to Reproduce:
1. Modify an existing kickstart to have the directives shown above.
2. Run livecd-creator to create the image.
3. Boot the image and observe the iptables configuration.

Actual results: Port 22 will not be open.

Expected results: Port 22 should be open.

Additional info:
I would have filed this under python-imgcreate, but that does not seem to be in the Components list on BZ for some reason.

You can also use the --shell option to livecd-creator and confirm the problem there by alternately running:

/usr/sbin/lokkit -f --verbose --nostart --enabled --service=ssh

and

/usr/sbin/lokkit -f --nostart --selinux=enabled

(as does python-imgcreate) and looking at /etc/sysconfig/iptables after each command. When I do this, I can clearly see one invocation squashing the settings of the other rather than accumulating those settings as needed. Dropping the '-f' option on all but the first invocation would seem necessary to get a cumulative effect.
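A small checker for step 3 of the reproduction above, so the state of /etc/sysconfig/iptables after each lokkit call can be compared mechanically rather than by eye. This is an added example, not code from the bug report or from livecd-tools/python-imgcreate; the two sample configurations are constructed in the format system-config-firewall writes, and the function names are assumptions.

```python
"""Parse a lokkit-style /etc/sysconfig/iptables and list the ports it accepts."""
import shlex

# Constructed sample: what lokkit writes after `--enabled --service=ssh`.
AFTER_FIREWALL_CALL = """\
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample: the same file after a later `lokkit -f` rewrite that
# did not carry the ssh service forward (the squashing the report describes).
AFTER_SELINUX_CALL = AFTER_FIREWALL_CALL.replace(
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n", "")


def _arg(tokens, flag):
    """Value following FLAG in a rule's token list, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def accepted_ports(config_text):
    """Return {(proto, dport)} for INPUT rules that ACCEPT on a --dport."""
    opened = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT"):
            continue  # comments, table/chain headers, COMMIT, other chains
        tokens = shlex.split(line)
        dport = _arg(tokens, "--dport")
        if dport is None or _arg(tokens, "-j") != "ACCEPT":
            continue  # e.g. the ESTABLISHED,RELATED, icmp, lo or REJECT rules
        opened.add((_arg(tokens, "-p") or "any", dport))
    return opened


def lost_ports(before_text, after_text):
    """Ports open in the earlier config but missing after the later rewrite."""
    return accepted_ports(before_text) - accepted_ports(after_text)
```

On a real image, pass the contents of /etc/sysconfig/iptables (and of the .old copy, when lokkit leaves one) to these functions; a non-empty result from lost_ports is the symptom described above.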
Created attachment 549088
Patch that fixes the problem

I cannot clone the project, so this patch is made against an actual install of python-imgcreate-16.9-1.fc16.x86_64. I've tried various combinations of having the firewall enabled (with specific ports opened)/disabled and selinux disabled/enforcing, and all seemed to work perfectly with this patch.
*** Bug 746213 has been marked as a duplicate of this bug. ***
livecd-tools-16.10-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/livecd-tools-16.10-1.fc16
Package livecd-tools-16.10-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing livecd-tools-16.10-1.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17365/livecd-tools-16.10-1.fc16
then log in and leave karma (feedback).
livecd-tools-16.10-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I believe this has re-surfaced on RHEL 6. To reproduce:

1. Install python-imgcreate-13.4.7, system-config-firewall-1.2.27
2. Add `firewall --enabled --ssh` and `selinux --permissive` to the Kickstart file
3. Create the image

At this point, the image contains /etc/sysconfig/iptables.old with port 22 open and /etc/sysconfig/iptables with port 22 closed. It seems this is still being stamped over by `SelinuxConfig.apply`, which now runs `/usr/sbin/lokkit -f`. This was introduced by commit d20abcc1cec55a01b937a358a70c8c29b6c2661b <http://pkgs.fedoraproject.org/cgit/livecd-tools.git/commit/?h=el6&id=d20abcc1cec55a01b937a358a70c8c29b6c2661b>. After installing python-imgcreate-13.4.5 <http://koji.fedoraproject.org/koji/buildinfo?buildID=495333> it works.
(In reply to Victor Engmark from comment #6)
> I believe this has re-surfaced on RHEL 6. To reproduce:

Please open a new bug for the correct component. I'm not sure why 13.4.5 would work; the selinux apply was moved to the bottom of that block back in 13.2.