firewalld this doesn't seem right....

Daniel J Walsh dwalsh at redhat.com
Wed Oct 3 21:04:24 UTC 2012



On 10/02/2012 08:39 PM, Ed Greshko wrote:
> On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
>> On 10/01/2012 07:34 PM, Ed Greshko wrote:
>>> On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
>>>> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko at greshko.com>
>>>> wrote:
>>>>> I just started playing around with firewalld and I found something
>>>>> that doesn't seem right to me.
>>>>> 
>>>>> If any user starts firewall-applet and then selects "Block all
>>>>> network traffic" it will do as asked without any prompt for root's
>>>>> password or any other authentication.
>>>>> 
>>>>> This seems crazy to me.
>>>> Does the opposite work? Can the person turn off the firewall?
>>>> 
>> 
>>> I imagine that the on/off setting is what is labeled "Shields UP".
>>> Not sure of their jargon.  But, here is the "strange" thing.
>> 
>>> When the applet is started the "Shields UP" is unchecked.  But, for
>>> sure the firewall is running.
>> 
>>> If you check the box, you get an authentication dialog.  If you hit
>>> "cancel" I would expect the box to remain unchecked.  However, it
>>> switches to being checked... even though nothing is done.
>> 
>>> Checking the box and providing the root password results in an error
>>> message (iptables: Invalid argument) in the terminal where the applet
>>> was started, as well as an SELinux AVC denial.
>> 
>>> Uggh...
>> 
>> What is the SELinux denial?
> 
> type=AVC msg=audit(1349049826.875:414): avc:  denied  { getattr } for
> pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
> 
> type=AVC msg=audit(1349049827.010:415): avc:  denied  { getattr } for
> pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
> 

firewalld should not be running setfiles, or restorecon.
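An added example, not part of the thread and not code from firewalld or the SELinux tooling: a small Python parser that turns raw `type=AVC` audit records like the two quoted above into structured records and summarises them by (source domain, target type, class, permission). Grouping denials this way is what lets a maintainer see at a glance that the offending domain is firewalld_t and the target is setfiles_exec_t, which points at the real question (why is firewalld invoking setfiles at all?) rather than at a missing allow rule. The first two sample records are the ones quoted in the thread; the SYSCALL line and the third AVC record are constructed here for illustration.

```python
import re
from collections import Counter

# Sample audit.log excerpt. Records 1 and 2 are the AVC lines quoted in the
# thread; the SYSCALL line and the third AVC record ("execute") are constructed
# to show that non-AVC lines are skipped and that distinct permissions are
# counted separately.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1349049826.875:414): avc:  denied  { getattr } for '
    'pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 '
    'scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1349049827.010:415): avc:  denied  { getattr } for '
    'pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 '
    'scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file',
    # constructed: a non-AVC record that the parser must ignore
    'type=SYSCALL msg=audit(1349049827.010:415): arch=c000003e syscall=4 '
    'success=no exit=-13',
    # constructed: same domain/target pair, different permission
    'type=AVC msg=audit(1349049900.000:420): avc:  denied  { execute } for '
    'pid=2431 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 '
    'scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file',
])

# Header of an AVC record: timestamp, serial, result, permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$"
)
# Trailing key=value fields; values may be quoted (comm="sh") or bare (pid=2428).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component (third field) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(fields)
    rec["source_type"] = type_of(rec.get("scontext", ""))
    rec["target_type"] = type_of(rec.get("tcontext", ""))
    return rec


def parse_audit_log(text):
    """Parse all AVC records in a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r.get("tclass", ""), perm)] += 1
    return counts


def denials_from_domain(records, domain):
    """Return the denied records whose source domain matches `domain`."""
    return [r for r in records if r["result"] == "denied" and r["source_type"] == domain]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize_denials(recs).items()):
        src, tgt, cls, perm = key
        print(f"{n:3d}  {src} -> {tgt} ({cls}: {perm})")
    for r in denials_from_domain(recs, "firewalld_t"):
        print(f"serial {r['serial']}: comm={r['comm']} path={r.get('path')}")
```

Running it against the thread's records produces two rows for firewalld_t against setfiles_exec_t, and the `comm="sh"` plus `path="/usr/sbin/setfiles"` detail shows a shell spawned from the firewalld domain touching the setfiles binary. That is the evidence behind the reply above: the fix belongs in what firewalld executes, not in the policy.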