On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
On 10/01/2012 07:34 PM, Ed Greshko wrote:
On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
On 30 September 2012 23:09, Ed Greshko Ed.Greshko@greshko.com wrote:
I just started playing around with firewalld and I found something that doesn't seem right to me.
If any user starts firewall-applet and then selects "Block all network traffic" it will do as asked without any prompt for root's password or any other authentication.
This seems crazy to me.
Does the opposite work? Can the person turn off the firewall?
I imagine that the on/off setting is what is labeled "Shields UP". Not sure of their jargon. But, here is the "strange" thing.
When the applet is started the "Shields UP" is unchecked. But, for sure the firewall is running.
If you check the box, you get an authentication dialog. If you hit "cancel" I would expect the box to remain unchecked. However, it switches to being checked... even though nothing is done.
Checking the box and providing the root password results in an error message (iptables: Invalid argument) in the terminal where the applet was started, as well as an SELinux AVC denial.
Uggh...
What is the SELinux denial?
type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file