Proposed F19 Feature: firewalld Lockdown

Miloslav Trmač mitr at volny.cz
Wed Feb 6 11:52:25 UTC 2013


On Wed, Feb 6, 2013 at 1:34 AM, Adam Williamson <awilliam at redhat.com> wrote:
> On Tue, 2013-02-05 at 17:20 -0500, Matthew Miller wrote:
>> On Wed, Jan 30, 2013 at 12:51:49PM +0000, Jaroslav Reznik wrote:
>> > This feature adds a simple configuration setting for firewalld to be able to
>> > lock down configuration changes from local applications.
>> > == Detailed description ==
>> > Local applications are able to change the firewall configuration. With this
>> > feature the administrator can lock the firewall configuration and these
>> > applications are not able to modify the firewall anymore.
>> >
>> > The lockdown feature is the first part of user and application policies for
>> > firewalld and will be disabled by default.
>>
>> Without this feature, the available changes users can make are not limited
>> in any way, right? That is, with current firewalld, any local user can
>> change the firewall without additional authentication?
>
> I'm not sure that's correct, no. When I launch firewall-config I'm asked
> for auth. It's as my local user, but I think that's because my local
> user is set as an admin account. I don't believe regular (non-admin)
> users can modify the config. I'm willing to be wrong, though.

Looking at /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy
quoted below, the default seems locked down to administrators already.
 Hm, so what does the feature really do?
   Mirek

  <action id="org.fedoraproject.FirewallD1.config">
    <description>Firewall configuration</description>
    <message>System policy prevents to change the firewall configuration</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.fedoraproject.FirewallD1.direct">
    <description>Firewall direct interface</description>
    <message>System policy prevents to use the firewall direct interface</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
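The check Mirek does by eye above, reading the <defaults> of each polkit action, can be automated. The script below is an added example, not part of the thread or of firewalld: it parses a .policy document, reports each action's allow_any/allow_inactive/allow_active defaults, and flags any default an ordinary (non-admin) user could satisfy. It uses the two firewalld actions quoted above as input, plus a constructed weakened copy; treating an absent setting as "no" is an assumption made here.

```python
import xml.etree.ElementTree as ET

# polkit <defaults> values that keep an action out of an ordinary user's
# reach: refused outright, or gated on an administrator's credentials.
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}
SETTINGS = ("allow_any", "allow_inactive", "allow_active")

# The two firewalld actions quoted in the thread, wrapped in the
# <policyconfig> root a real .policy file has (XML header and DOCTYPE
# omitted for brevity).
FIREWALLD_POLICY = """<policyconfig>
  <action id="org.fedoraproject.FirewallD1.config">
    <description>Firewall configuration</description>
    <message>System policy prevents to change the firewall configuration</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.fedoraproject.FirewallD1.direct">
    <description>Firewall direct interface</description>
    <message>System policy prevents to use the firewall direct interface</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# Constructed variant: the console-session default of the config action
# has been relaxed to "yes", so no authentication is asked for at all.
WEAKENED_POLICY = FIREWALLD_POLICY.replace(
    "<allow_active>auth_admin_keep</allow_active>",
    "<allow_active>yes</allow_active>", 1)


def policy_defaults(policy_xml):
    """Map every action id in a .policy document to its <defaults> values."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        # Assumption: a missing <defaults> element or setting counts as "no".
        result[action.get("id")] = {
            s: (defaults.findtext(s, "no") if defaults is not None else "no").strip()
            for s in SETTINGS}
    return result


def non_admin_actions(policy_xml):
    """(action id, setting, value) for each default a non-admin user could satisfy."""
    return [(aid, s, v) for aid, d in policy_defaults(policy_xml).items()
            for s, v in d.items() if v not in ADMIN_GATED]
```

Run over /usr/share/polkit-1/actions/*.policy on a host, an empty result from non_admin_actions confirms that the configuration actions are already administrator-only, which is the point Mirek raises.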
