Re: firewalld this doesn't seem right....

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
> On 10/01/2012 07:34 PM, Ed Greshko wrote:
> > On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
> >> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko@xxxxxxxxxxx> wrote:
> >>> I just started playing around with firewalld and I found something that
> >>> doesn't seem right to me.
> >>>
> >>> If any user starts firewall-applet and then selects "Block all network
> >>> traffic" it will do as asked without any prompt for root's password or
> >>> any other authentication.
> >>>
> >>> This seems crazy to me.
> >> Does the opposite work? Can the person turn off the firewall?
> >>
>
> > I imagine that the on/off setting is what is labeled "Shields UP".  Not
> > sure of their jargon.  But, here is the "strange" thing.
>
> > When the applet is started the "Shields UP" is unchecked.  But, for sure
> > the firewall is running.
>
> > If you check the box, you get an authentication dialog.  If you hit
> > "cancel" I would expect the box to remain unchecked.  However, it switches
> > to being checked....even though nothing is done.
>
> > Checking the box and providing the root password results in a error message
> > (iptables: Invalid argument) in the terminal where the applet was started
> > as well as an selinux AVC denial.
>
> > Uggh...
>
> What is the SELinux denial?

type=AVC msg=audit(1349049826.875:414): avc:  denied  { getattr } for  pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

type=AVC msg=audit(1349049827.010:415): avc:  denied  { getattr } for  pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
-- 
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
            -- Rick Cook, The Wizardry Compiled
-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux