On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
> On 10/01/2012 07:34 PM, Ed Greshko wrote:
> > On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
> >> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko@xxxxxxxxxxx> wrote:
> >>> I just started playing around with firewalld and I found something that
> >>> doesn't seem right to me.
> >>>
> >>> If any user starts firewall-applet and then selects "Block all network
> >>> traffic" it will do as asked without any prompt for root's password or
> >>> any other authentication.
> >>>
> >>> This seems crazy to me.
> >> Does the opposite work? Can the person turn off the firewall?
> >>
> >
> > I imagine that the on/off setting is what is labeled "Shields UP". Not
> > sure of their jargon. But, here is the "strange" thing.
> >
> > When the applet is started the "Shields UP" is unchecked. But, for sure
> > the firewall is running.
> >
> > If you check the box, you get an authentication dialog. If you hit
> > "cancel" I would expect the box to remain unchecked. However, it switches
> > to being checked....even though nothing is done.
> >
> > Checking the box and providing the root password results in an error message
> > (iptables: Invalid argument) in the terminal where the applet was started
> > as well as an selinux AVC denial.
> >
> > Uggh...
>
> What is the SELinux denial?

type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

--
Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots.
So far, the Universe is winning.
-- Rick Cook, The Wizardry Compiled