-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2012 08:39 PM, Ed Greshko wrote:
> On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
>> On 10/01/2012 07:34 PM, Ed Greshko wrote:
>>> On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
>>>> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko@xxxxxxxxxxx>
>>>> wrote:
>>>>> I just started playing around with firewalld and I found something
>>>>> that doesn't seem right to me.
>>>>>
>>>>> If any user starts firewall-applet and then selects "Block all
>>>>> network traffic" it will do as asked without any prompt for root's
>>>>> password or any other authentication.
>>>>>
>>>>> This seems crazy to me.
>>>> Does the opposite work? Can the person turn off the firewall?
>>>>
>>
>>> I imagine that the on/off setting is what is labeled "Shields UP".
>>> Not sure of their jargon. But, here is the "strange" thing.
>>
>>> When the applet is started the "Shields UP" is unchecked. But, for
>>> sure the firewall is running.
>>
>>> If you check the box, you get an authentication dialog. If you hit
>>> "cancel" I would expect the box to remain unchecked. However, it
>>> switches to being checked....even though nothing is done.
>>
>>> Checking the box and providing the root password results in an error
>>> message (iptables: Invalid argument) in the terminal where the applet
>>> was started as well as an SELinux AVC denial.
>>
>>> Uggh...
>>
>> What is the SELinux denial?
>
> type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for
> pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
>
> type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for
> pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
>

firewalld should not be running setfiles, or restorecon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBsqFgACgkQrlYvE4MpobPtaACguXwwrWVt21w1qUDYvE6pGRL6
6YAAnR2kKUBkAdsHE+Tbrv8OelNtPJW2
=fS4e
-----END PGP SIGNATURE-----
-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test