Linux Archive

Ed Greshko 10-03-2012 12:07 AM

firewalld this doesn't seem right....
 
On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
> On 10/01/2012 07:34 PM, Ed Greshko wrote:
> > On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
> >> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko@greshko.com> wrote:
> >>> I just started playing around with firewalld and I found something that
> >>> doesn't seem right to me.
> >>>
> >>> If any user starts firewall-applet and then selects "Block all network
> >>> traffic" it will do as asked without any prompt for root's password or
> >>> any other authentication.
> >>>
> >>> This seems crazy to me.
> >> Does the opposite work? Can the person turn off the firewall?
> >>
>
> > I imagine that the on/off setting is what is labeled "Shields UP". Not
> > sure of their jargon. But, here is the "strange" thing.
>
> > When the applet is started the "Shields UP" is unchecked. But, for sure
> > the firewall is running.
>
> > If you check the box, you get an authentication dialog. If you hit
> > "cancel" I would expect the box to remain unchecked. However, it switches
> > to being checked....even though nothing is done.
>
> > Checking the box and providing the root password results in an error message
> > (iptables: Invalid argument) in the terminal where the applet was started
> > as well as an SELinux AVC denial.
>
> > Uggh...
>
> What is the SELinux denial?

type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled
