On 03/01/17 05:59, jdow wrote:
> On 2017-01-02 18:40, Tom H wrote:
>> On Mon, Jan 2, 2017 at 5:06 PM, jdow <j...@earthlink.net> wrote:
> ...
>>>   Erasing    : firewalld-0.4.3.2-8.el7.noarch
>>> 7/7
>>> warning: /etc/firewalld/lockdown-whitelist.xml saved as
>>> /etc/firewalld/lockdown-whitelist.xml.rpmsave
>>>
>>> That smells amusing and puzzling but not dangerous to me.
>>
>> So it's not fully or properly installed, :) and :(
> 
> ...
> 
> One wonders about the missing EULA info.
> 
> The lockdown-whitelist thing is more or less a "but why?" component.

lockdown in firewalld jargon is more like "which component/user may
modify the firewall if the firewall configuration has been locked down".

When firewalld is set into locked-down mode, no one is able to
manipulate the firewall.  Otherwise, anyone granted admin privileges (as
defined in the PolicyKit policy for the firewalld component) may
manipulate the firewall.  So it tightens the access, regardless of
whether PolicyKit grants access.  The default policy has uid=0,
firewall-config, NetworkManager and libvirtd in this whitelist.

Remember that firewalld provides an API over D-Bus for dynamic firewall
updates, so this is kind of to "seal" the configuration without breaking
any component depending on manipulating the firewall as the system is
running.  NetworkManager and libvirt are two components which adjust
the firewall on-the-fly, depending on which network you're connected to
or which VMs have been started, and so on.


-- 
kind regards,

David Sommerseth
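The access rule David describes above (lockdown on: only whitelisted uids, SELinux contexts or commands may change the firewall over D-Bus; lockdown off: PolicyKit alone decides), as an added example that is not part of the thread or of firewalld's own code. The whitelist XML is constructed here in a temporary directory as a stand-in for /etc/firewalld/lockdown-whitelist.xml, with the four default entries named in the mail (uid 0, firewall-config, NetworkManager, libvirtd); the exact firewall-config command path and SELinux contexts are assumptions. `lockdown_check` is a hypothetical helper that mirrors the decision, not firewalld's implementation.

```shell
#!/bin/sh
# Constructed stand-in for /etc/firewalld/lockdown-whitelist.xml. The entries
# follow the mail (uid 0, firewall-config, NetworkManager, libvirtd); the
# command path and SELinux contexts are assumed, not copied from a live host.
WHITELIST_DIR="${TMPDIR:-/tmp}/fw-lockdown-demo.$$"
mkdir -p "$WHITELIST_DIR"
WHITELIST="$WHITELIST_DIR/lockdown-whitelist.xml"
trap 'rm -rf "$WHITELIST_DIR"' EXIT

cat > "$WHITELIST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-config"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0"/>
  <user id="0"/>
</whitelist>
EOF

# Hypothetical helper: print "allowed" or "denied" for a D-Bus caller
# described by uid, SELinux context and command line.
#   $1  "yes" if lockdown is on, anything else if off
#   $2  caller uid
#   $3  caller SELinux context
#   $4  caller command line
# With lockdown on, a change is permitted only if one of the three matches
# a whitelist entry. With lockdown off, nothing beyond PolicyKit applies,
# so this helper reports "allowed" (polkit is assumed to have already said yes).
lockdown_check() {
    lockdown="$1"; uid="$2"; ctx="$3"; cmd="$4"
    if [ "$lockdown" != "yes" ]; then
        echo allowed
        return 0
    fi
    # -F: match the literal string, so '.' and '-' in paths are not regex
    if grep -qF "<user id=\"$uid\"/>" "$WHITELIST" ||
       grep -qF "<selinux context=\"$ctx\"/>" "$WHITELIST" ||
       grep -qF "<command name=\"$cmd\"/>" "$WHITELIST"; then
        echo allowed
    else
        echo denied
    fi
}

# On a real host the same state is managed with firewall-cmd, for example:
#   firewall-cmd --lockdown-on
#   firewall-cmd --query-lockdown
#   firewall-cmd --permanent --add-lockdown-whitelist-uid=1000
#   firewall-cmd --list-lockdown-whitelist-uids
# A caller that is not in the whitelist gets its D-Bus request rejected
# while lockdown is on, even if PolicyKit would otherwise grant it.
```

Running the checks against the constructed whitelist shows why NetworkManager and libvirtd keep working under lockdown (their contexts match) while an arbitrary admin user does not, until that uid is added with `--add-lockdown-whitelist-uid`.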
