Re: Adventures with 7.2

2017-01-03 Thread David Sommerseth
On 03/01/17 05:59, jdow wrote:
> On 2017-01-02 18:40, Tom H wrote:
>> On Mon, Jan 2, 2017 at 5:06 PM, jdow  wrote:
> ...
>>>   Erasing: firewalld-0.4.3.2-8.el7.noarch
>>> 7/7
>>> warning: /etc/firewalld/lockdown-whitelist.xml saved as
>>> /etc/firewalld/lockdown-whitelist.xml.rpmsave
>>>
>>> That smells amusing and puzzling but not dangerous to me.
>>
>> So it's not fully or properly installed, :) and :(
> 
> ...
> 
> One wonders about the missing EULA info.
> 
> The lockdown-whitelist thing is more or less a "but why?" component.

lockdown in firewalld jargon is more like "which component/user may
modify the firewall if the firewall configuration has been locked down".

When firewalld is set into locked-down mode, no-one is able to
manipulate the firewall.  Otherwise, anyone granted admin privileges (as
defined in the PolicyKit policy for the firewalld component) may
manipulate the firewall.  So it tightens the access, regardless of
whether PolicyKit grants access.  The default policy has uid=0,
firewall-config, NetworkManager and libvirtd in this whitelist.

Remember that firewalld provides an API over D-Bus for dynamic firewall
updates, so this is kind of to "seal" the configuration without breaking
any component depending on manipulating the firewall as the system is
running.  NetworkManager and libvirt are two components which adjust
the firewall on-the-fly, depending on which network you're connected to
or which VMs have been started, and so on.


-- 
kind regards,

David Sommerseth
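The lockdown decision David describes, as an added example that is not firewalld's own code: a small POSIX sh model of "is this caller on the lockdown whitelist?", driven by a constructed copy of the stock lockdown-whitelist.xml. It assumes the four entries shown are what firewalld 0.4.x on CentOS 7 installs (check the real file at /etc/firewalld/lockdown-whitelist.xml) and models only exact command-line matches, not firewalld's trailing-`*` wildcard or `<user name=.../>` entries.

```shell
#!/bin/sh
# Added example, not firewalld code: model the lockdown check firewalld
# applies to a D-Bus caller when lockdown is on.
#
# Constructed copy of the default whitelist (assumption: this is the stock
# CentOS 7 file; verify with: cat /etc/firewalld/lockdown-whitelist.xml).
# The live state can be read with:
#   firewall-cmd --query-lockdown
#   firewall-cmd --list-lockdown-whitelist-uids
#   firewall-cmd --list-lockdown-whitelist-commands
#   firewall-cmd --list-lockdown-whitelist-contexts
WHITELIST='<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-config"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0-s0:c0.c1023"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>'

# Fixed-string search so dots and colons in a context are matched literally.
in_whitelist() {
    printf '%s\n' "$WHITELIST" | grep -qF -- "$1"
}

# lockdown_allows LOCKDOWN UID SELINUX_CONTEXT COMMANDLINE
#   LOCKDOWN is "yes" or "no", what firewall-cmd --query-lockdown reports.
# Prints:
#   polkit  lockdown is off; the request falls through to the PolicyKit
#           policy for firewalld (not modelled here)
#   allow   lockdown is on and the caller matches a whitelist entry
#   deny    lockdown is on and nothing matched, whatever PolicyKit says
lockdown_allows() {
    lockdown=$1; uid=$2; ctx=$3; cmdline=$4
    if [ "$lockdown" != "yes" ]; then
        echo polkit
        return 0
    fi
    if in_whitelist "<user id=\"$uid\"/>" \
       || { [ -n "$ctx" ] && in_whitelist "<selinux context=\"$ctx\"/>"; } \
       || { [ -n "$cmdline" ] && in_whitelist "<command name=\"$cmdline\"/>"; }
    then
        echo allow
    else
        echo deny
    fi
}

# Constructed callers: root, an ordinary user running iptables, NetworkManager.
lockdown_allows yes 0    '' ''
lockdown_allows yes 1000 '' '/usr/sbin/iptables -L -v'
lockdown_allows yes 1000 'system_u:system_r:NetworkManager_t:s0-s0:c0.c1023' ''
lockdown_allows no  1000 '' ''
```

Lockdown is switched with `firewall-cmd --lockdown-on` / `--lockdown-off`, and entries are added with `firewall-cmd --permanent --add-lockdown-whitelist-command='...'` (and the `-uid`, `-user`, `-context` variants). Note what it guards: only the firewalld D-Bus API. A root shell that runs iptables directly bypasses firewalld entirely, which is why the whitelist is about keeping NetworkManager and libvirt working rather than stopping root.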


Re: Adventures with 7.2

2017-01-03 Thread jdow

On 2017-01-03 09:56, David Sommerseth wrote:
> On 03/01/17 05:59, jdow wrote:
>> ...
>> The lockdown-whitelist thing is more or less a "but why?" component.
> 
> lockdown in firewalld jargon is more like "which component/user may
> modify the firewall if the firewall configuration has been locked down".
> 
> When firewalld is set into locked-down mode, no-one is able to
> manipulate the firewall.  Otherwise, anyone granted admin privileges (as
> defined in the PolicyKit policy for the firewalld component) may
> manipulate the firewall.  So it tightens the access, regardless of
> whether PolicyKit grants access.  The default policy has uid=0,
> firewall-config, NetworkManager and libvirtd in this whitelist.
> 
> Remember that firewalld provides an API over D-Bus for dynamic firewall
> updates, so this is kind of to "seal" the configuration without breaking
> any component depending on manipulating the firewall as the system is
> running.  NetworkManager and libvirt are two components which adjust
> the firewall on-the-fly, depending on which network you're connected to
> or which VMs have been started, and so on.


That still leaves me mumbling and led me down a midget rabbit hole. The 
"iptables" command is 777 root root system_u:object_r:bin_t:s0; but, that's OK. 
It's a link - to xtables-multi, which is rwxr-xr-x. root root 
system_u:object_r:iptables_exec_t:s0. Waitaminit says I to meself. (or is it me 
to iself? Whatever) Let's give that a try. The results are reassuring:

===8<---
[jdow@whereever ~]$ xtables-multi iptables -L -v
iptables v1.4.21: can't initialize iptables table `filter': Permission denied 
(you must be root)

Perhaps iptables or your kernel needs to be upgraded.
===8<---
I guess the ancient philosophy of one task one command is passé and now a 
monstrosity like xtables-multi finds itself masquerading as iptables and about a 
dozen other things. I have a skewed sense of humor so I find that amusing. I see 
it's been that way for some years now even in 6.x. I just never had cause to 
look for this. Somebody liked the inetd model later called xinetd. (Speaking of 
which, I notice systemd seems to have subsumed even that functionality. It's 
good from a central management standpoint. It's yet another unclear puzzle when 
initially trying to wrap one's mind around systemd.)


Preserving the lockdown file for something that is removed from the system, 
though, seems to be silly to my fevered brain.


Gee, my rant has led to some good learning and a slightly fascinating rabbit 
hole, as well as the frustrating systemd mile deep rabbit hole.


{^_^}


Re: Adventures with 7.2

2017-01-03 Thread Tom H
On Tue, Jan 3, 2017 at 3:11 PM, jdow  wrote:
> On 2017-01-03 09:56, David Sommerseth wrote:
>>
>> Remember that firewalld provides an API over D-Bus for dynamic
>> firewall updates, so this is kind of to "seal" the configuration
>> without breaking any component depending on manipulating the firewall
>> as the system is running. NetworkManager and libvirt are two
>> components which adjusts the firewall on-the-fly, depending on which
>> network you're connected to or which VMs have been started, and so on.
>
> That still leaves me mumbling and led me down a midget rabbit hole.
> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
> meself. (or is it me to iself? Whatever) Let's give that a try The
> results are reassuring:
> ===8<---
> [jdow@whereever ~]$ xtables-multi iptables -L -v
> iptables v1.4.21: can't initialize iptables table `filter': Permission
> denied (you must be root)
> Perhaps iptables or your kernel needs to be upgraded.
> ===8<---
> I guess the ancient philosophy of one task one command is passe' and
> now a monstrosity like xtables-multi finds itself masquerading as
> iptables and about a dozen other things.

/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/iptables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/ip6tables

are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
binary, like busybox.

There are others.

Off the top of my head, dnsdomainname, domainname, nisdomainname,
ypdomainname are symlinks to hostname; halt, poweroff, reboot,
shutdown are symlinks to systemctl; view is a symlink to vi; etc.

It's normal for "iptables" to fail if you call it as jdow; but if you
have polkit installed, "pkexec iptables" might work (depending on your
polkit policies; "sudo ..." and "su -c ..." will work if you're
authorized).
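The multi-call layout Tom lists, as an added example rather than xtables-multi itself: a toy program built the same way (one executable, many names, dispatch on argv[0], with the applet name also accepted as the first argument), plus the six symlinks. It runs as an ordinary user in a scratch directory, and also shows the point jdow tripped over: a symlink always reports lrwxrwxrwx, while the mode bits that count are the target's. The applet outputs are made up for the demo.

```shell
#!/bin/sh
# Added example, not xtables-multi: a toy multi-call program and the six
# symlink names from the thread, set up in a scratch directory.
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# The one "binary". Like xtables-multi it looks at the name it was invoked
# under, unless called under its own name, in which case the first argument
# names the applet ("xtables-multi iptables -L -v").
cat > "$DIR/xtables-multi" <<'EOF'
#!/bin/sh
applet=$(basename "$0")
if [ "$applet" = "xtables-multi" ]; then
    applet=$1
    shift
fi
case "$applet" in
    iptables|ip6tables)                 echo "$applet: rule editor, args: $*" ;;
    iptables-save|ip6tables-save)       echo "$applet: dump ruleset" ;;
    iptables-restore|ip6tables-restore) echo "$applet: load ruleset" ;;
    *) echo "$applet: no such applet" >&2; exit 1 ;;
esac
EOF
chmod 755 "$DIR/xtables-multi"   # rwxr-xr-x, the mode of the real target

# Tom's six names, each a symlink to the single program.
for name in iptables iptables-save iptables-restore \
            ip6tables ip6tables-save ip6tables-restore; do
    ln -s xtables-multi "$DIR/$name"
done

# Invoke an applet through its symlink, e.g.: run_applet iptables -L -v
run_applet() {
    name=$1
    shift
    "$DIR/$name" "$@"
}

# What a name resolves to (cf. readlink /usr/sbin/iptables on CentOS 7).
link_target() {
    readlink "$DIR/$1"
}

# First ten characters of ls -ld, i.e. the mode string. On Linux a symlink
# always prints lrwxrwxrwx (jdow's "777"); only the target's bits are enforced.
mode_bits() {
    ls -ld "$1" | cut -c1-10
}

run_applet iptables -L -v
run_applet ip6tables-save
"$DIR/xtables-multi" iptables-restore
link_target iptables
mode_bits "$DIR/iptables"
mode_bits "$DIR/xtables-multi"
```

The execute bit on the real xtables-multi is set for everyone, so jdow could run it as an ordinary user; the "Permission denied (you must be root)" comes from the kernel refusing the netfilter socket operations, which need CAP_NET_ADMIN, not from the file mode.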


Re: Adventures with 7.2

2017-01-03 Thread jdow

On 2017-01-03 14:31, Tom H wrote:
> On Tue, Jan 3, 2017 at 3:11 PM, jdow  wrote:
>> On 2017-01-03 09:56, David Sommerseth wrote:
>>>
>>> Remember that firewalld provides an API over D-Bus for dynamic
>>> firewall updates, so this is kind of to "seal" the configuration
>>> without breaking any component depending on manipulating the firewall
>>> as the system is running. NetworkManager and libvirt are two
>>> components which adjusts the firewall on-the-fly, depending on which
>>> network you're connected to or which VMs have been started, and so on.
>>
>> That still leaves me mumbling and led me down a midget rabbit hole.
>> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
>> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
>> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
>> meself. (or is it me to iself? Whatever) Let's give that a try The
>> results are reassuring:
>> ===8<---
>> [jdow@whereever ~]$ xtables-multi iptables -L -v
>> iptables v1.4.21: can't initialize iptables table `filter': Permission
>> denied (you must be root)
>> Perhaps iptables or your kernel needs to be upgraded.
>> ===8<---
>> I guess the ancient philosophy of one task one command is passe' and
>> now a monstrosity like xtables-multi finds itself masquerading as
>> iptables and about a dozen other things.
>
> /usr/sbin/iptables-restore
> /usr/sbin/iptables-save
> /usr/sbin/iptables
> /usr/sbin/ip6tables-restore
> /usr/sbin/ip6tables-save
> /usr/sbin/ip6tables


Notice the command I issued. I started, of course, with something like 
xtables-multi -L -v as a first approximation. It coughed up a list of some 14 
different things it can be called as. That was not reassuring since I called it 
as a user rather than root. Then I tried the command listed. It failed but the 
message was informative enough. I, of course, escalated to prepending "sudo " to 
the command, giving my password as usual, and admired the results.



> are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
> binary, like busybox.


I was simply bemused that the old UNIX philosophy of one small task one command 
with results chained into the next command ad nauseam has finally been 
discovered to be silly and furthermore good sense is catching on past busybox. 
(I have the same attitude about "goto". (And despite dogma even at UniSys many 
see Dijkstra's pontification on the subject as flawed er and harmful. I live 
with one such.) {^_-}



> There are others.
>
> Off the top of my head, dnsdomainname, domainname, nisdomainname,
> ypdomainname are symlinks to hostname; halt, poweroff, reboot,
> shutdown are symlinks to systemctl; view is a symlink to vi; etc.


I hadn't dug that far. But, again, it makes sense in a weird sort of way. It is 
really an ultimate reuse of code, right? {^_-}



> It's normal for "iptables" to fail if you call it as jdow; but if you
> have polkit installed, "pkexec iptables" might work (depending on your
> polkit policies; "sudo ..." and "su -c ..." will work if you're
> authorized).


But of course. I've been using sudo for a very long time. (I don't remember if I 
did it with the real SVR4 machine I had. But certainly I've been using it from 
the first RH 5 or so - not RHEL or Fedora, Hurricane if my memory works tonight.)


If sudo didn't work I'd have made a scene about it, probably.

{^_^}