Please see https://bugzilla.redhat.com/show_bug.cgi?id=727648 for more info.

Shorewall executes some bash code like the following:

    while read address interface external haveroute; do
        qt $IP -4 neigh del proxy $address dev $external
        [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
        f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
        [ -f $f ] && echo 0 > $f
    done < ${VARDIR}/proxyarp

qt is defined as:

    qt()
    {
        "$@" >/dev/null 2>&1
    }

This can trigger some selinux denial messages because the /sbin/ip command has
read access via stdin to /var/lib/shorewall/proxyarp (which it doesn't really
need). I think the proper fix is to define qtnoin() as:

    qtnoin()
    {
        "$@" </dev/null >/dev/null 2>&1
    }

And use that where appropriate. I actually only see one instance where qt is
used in a pipe, but it is probably still clearer with qtnoin.

So, before I put a lot of effort into this, would a patch implementing this
change be accepted? Thoughts/concerns?

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
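The following is an added, stand-alone example (not Shorewall's own code) that shows what the message above is getting at: a command started inside a "while read ... done < file" loop inherits the loop's stdin, which is an open descriptor on that file. The qt and qtnoin helpers are copied from the post; greedy_cmd is a hypothetical stand-in for /sbin/ip that happens to read its stdin, and the three proxyarp-style lines are constructed sample input, not a real Shorewall state file.

```shell
#!/bin/sh
# Added example: why a quiet-run helper used inside "while read ... < file"
# should also redirect stdin. Helpers below are as defined in the post.

qt() {
    "$@" >/dev/null 2>&1
}

qtnoin() {
    "$@" </dev/null >/dev/null 2>&1
}

# Hypothetical stand-in for /sbin/ip: any child that reads stdin. Under qt it
# inherits fd 0 from the loop, i.e. an open descriptor on the proxyarp file
# (which is exactly what an SELinux policy would see /sbin/ip reading).
greedy_cmd() {
    cat >/dev/null
}

# Run a proxyarp-style loop over a constructed file, wrapping greedy_cmd with
# the helper named in $1, and print how many loop iterations actually ran.
count_with() {
    helper=$1
    tmp=$(mktemp)
    # Constructed sample lines: address interface external haveroute
    printf '10.0.0.1 eth1 eth0 yes\n10.0.0.2 eth1 eth0 yes\n10.0.0.3 eth1 eth0 no\n' > "$tmp"
    n=0
    while read address interface external haveroute; do
        n=$((n + 1))
        "$helper" greedy_cmd "$address" "$interface" "$external"
    done < "$tmp"
    rm -f "$tmp"
    echo "$n"
}

# Stand-alone demo: with qt the child swallows the rest of the file after the
# first line, so only 1 of 3 entries is processed; with qtnoin all 3 are.
echo "iterations with qt:     $(count_with qt)"
echo "iterations with qtnoin: $(count_with qtnoin)"
```

Besides the SELinux denial, this shows a second reason the redirect is worth having: any wrapped command that reads stdin silently consumes the remaining lines of the state file, so the loop stops early. Both helpers still return the wrapped command's exit status, so callers that test the result of qt keep working unchanged with qtnoin.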
On Aug 2, 2011, at 3:22 PM, Orion Poplawski wrote:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=727648 for more info.
>
> Shorewall executes some bash code like the following:
>
>     while read address interface external haveroute; do
>         qt $IP -4 neigh del proxy $address dev $external
>         [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
>         f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
>         [ -f $f ] && echo 0 > $f
>     done < ${VARDIR}/proxyarp
>
> qt is defined as:
>
>     qt()
>     {
>         "$@" >/dev/null 2>&1
>     }
>
> This can trigger some selinux denial messages because the /sbin/ip command has
> read access via stdin to /var/lib/shorewall/proxyarp (which it doesn't really
> need). I think the proper fix is to define qtnoin() as:
>
>     qtnoin()
>     {
>         "$@" </dev/null >/dev/null 2>&1
>     }
>
> And use that where appropriate. I actually only see one instance where qt is
> used in a pipe, but it is probably still clearer with qtnoin.
>
> So, before I put a lot of effort into this, would a patch implementing this
> change be accepted? Thoughts/concerns?

I'll be happy to accept a patch. Please look through both the Shorewall and
Shorewall6 directories and subdirectories to try to find any other places
where qtnoin() would be appropriate. And please make the patch against the
current GIT master.

Thanks!,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 08/02/2011 04:34 PM, Tom Eastep wrote:
> I'll be happy to accept a patch. Please look through both the Shorewall and
> Shorewall6 directories and subdirectories to try to find any other places
> where qtnoin() would be appropriate. And please make the patch against the
> current GIT master.

Great. First issues:

- shorewall6_is_started uses qt1, shorewall_is_started uses qt. Should both
  use qt1?
- should qt1 be changed to redirect input from /dev/null? My thought is yes.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com
On 08/02/2011 04:56 PM, Orion Poplawski wrote:
> On 08/02/2011 04:34 PM, Tom Eastep wrote:
>> I'll be happy to accept a patch. Please look through both the Shorewall and
>> Shorewall6 directories and subdirectories to try to find any other places
>> where qtnoin() would be appropriate. And please make the patch against the
>> current GIT master.
>
> Great. First issues:
>
> - shorewall6_is_started uses qt1, shorewall_is_started uses qt. Should both
>   use qt1?
> - should qt1 be changed to redirect input from /dev/null? My thought is yes.
>

here is my first draft.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com
Orion Poplawski wrote:
> On 08/02/2011 04:34 PM, Tom Eastep wrote:
>> I'll be happy to accept a patch. Please look through both the Shorewall and
>> Shorewall6 directories and subdirectories to try to find any other places
>> where qtnoin() would be appropriate. And please make the patch against the
>> current GIT master.
>
> Great. First issues:
>
> - shorewall6_is_started uses qt1, shorewall_is_started uses qt. Should both
>   use qt1?
> - should qt1 be changed to redirect input from /dev/null? My thought is yes.
>

I think 'Yes' to both.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Aug 2, 2011, at 4:10 PM, Orion Poplawski wrote:
> On 08/02/2011 04:56 PM, Orion Poplawski wrote:
>> On 08/02/2011 04:34 PM, Tom Eastep wrote:
>>> I'll be happy to accept a patch. Please look through both the Shorewall and
>>> Shorewall6 directories and subdirectories to try to find any other places
>>> where qtnoin() would be appropriate. And please make the patch against the
>>> current GIT master.
>>
>> Great. First issues:
>>
>> - shorewall6_is_started uses qt1, shorewall_is_started uses qt. Should both
>>   use qt1?
>> - should qt1 be changed to redirect input from /dev/null? My thought is yes.
>>
>
> here is my first draft.

Applied.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________