LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices



Reply
 
Search this Thread
Old 06-15-2014, 05:54 PM   #1
dpu
LQ Newbie
 
Registered: May 2014
Posts: 8

Rep: Reputation: Disabled
RHEL7 firewalld.


I'm playing with the RHEL7 RC (I know the RHEL7 GA is there, but CentOS 7 is not) and I'm coming across some problems with firewalld.
I wanted to install the HAProxy package and set up the firewall configuration.
But there is no HAProxy/firewalld configuration, I had to create it myself!
In addition, I discovered that all the firewalld service configurations are in the firewalld package (they are stored in /usr/lib/firewalld/services) and not in each package: the HAProxy package should contain its own firewalld configuration but this is not the case!
Finally, there seems to be no SELinux contexts associated with these firewalld service configurations.
I have no idea how this behaves in case of SELinux relabel!
This is pretty strange!
Has anybody got some clue about this?
 
Old 06-15-2014, 05:58 PM   #2
John VV
Guru
 
Registered: Aug 2005
Posts: 13,217

Rep: Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772
well rhel7 is so new that packages are not yet built

build from source and use rpmbuild to make a rpm

Quote:
Finally, there seems to be no SELinux contexts associated with these firewalld service configurations.
then as NORMAL
use "audit2allow" to make a rule

Last edited by John VV; 06-15-2014 at 05:59 PM.
 
Old 06-15-2014, 06:04 PM   #3
dpu
LQ Newbie
 
Registered: May 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
It's not only a practical problem, things don't seem to be correctly organized.
 
Old 06-15-2014, 07:08 PM   #4
John VV
Guru
 
Registered: Aug 2005
Posts: 13,217

Rep: Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772Reputation: 1772
well it is a "release candidate" ( rc ) after all

Quote:
things don't seem to be correctly organized.
as in ....
how is it " not organized " ?
 
Old 06-19-2014, 05:48 AM   #5
jensd
LQ Newbie
 
Registered: Jun 2014
Posts: 10

Rep: Reputation: Disabled
Maybe not what you're looking for but you can easily go back to iptables as follows:

yum install iptables-services

systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables

systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
 
Old 06-23-2014, 10:12 AM   #6
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,931

Rep: Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670Reputation: 2670
Quote:
Originally Posted by dpu View Post
I'm playing with the RHEL7 RC (I know the RHEL7 GA is there, but CentOS 7 is not) and I'm coming across some problems with firewalld.
I wanted to install the HAProxy package and set up the firewall configuration. But there is no HAProxy/firewalld configuration, I had to create it myself!
Right...including a base configuration would tell everyone who had RHEL7 what is done for everyone else, and expose vulnerabilities. By making you create a configuration, the system winds up being more secure.
Quote:
In addition, I discovered that all the firewalld service configurations are in the firewalld package (they are stored in /usr/lib/firewalld/services) and not in each package: the HAProxy package should contain its own firewalld configuration but this is not the case! Finally, there seems to be no SELinux contexts associated with these firewalld service configurations. I have no idea how this behaves in case of SELinux relabel! This is pretty strange!
Has anybody got some clue about this?
Yes, Red Hat does. Did you check their knowledgebase?
http://rhelblog.redhat.com/2014/01/2...ment/#more-150
https://access.redhat.com/site/sites...,d.cWc&cad=rja
https://access.redhat.com/site/node/...y_Threats.html

Since you're using RHEL, you're also paying for support; have you contacted them with your questions, or read the release notes on RHEL7? As JohnVV said, it's only a release candidate, but given what they did (and why), it's a good thing. Should make things better, I think, except for people who just want to get a 'certification', since they sample test/questions won't match for a good while.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
when is RHEL7 getting released? thirstonlinux Linux - Newbie 4 12-18-2013 03:01 AM
Fedora 18 firewalld specify source ip vonedaddy Fedora 2 06-18-2013 01:49 AM
firewalld sunveer Fedora 1 02-03-2013 04:41 PM
Permanent Configuration for firewalld wmakowski Fedora 1 01-24-2013 10:01 AM


All times are GMT -5. The time now is 07:37 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration