Please see https://bugzilla.redhat.com/show_bug.cgi?id=727648 for more info.
Shorewall executes some bash code like the following:
    while read address interface external haveroute; do
        qt $IP -4 neigh del proxy $address dev $external
        [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
        f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
        [ -f $f ] && echo 0 > $f
    done < ${VARDIR}/proxyarp
qt is defined as:
    qt()
    {
        "$@" >/dev/null 2>&1
    }
This can trigger some selinux denial messages because the /sbin/ip command has
read access via stdin to /var/lib/shorewall/proxyarp (which it doesn't really
need). I think the proper fix is to define qtnoin() as:
    qtnoin()
    {
        "$@" </dev/null >/dev/null 2>&1
    }
And use that where appropriate. I actually only see one instance where qt is
used in a pipe, but it is probably still clearer with qtnoin.
So, before I put a lot of effort into this, would a patch implementing this
change be accepted? Thoughts/concerns?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.cora.nwra.com
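The stdin inheritance described in the post, as an added example that is not Shorewall's own code: the loop below mirrors the proxyarp loop, but the child run through qt or qtnoin is a hypothetical helper that reads its stdin in place of /sbin/ip, and the proxyarp-style records are constructed here.

```shell
# Added example, not Shorewall's code. A command run through qt inside
# "while read ... done < file" inherits that file on stdin (which is what
# SELinux sees when /sbin/ip holds a read fd to proxyarp); qtnoin hands the
# child /dev/null instead. Records and file name are constructed.

qt()
{
    "$@" >/dev/null 2>&1
}

qtnoin()
{
    "$@" </dev/null >/dev/null 2>&1
}

# Hypothetical stand-in for "$IP -4 neigh del ...": a child that reads its
# stdin, so any leaked loop input is visibly consumed.
consume_stdin()
{
    cat
}

# Constructed proxyarp-style records: address interface external haveroute
make_proxyarp_file()
{
    tmp=$(mktemp)
    printf '%s\n' \
        '10.0.0.5 eth1 eth0 -' \
        '10.0.0.6 eth1 eth0 yes' \
        '10.0.0.7 eth1 eth0 -' > "$tmp"
    echo "$tmp"
}

# Run the Shorewall-style loop through the given wrapper (qt or qtnoin) and
# print how many records the loop body actually saw.
count_processed()
{
    wrapper=$1
    file=$(make_proxyarp_file)
    n=0
    while read address interface external haveroute; do
        $wrapper consume_stdin
        n=$((n + 1))
    done < "$file"
    rm -f "$file"
    echo "$n"
}
count_processed qt       # → 1: cat swallowed the remaining records
count_processed qtnoin   # → 3: stdin was /dev/null, every record processed
```

With qt the child not only shows up to SELinux holding the loop's file, it can also eat the rest of the loop's input; qtnoin removes both effects.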
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users