On Aug 2, 2011, at 3:22 PM, Orion Poplawski wrote:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=727648 for more info.
>
> Shorewall executes some bash code like the following:
>
> while read address interface external haveroute; do
>     qt $IP -4 neigh del proxy $address dev $external
>     [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
>     f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
>     [ -f $f ] && echo 0 > $f
> done < ${VARDIR}/proxyarp
>
> qt is defined as:
>
> qt()
> {
>     "$@" >/dev/null 2>&1
> }
>
> This can trigger some SELinux denial messages because the /sbin/ip command has
> read access via stdin to /var/lib/shorewall/proxyarp (which it doesn't really
> need). I think the proper fix is to define qtnoin() as:
>
> qtnoin()
> {
>     "$@" </dev/null >/dev/null 2>&1
> }
>
> And use that where appropriate. I actually only see one instance where qt is
> used in a pipe, but it is probably still clearer with qtnoin.
>
> So, before I put a lot of effort into this, would a patch implementing this
> change be accepted? Thoughts/concerns?

I'll be happy to accept a patch. Please look through both the Shorewall and
Shorewall6 directories and subdirectories to try to find any other places
where qtnoin() would be appropriate. And please make the patch against the
current GIT master.

Thanks!,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
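
The descriptor inheritance discussed in this thread, as an added example that is not part of the original messages or of Shorewall's code: `qt` and `qtnoin` are copied from the quoted post, while `probe`, `run_loop`, `PROBE_LOG` and the sample records are constructed for illustration. `probe` is a hypothetical stand-in for `/sbin/ip` that, unlike `ip`, actually reads from its inherited stdin so the inherited access becomes observable.

```bash
#!/bin/bash
# qt and qtnoin exactly as quoted in the thread.
qt()     { "$@" >/dev/null 2>&1; }
qtnoin() { "$@" </dev/null >/dev/null 2>&1; }

# Hypothetical stand-in for /sbin/ip: a child process that tries to read one
# line from whatever stdin it inherited. It logs to $PROBE_LOG because qt
# and qtnoin both discard stdout.
probe() {
    PROBE_LOG="$PROBE_LOG" sh -c '
        if IFS= read -r line; then echo "leak: $line"; else echo "nothing"; fi >>"$PROBE_LOG"'
}

# Run the loop shape from the thread with the given wrapper over a constructed
# proxyarp-style file. Prints "<records seen by loop> <lines read by child>".
run_loop() {
    local wrapper="$1" dir count=0 leaks address interface external haveroute
    dir=$(mktemp -d) || return 1
    PROBE_LOG="$dir/probe.log"
    : >"$PROBE_LOG"
    # Constructed sample records (documentation addresses).
    printf '%s\n' \
        '192.0.2.10 eth1 eth0 no' \
        '192.0.2.11 eth1 eth0 no' \
        '192.0.2.12 eth1 eth0 no' \
        '192.0.2.13 eth1 eth0 no' >"$dir/proxyarp"
    while read -r address interface external haveroute; do
        count=$((count + 1))
        "$wrapper" probe "$address" "$external"
    done <"$dir/proxyarp"
    leaks=$(grep -c '^leak:' "$PROBE_LOG" || true)
    rm -rf "$dir"
    echo "$count $leaks"
}

echo "qt:     $(run_loop qt)"      # child reads the loop's input file
echo "qtnoin: $(run_loop qtnoin)"  # child sees only /dev/null
```

With `qt` the loop processes only two of the four records because the child consumed the other two through the inherited descriptor; with `qtnoin` the loop processes all four and the child reads nothing.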
