rpms/system-config-securitylevel/F-7 system-config-securitylevel-1.7.0-icmp6.patch, NONE, 1.1 system-config-securitylevel-1.7.0-ipv6header.patch, NONE, 1.1 system-config-securitylevel-1.7.0-nfs4.patch, NONE, 1.1 system-config-securitylevel-1.7.0-restart.patch, NONE, 1.1 system-config-securitylevel.spec, 1.98, 1.99

Thomas Woerner (twoerner) fedora-extras-commits at redhat.com
Tue Nov 6 13:59:36 UTC 2007


Author: twoerner

Update of /cvs/pkgs/rpms/system-config-securitylevel/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11823

Modified Files:
	system-config-securitylevel.spec 
Added Files:
	system-config-securitylevel-1.7.0-icmp6.patch 
	system-config-securitylevel-1.7.0-ipv6header.patch 
	system-config-securitylevel-1.7.0-nfs4.patch 
	system-config-securitylevel-1.7.0-restart.patch 
Log Message:
- restart ipXtables in lokkit instead of start only (rhbz#337861)
- use ipv6header match for protocols (rhbz#303851)
- use icmp6-adm-prohibited as reject type (rhbz#250915)
- using ipv6-icmp instead of icmpv6
- nfs4 also opens 2049/udp (rhbz#250916)



system-config-securitylevel-1.7.0-icmp6.patch:

--- NEW FILE system-config-securitylevel-1.7.0-icmp6.patch ---
diff -up system-config-securitylevel-1.7.0/src/lokkit.c.icmp6 system-config-securitylevel-1.7.0/src/lokkit.c
--- system-config-securitylevel-1.7.0/src/lokkit.c.icmp6	2007-11-06 14:12:08.000000000 +0100
+++ system-config-securitylevel-1.7.0/src/lokkit.c	2007-11-06 14:12:09.000000000 +0100
@@ -1039,7 +1039,7 @@ int write_firewall6(char **devs, char **
 		fprintf(fw, "-A %s -i %s -j ACCEPT\n", CHAIN_NAME, devs[i]);
 
 	/* Allow ICMP. */
-	fprintf(fw, "-A %s -p icmpv6 -j ACCEPT\n", CHAIN_NAME);
+	fprintf(fw, "-A %s -p ipv6-icmp -j ACCEPT\n", CHAIN_NAME);
 
 	/* Allow IPSec traffic. This matches Lokkit 0.50 behavior and seems reasonable. */
 	fprintf(fw, "-A %s -m ipv6header --header 50 -j ACCEPT\n", CHAIN_NAME);
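Review bot: The renamed `-p ipv6-icmp` rule still accepts every ICMPv6 type unconditionally, and neither the code nor the log message says why the protocol name changed or why the accept is that broad, so the next maintainer may be tempted to narrow it. If the ip6tables shipped on the target resolves both spellings (the older `icmpv6` is an ip6tables-internal alias; `ipv6-icmp` is the /etc/protocols name for 58) the rename is cosmetic, but that deserves confirming against ip6tables-restore as well. Suggest replacing `/* Allow ICMP. */` with `/* Allow all ICMPv6 (proto 58, "ipv6-icmp" in /etc/protocols): Neighbor Discovery, MLD and PMTUD stop working if this is filtered. */`. write_firewall6() starts before and ends after this hunk.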
@@ -1066,8 +1066,8 @@ int write_firewall6(char **devs, char **
         }
 
 
-	fprintf(fw, "-A %s -j REJECT --reject-with icmp6-port-unreachable\n", CHAIN_NAME);
-	fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp6-port-unreachable\n");
+	fprintf(fw, "-A %s -j REJECT --reject-with icmp6-adm-prohibited\n", CHAIN_NAME);
+	fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited\n");
 
 	/* The nat table has not yet been implemented for ipv6. 
 	   The following should be uncommented when it has
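Review bot: The two REJECT lines now answer with ICMPv6 type 1 code 1 (administratively prohibited), which is the honest code for a policy reject, but the reason is recorded only as a bug number, so add a why-comment above them such as `/* adm-prohibited (RFC 4443 type 1, code 1) tells the sender this is policy, not an absent listener as port-unreachable (code 4) would. */`. Note also that the FORWARD rule rejects unconditionally, so a host that forwards will emit a (kernel rate-limited) ICMPv6 error for every refused transit packet, including ones with spoofed sources; if that chain is meant to be silent, `-j DROP` is the alternative, a decision worth stating rather than necessarily changing. The enclosing write_firewall6() continues past the hunk.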

system-config-securitylevel-1.7.0-ipv6header.patch:

--- NEW FILE system-config-securitylevel-1.7.0-ipv6header.patch ---
diff -up system-config-securitylevel-1.7.0/src/lokkit.c.ipv6header system-config-securitylevel-1.7.0/src/lokkit.c
--- system-config-securitylevel-1.7.0/src/lokkit.c.ipv6header	2007-11-06 13:48:38.000000000 +0100
+++ system-config-securitylevel-1.7.0/src/lokkit.c	2007-11-06 13:49:20.000000000 +0100
@@ -1042,8 +1042,8 @@ int write_firewall6(char **devs, char **
 	fprintf(fw, "-A %s -p icmpv6 -j ACCEPT\n", CHAIN_NAME);
 
 	/* Allow IPSec traffic. This matches Lokkit 0.50 behavior and seems reasonable. */
-	fprintf(fw, "-A %s -p 50 -j ACCEPT\n", CHAIN_NAME);
-	fprintf(fw, "-A %s -p 51 -j ACCEPT\n", CHAIN_NAME);
+	fprintf(fw, "-A %s -m ipv6header --header 50 -j ACCEPT\n", CHAIN_NAME);
+	fprintf(fw, "-A %s -m ipv6header --header 51 -j ACCEPT\n", CHAIN_NAME);
 
 	/* Allow mDNS. */
 	fprintf(fw, "-A %s -p udp --dport 5353 -d ff02::fb -j ACCEPT\n", CHAIN_NAME);
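Review bot: `-m ipv6header --header 50` without `--soft` matches, per the ip6tables man page, packets whose extension-header set is exactly the one listed, so an ESP or AH packet that also carries, say, a hop-by-hop or destination-options header would no longer match here and would fall through to the final REJECT; if the intent is "any packet carrying AH/ESP", `--soft` is the documented way to say so — confirm against the ip6tables version F-7 ships before changing it. Whichever mode is intended, the rule needs a why-comment because the log message gives only a bug number, e.g. `/* IPsec: match AH/ESP as IPv6 extension headers; ip6tables -p only sees the upper-layer protocol. */` above the two lines. write_firewall6() starts and ends outside the hunk.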

system-config-securitylevel-1.7.0-nfs4.patch:

--- NEW FILE system-config-securitylevel-1.7.0-nfs4.patch ---
diff -up system-config-securitylevel-1.7.0/src/lokkit.c.nfs4 system-config-securitylevel-1.7.0/src/lokkit.c
--- system-config-securitylevel-1.7.0/src/lokkit.c.nfs4	2007-11-06 14:14:39.000000000 +0100
+++ system-config-securitylevel-1.7.0/src/lokkit.c	2007-11-06 14:14:43.000000000 +0100
@@ -865,6 +865,7 @@ void runInterface() {
 
 	if (nfs_state == '*') {
 		add_port(strdup("2049:tcp"));
+		add_port(strdup("2049:udp"));
 	}
 	
 	answer = newtRadioGetCurrent(enabled_rb);
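Review bot: The added `add_port(strdup("2049:udp"))` opens UDP for a service the UI labels NFS4, but NFSv4 is specified for congestion-controlled transports (TCP), so 2049/udp is only reached by NFSv3-style mounts and this widens exposure beyond what the label promises; the reason belongs in a comment on the new line, `/* 2049/udp: NFSv3 over UDP (rhbz#250916); NFSv4 itself only uses TCP. */`. The new line also follows the existing pattern of passing an unchecked strdup() result into add_port(); whether add_port() tolerates NULL is not visible here. runInterface() starts before and ends after this hunk.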
diff -up system-config-securitylevel-1.7.0/src/securitylevel.py.nfs4 system-config-securitylevel-1.7.0/src/securitylevel.py
--- system-config-securitylevel-1.7.0/src/securitylevel.py.nfs4	2007-11-06 14:15:56.000000000 +0100
+++ system-config-securitylevel-1.7.0/src/securitylevel.py	2007-11-06 14:15:57.000000000 +0100
@@ -99,7 +99,8 @@ class childWindow:
                                     ports=[("ftp", "tcp")],
                                     modules=["ip_conntrack_ftp"]),
                             Service(name="nfs", description="NFS4",
-                                    ports=[("nfs", "tcp")]),
+                                    ports=[("nfs", "tcp"),
+                                           ("nfs", "udp")]),
                             Service(name="https", description=_("Secure WWW (HTTPS)"),
                                     ports=[("https", "tcp")]),
                             Service(name="smtp", description=_("Mail (SMTP)"),
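Review bot: The ports list of the service described as "NFS4" now contains ("nfs", "udp"), which contradicts the user-facing label: NFSv4 runs over TCP only, and the UDP port serves NFSv3 mounts, so a user ticking "NFS4" opens more than the name suggests. Either widen the label to match, e.g. `Service(name="nfs", description=_("NFS (v3/v4)"),`, or put a comment on the udp entry saying it exists for NFSv3 clients (rhbz#250916). The neighbouring descriptions are wrapped in `_()` for translation while this one is a bare string; touching the label is the moment to fix that too. The childWindow class body continues outside the hunk.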

system-config-securitylevel-1.7.0-restart.patch:

--- NEW FILE system-config-securitylevel-1.7.0-restart.patch ---
diff -up system-config-securitylevel-1.7.0/src/lokkit.c.restart system-config-securitylevel-1.7.0/src/lokkit.c
--- system-config-securitylevel-1.7.0/src/lokkit.c.restart	2007-11-06 11:50:03.000000000 +0100
+++ system-config-securitylevel-1.7.0/src/lokkit.c	2007-11-06 11:50:05.000000000 +0100
@@ -1000,7 +1000,7 @@ int write_firewall(char **devs, char **m
 		sprintf(buffer,"/sbin/modprobe iptables >/dev/null 2>&1");
 		system(buffer);
 
-		sprintf(buffer, "/sbin/service iptables start >/dev/null 2>&1");
+		sprintf(buffer, "/sbin/service iptables restart >/dev/null 2>&1");
 		system(buffer);
 	}
 	return 0;
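Review bot: The switch to `restart` makes an unchecked failure more dangerous than before: the exit status of `system(buffer)` on the line after the changed sprintf is still discarded, its output goes to /dev/null, and the function returns 0 regardless, so if the init script's stop half runs but the start half fails to load the freshly written rules (for instance a bad line in the generated file) lokkit reports success while the host is left with flushed rules — presumably with policy ACCEPT under the Fedora init script; confirm. Suggest `if (system(buffer) != 0) { fprintf(stderr, "iptables restart failed\n"); return 1; }`, on the assumption that callers act on a non-zero return, which is not visible here. write_firewall() begins before the hunk.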
@@ -1103,7 +1103,7 @@ int write_firewall6(char **devs, char **
 		sprintf(buffer,"/sbin/modprobe ip6_tables >/dev/null 2>&1");
 		system(buffer);
 
-		sprintf(buffer, "/sbin/service ip6tables start >/dev/null 2>&1");
+		sprintf(buffer, "/sbin/service ip6tables restart >/dev/null 2>&1");
 		system(buffer);
 	}	
 	return 0;
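Review bot: The `service ip6tables restart` result from `system(buffer)` is dropped and write_firewall6() returns 0 unconditionally, so a restart that tears down the old IPv6 rules but fails to load the new ones goes unreported and leaves the host in whatever state the init script's stop action produces. Suggest `if (system(buffer) != 0) { fprintf(stderr, "ip6tables restart failed\n"); return 1; }`, assuming the callers check the return value, which this hunk does not show. The function body begins before the hunk.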


Index: system-config-securitylevel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/system-config-securitylevel/F-7/system-config-securitylevel.spec,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- system-config-securitylevel.spec	2 Aug 2007 08:54:03 -0000	1.98
+++ system-config-securitylevel.spec	6 Nov 2007 13:59:03 -0000	1.99
@@ -1,7 +1,7 @@
 Summary: A graphical interface for modifying the system security level
 Name: system-config-securitylevel
 Version: 1.7.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://fedoraproject.org/wiki/SystemConfig/securitylevel
 License: GPL
 ExclusiveOS: Linux
@@ -15,6 +15,10 @@
 Patch3: system-config-securitylevel-1.7.0-dirty.patch
 Patch4: system-config-securitylevel-1.7.0-desktopfile.patch
 Patch5: system-config-securitylevel-1.7.0-disable.patch
+Patch6: system-config-securitylevel-1.7.0-restart.patch
+Patch7: system-config-securitylevel-1.7.0-ipv6header.patch
+Patch8: system-config-securitylevel-1.7.0-icmp6.patch
+Patch9: system-config-securitylevel-1.7.0-nfs4.patch
 BuildRequires: desktop-file-utils newt-devel slang-devel popt
 BuildRequires: gettext
 BuildRequires: intltool
@@ -53,6 +57,10 @@
 %patch3 -p1 -b .dirty
 %patch4 -p1 -b .desktopfile
 %patch5 -p1 -b .disable
+%patch6 -p1 -b .restart
+%patch7 -p1 -b .ipv6header
+%patch8 -p1 -b .icmp6
+%patch9 -p1 -b .nfs4
 
 %build
 make
@@ -105,6 +113,13 @@
 /usr/bin/system-config-securitylevel-tui
 
 %changelog
+* Tue Nov  6 2007 Thomas Woerner <twoerner at redhat.com> 1.7.0-6
+- restart ipXtables in lokkit instead of start only (rhbz#337861)
+- use ipv6header match for protocols (rhbz#303851)
+- use icmp6-adm-prohibited as reject type (rhbz#250915)
+- using ipv6-icmp instead of icmpv6
+- nfs4 also opens 2049/udp (rhbz#250916)
+
 * Thu Aug  2 2007 Thomas Woerner <twoerner at redhat.com> 1.7.0-5
 - rebuild for F-7
 



