rpms/firewalld
7
0
Fork 0
Code Issues Pull Requests Releases Activity

remove Fedora cruft

Browse Source
This commit is contained in:
Eric Garver 2024-04-15 16:25:36 -04:00
parent 45946aff0e
commit eb7f71d394
6 changed files with 114 additions and 1697 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch Normal file
View File

@ -0,0 +1,112 @@
From f113f17734cfb964bd2b72f233c48e650e205cb9 Mon Sep 17 00:00:00 2001
From: Eric Garver <egarver@redhat.com>
Date: Tue, 25 May 2021 13:31:41 -0400
Subject: [PATCH 1/4] RHEL only: Add cockpit by default to some zones
Fixes: #1581578
---
config/zones/home.xml | 1 +
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/features/startup_failsafe.at | 1 +
src/tests/functions.at | 20 ++++++++++++++++++++
6 files changed, 25 insertions(+)
diff --git a/config/zones/home.xml b/config/zones/home.xml
index d73c9bdb16b6..33064688367e 100644
--- a/config/zones/home.xml
+++ b/config/zones/home.xml
@@ -6,5 +6,6 @@
<service name="mdns"/>
<service name="samba-client"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/internal.xml b/config/zones/internal.xml
index 053c18ccda8b..852b16ad94dd 100644
--- a/config/zones/internal.xml
+++ b/config/zones/internal.xml
@@ -6,5 +6,6 @@
<service name="mdns"/>
<service name="samba-client"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/public.xml b/config/zones/public.xml
index 49fc4c20af52..62bc751de448 100644
--- a/config/zones/public.xml
+++ b/config/zones/public.xml
@@ -4,5 +4,6 @@
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/work.xml b/config/zones/work.xml
index f1a14a9b4682..27b54a7783c4 100644
--- a/config/zones/work.xml
+++ b/config/zones/work.xml
@@ -4,5 +4,6 @@
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at
index 3cdf7c3c307a..b9401d460114 100644
--- a/src/tests/features/startup_failsafe.at
+++ b/src/tests/features/startup_failsafe.at
@@ -20,6 +20,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 accept
ip6 daddr fe80::/64 udp dport 546 accept
+ tcp dport 9090 accept
tcp dport 443 accept
}
}
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 244d24686c86..ad3462c6715f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -128,6 +128,14 @@ m4_define([FWD_START_TEST], [
fi
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
+ AT_KEYWORDS(offline)
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_OFFLINE_CHECK([--zone home --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone internal --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore])
], [
dnl set the appropriate backend
AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
@@ -259,6 +267,18 @@ m4_define([FWD_START_TEST], [
])
FWD_START_FIREWALLD
+
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_CHECK([--permanent --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone work --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone work --remove-service cockpit], 0, [ignore])
])
])
--
2.39.3

9
FedoraServer.xml
View File

@ -1,9 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<forward/>
</zone>

11
FedoraWorkstation.xml
View File

@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Fedora Workstation</short>
<description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="samba-client"/>
<port protocol="udp" port="1025-65535"/>
<port protocol="tcp" port="1025-65535"/>
<forward/>
</zone>

42
fedora-only-MDNS-default.patch
View File

@ -1,42 +0,0 @@
From f8d7af68530d8a9aa0c972911d489fcd72a5ef74 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones
* MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.
* Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.
* See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
---
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
2 files changed, 2 insertions(+)
diff --git a/config/zones/public.xml b/config/zones/public.xml
index 49fc4c20af52..95433962c259 100644
--- a/config/zones/public.xml
+++ b/config/zones/public.xml
@@ -3,6 +3,7 @@
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
<forward/>
</zone>
diff --git a/config/zones/work.xml b/config/zones/work.xml
index f1a14a9b4682..eaf509023137 100644
--- a/config/zones/work.xml
+++ b/config/zones/work.xml
@@ -3,6 +3,7 @@
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
<forward/>
</zone>
--
2.31.1

1619
firewalld.spec
View File

File diff suppressed because it is too large Load Diff

18
org.fedoraproject.FirewallD1.desktop.rules.choice
View File

@ -1,18 +0,0 @@
// firewalld authorizations/policy for the wheel group.
//
// DO NOT EDIT THIS FILE, it will be overwritten on update.
//
// Allow users in the wheel group to use firewalld without being
// interrupted by a password dialog
polkit.addRule(function(action, subject) {
if ((action.id == "org.fedoraproject.FirewallD1.config" ||
action.id == "org.fedoraproject.FirewallD1.direct" ||
action.id == "org.fedoraproject.FirewallD1.ipset" ||
action.id == "org.fedoraproject.FirewallD1.policy" ||
action.id == "org.fedoraproject.FirewallD1.zone") &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});