SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: David Sommerseth <[log in to unmask]>
Reply To:
Date: Tue, 3 Jan 2017 18:56:16 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (42 lines)

On 03/01/17 05:59, jdow wrote:
> On 2017-01-02 18:40, Tom H wrote:
>> On Mon, Jan 2, 2017 at 5:06 PM, jdow <[log in to unmask]> wrote:
> ...
>>>   Erasing    : firewalld-0.4.3.2-8.el7.noarch
>>> 7/7
>>> warning: /etc/firewalld/lockdown-whitelist.xml saved as
>>> /etc/firewalld/lockdown-whitelist.xml.rpmsave
>>>
>>> That smells amusing and puzzling but not dangerous to me.
>>
>> So it's not fully or properly installed, :) and :(
> 
> ...
> 
> One wonders about the missing EULA info.
> 
> The lockdown-whitelist thing is more or less a "but why?" component.

Lockdown in firewalld jargon is more like "which component/user may
modify the firewall if the firewall configuration has been locked down".

When firewalld is set into locked-down mode, no one is able to
manipulate the firewall.  Otherwise, anyone granted admin privileges (as
defined in the PolicyKit policy for the firewalld component) may
manipulate the firewall.  So it tightens the access, regardless of
whether PolicyKit grants access.  The default policy has uid=0,
firewall-config, NetworkManager and libvirtd in this whitelist.

Remember that firewalld provides an API over D-Bus for dynamic firewall
updates, so this is kind of to "seal" the configuration without breaking
any component depending on manipulating the firewall as the system is
running.  NetworkManager and libvirt are two components which adjust
the firewall on-the-fly, depending on which network you're connected to
or which VMs have been started, and so on.


-- 
kind regards,

David Sommerseth
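As an added illustration of the lockdown behaviour described in the message above (this is example code, not part of the original post or of firewalld itself): a small parser for the lockdown-whitelist.xml format plus a model of the access decision, where PolicyKit decides in normal mode and, with lockdown on, only whitelisted callers get through regardless of PolicyKit. The sample whitelist is constructed to match the defaults the message lists (uid 0, firewall-config, NetworkManager, libvirtd); the SELinux contexts and command path in it are assumed values.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the format of /etc/firewalld/lockdown-whitelist.xml;
# entries mirror the defaults the message names (values are assumed, not copied).
SAMPLE_WHITELIST = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-config"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>
"""


@dataclass
class Whitelist:
    """Who may still change the firewall while lockdown is on."""
    commands: set = field(default_factory=set)   # full command lines
    contexts: set = field(default_factory=set)   # SELinux contexts of callers
    uids: set = field(default_factory=set)       # numeric user ids
    users: set = field(default_factory=set)      # user names


def parse_whitelist(xml_text: str) -> Whitelist:
    """Parse a lockdown whitelist document into a Whitelist."""
    root = ET.fromstring(xml_text)
    if root.tag != "whitelist":
        raise ValueError("root element must be <whitelist>, got <%s>" % root.tag)
    wl = Whitelist()
    for el in root:
        if el.tag == "command":
            wl.commands.add(el.attrib["name"])
        elif el.tag == "selinux":
            wl.contexts.add(el.attrib["context"])
        elif el.tag == "user" and "id" in el.attrib:
            wl.uids.add(int(el.attrib["id"]))
        elif el.tag == "user" and "name" in el.attrib:
            wl.users.add(el.attrib["name"])
        else:
            raise ValueError("unsupported whitelist entry: <%s>" % el.tag)
    return wl


def may_modify(wl: Whitelist, lockdown_on: bool, polkit_granted: bool,
               uid=None, user=None, command=None, context=None) -> bool:
    """Model of the decision: PolicyKit must grant access; with lockdown on,
    the caller must additionally match a whitelist entry."""
    if not polkit_granted:
        return False
    if not lockdown_on:
        return True
    return (uid in wl.uids or user in wl.users
            or command in wl.commands or context in wl.contexts)
```

With the sample above, a PolicyKit-authorised uid 1000 caller is allowed only while lockdown is off, whereas uid 0 or a caller running in the NetworkManager context keeps access once lockdown is turned on.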
