SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Tue, 3 Jan 2017 17:31:58 -0500
On Tue, Jan 3, 2017 at 3:11 PM, jdow <[log in to unmask]> wrote:
> On 2017-01-03 09:56, David Sommerseth wrote:
>>
>> Remember that firewalld provides an API over D-Bus for dynamic
>> firewall updates, so this is kind of to "seal" the configuration
>> without breaking any component depending on manipulating the firewall
>> as the system is running. NetworkManager and libvirt are two
>> components which adjust the firewall on-the-fly, depending on which
>> network you're connected to or which VMs have been started, and so on.
>
> That still leaves me mumbling and led me down a midget rabbit hole.
> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
> meself. (or is it me to iself? Whatever) Let's give that a try.... The
> results are reassuring:
> ===8<---
> [jdow@whereever ~]$ xtables-multi iptables -L -v
> iptables v1.4.21: can't initialize iptables table `filter': Permission
> denied (you must be root)
> Perhaps iptables or your kernel needs to be upgraded.
> ===8<---
> I guess the ancient philosophy of one task one command is passé and
> now a monstrosity like xtables-multi finds itself masquerading as
> iptables and about a dozen other things.

/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/iptables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/ip6tables

are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
binary, like busybox.

There are others.

Off the top of my head, dnsdomainname, domainname, nisdomainname,
ypdomainname are symlinks to hostname; halt, poweroff, reboot,
shutdown are symlinks to systemctl; view is a symlink to vi; etc.

It's normal for "iptables" to fail if you call it as jdow; but if you
have polkit installed, "pkexec iptables" might work (depending on your
polkit policies; "sudo ..." and "su -c ..." will work if you're
authorized).
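As an added illustration (my own code, not anything from xtables, busybox or the thread), here is a minimal multi-call dispatcher in C that mirrors what jdow observed: reached through a symlink it takes its applet from argv[0], called by its own name it takes the applet from argv[1]. The applet table uses the symlink names listed above; MULTI_NAME, the needs_root flag and the "you must be root" stand-in are constructed for the demo.

```c
/* Added demo, not xtables code: how a multi-call binary such as xtables-multi
 * or busybox picks its "applet".  Table, flag and MULTI_NAME are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MULTI_NAME "xtables-multi"
struct applet { const char *name; int needs_root; };
static const struct applet applets[] = {   /* symlink names from the message */
    { "iptables", 1 }, { "iptables-save", 1 }, { "iptables-restore", 1 },
    { "ip6tables", 1 }, { "ip6tables-save", 1 }, { "ip6tables-restore", 1 },
};
static const char *last_component(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;   /* "/usr/sbin/iptables" -> "iptables" */
}
/* Pick the applet from argv[0] (the symlink name) or, when called by the
 * binary's own name, from argv[1].  *shift = argv entries the applet skips. */
const char *resolve_applet(const char *argv0, const char *argv1, int *shift) {
    const char *name = last_component(argv0);
    *shift = 0;
    if (strcmp(name, MULTI_NAME) == 0) {
        if (argv1 == NULL) return NULL;    /* no applet named: nothing to run */
        name = argv1;
        *shift = 1;
    }
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0)
            return applets[i].name;
    return NULL;                           /* unknown applet */
}
/* Real iptables does no euid check itself: the kernel refuses its netfilter
 * socket calls without CAP_NET_ADMIN, hence "Permission denied (you must be
 * root)" above.  This constructed flag stands in for that kernel refusal. */
int needs_root(const char *applet) {
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, applet) == 0)
            return applets[i].needs_root;
    return 0;
}
int main(int argc, char **argv) {
    int shift;
    const char *applet = resolve_applet(argv[0], argc > 1 ? argv[1] : NULL, &shift);
    if (!applet) { fprintf(stderr, "%s: no such applet\n", argv[0]); return 2; }
    if (needs_root(applet) && geteuid() != 0) {
        fprintf(stderr, "%s: Permission denied (you must be root)\n", applet);
        return 1;
    }
    printf("would run %s with %d argument(s)\n", applet, argc - 1 - shift);
    return 0;
}
```

Build it as xtables-multi and symlink iptables to it: `./iptables -L` and `./xtables-multi iptables -L` resolve to the same applet, and the symlink's own mode bits (the 777 above) play no part, since the kernel only consults the target's permissions.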
