Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

5.16. Configuring Firewall Lockdown

Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications or only applications that are added to the lockdown whitelist are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.

5.16.1. Configuring Lockdown with the Command-Line Client
Copiar o link

To query whether lockdown is enabled, use the following command as root: 
~]# firewall-cmd --query-lockdown
Copy to Clipboard Toggle word wrap
The command prints yes with exit status 0 if lockdown is enabled. It prints no with exit status 1 otherwise.
To enable lockdown, enter the following command as root: 
~]# firewall-cmd --lockdown-on
Copy to Clipboard Toggle word wrap
To disable lockdown, use the following command as root: 
~]# firewall-cmd --lockdown-off
Copy to Clipboard Toggle word wrap

5.16.2. Configuring Lockdown Whitelist Options with the Command-Line Client
Copiar o link

The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk *, then all command lines starting with that command will match. If the * is not there then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use the following command: 
~]$ ps -e --context
Copy to Clipboard Toggle word wrap
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example: 
~]$ ps -e --context | grep example_programps -e --context | grep example_program
Copy to Clipboard Toggle word wrap
To list all command lines that are on the whitelist, enter the following command as root: 
~]# firewall-cmd --list-lockdown-whitelist-commands
Copy to Clipboard Toggle word wrap
To add a command command to the whitelist, enter the following command as root: 
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Copy to Clipboard Toggle word wrap
To remove a command command from the whitelist, enter the following command as root: 
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Copy to Clipboard Toggle word wrap
To query whether the command command is on the whitelist, enter the following command as root: 
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Copy to Clipboard Toggle word wrap
The command prints yes with exit status 0 if true. It prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root: 
~]# firewall-cmd --list-lockdown-whitelist-contexts
Copy to Clipboard Toggle word wrap
To add a context context to the whitelist, enter the following command as root: 
~]# firewall-cmd --add-lockdown-whitelist-context=contextfirewall-cmd --add-lockdown-whitelist-context=context
Copy to Clipboard Toggle word wrap
To remove a context context from the whitelist, enter the following command as root: 
~]# firewall-cmd --remove-lockdown-whitelist-context=contextfirewall-cmd --remove-lockdown-whitelist-context=context
Copy to Clipboard Toggle word wrap
To query whether the context context is on the whitelist, enter the following command as root: 
~]# firewall-cmd --query-lockdown-whitelist-context=contextfirewall-cmd --query-lockdown-whitelist-context=context
Copy to Clipboard Toggle word wrap
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root: 
~]# firewall-cmd --list-lockdown-whitelist-uids
Copy to Clipboard Toggle word wrap
To add a user ID uid to the whitelist, enter the following command as root: 
~]# firewall-cmd --add-lockdown-whitelist-uid=uidfirewall-cmd --add-lockdown-whitelist-uid=uid
Copy to Clipboard Toggle word wrap
To remove a user ID uid from the whitelist, enter the following command as root: 
~]# firewall-cmd --remove-lockdown-whitelist-uid=uidfirewall-cmd --remove-lockdown-whitelist-uid=uid
Copy to Clipboard Toggle word wrap
To query whether the user ID uid is on the whitelist, enter the following command: 
~]$ firewall-cmd --query-lockdown-whitelist-uid=uidfirewall-cmd --query-lockdown-whitelist-uid=uid
Copy to Clipboard Toggle word wrap
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root: 
~]# firewall-cmd --list-lockdown-whitelist-users
Copy to Clipboard Toggle word wrap
To add a user name user to the whitelist, enter the following command as root: 
~]# firewall-cmd --add-lockdown-whitelist-user=userfirewall-cmd --add-lockdown-whitelist-user=user
Copy to Clipboard Toggle word wrap
To remove a user name user from the whitelist, enter the following command as root: 
~]# firewall-cmd --remove-lockdown-whitelist-user=userfirewall-cmd --remove-lockdown-whitelist-user=user
Copy to Clipboard Toggle word wrap
To query whether the user name user is on the whitelist, enter the following command: 
~]$ firewall-cmd --query-lockdown-whitelist-user=userfirewall-cmd --query-lockdown-whitelist-user=user
Copy to Clipboard Toggle word wrap
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.

5.16.3. Configuring Lockdown Whitelist Options with Configuration Files
Copiar o link

The default whitelist configuration file contains the NetworkManager context and the default context of libvirt. The user ID 0 is also on the list. 
<?xml version="1.0" encoding="utf-8"?>
	<whitelist>
	  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
	  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
	  <user id="0"/>
	</whitelist>
Copy to Clipboard Toggle word wrap
Following is an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815: 
<?xml version="1.0" encoding="utf-8"?>
	<whitelist>
	  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
	  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
	  <user id="815"/>
	  <user name="user"/>
	</whitelist>
Copy to Clipboard Toggle word wrap
This example shows both user id and user name, but only one option is required. Python is the interpreter and is prepended to the command line. You can also use a specific command, for example: 
/usr/bin/python /bin/firewall-cmd --lockdown-on
Copy to Clipboard Toggle word wrap
In that example, only the --lockdown-on command is allowed.

Note

In Red Hat Enterprise Linux 7, all utilities are placed in the /usr/bin/ directory and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location. But be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path, then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The * at the end of the name attribute of a command means that all commands that start with this string will match. If the * is not there then the absolute command including arguments must match.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat