diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 50393a8e2..9147cb3e7 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2315,7 +2315,7 @@ sub qt( $ ) { print "SYS----> @_\n"; system( "@_ 2>&1" ); } else { - system( "@_ > /dev/null 2>&1" ) == 0; + system( "@_ > /dev/null 2>&1 < /dev/null" ) == 0; } } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 07f50a04a..6d9bb7682 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1989,8 +1989,8 @@ EOF emit <<'EOF'; if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do - qt $IP -4 neigh del proxy $address dev $external - [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface + qtnoin $IP -4 neigh del proxy $address dev $external + [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp @@ -2003,8 +2003,8 @@ EOF emit <<'EOF'; if [ -f ${VARDIR}/proxyndp ]; then while read address interface external haveroute; do - qt $IP -6 neigh del proxy $address dev $external - [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface + qtnoin $IP -6 neigh del proxy $address dev $external + [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -6 route del $address/128 dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_ndp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyndp diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index 4c334d7fe..8e021ac02 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header 
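Review bot: In the Config.pm hunk for `qt`, only the quiet branch gets the new `< /dev/null`; the other branch two lines above still runs `system( "@_ 2>&1" )` with the caller's stdin inherited, so the descriptor this commit is keeping away from the child is still passed whenever that branch is taken. If that is not intentional, it would read `system( "@_ 2>&1 < /dev/null" );`. Both branches also hand an interpolated string to the shell, so any metacharacter in the arguments is interpreted by /bin/sh; a comment on `qt` stating that callers must pass trusted text only would help. The `if` that opens this branch is outside the hunk.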
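Review bot: In the emitted proxyarp loop of Misc.pm (and identically in the proxyndp hunk after it and in `delete_proxyarp` in prog.header), the fields read from `${VARDIR}/proxyarp` are expanded unquoted into the `ip` arguments and into the path `f=/proc/sys/net/ipv4/conf/$interface/proxy_arp`, which is then written with `echo 0 > $f`. Switching to `qtnoin` stops the child from reading the loop's input, but a malformed or altered line in the state file is still word-split and glob-expanded and can change which file receives the write. Suggest `while read -r address interface external haveroute; do`, quoting the expansions (`"$address"`, `"$external"`, `"$interface"`), and `[ -f "$f" ] && echo 0 > "$f"`. The heredoc this loop belongs to starts before the hunk.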
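Review bot: The IPv6 loop in the second Misc.pm hunk builds `f=/proc/sys/net/ipv4/conf/$interface/proxy_ndp`, but the proxy_ndp sysctl is exposed under `/proc/sys/net/ipv6/conf/`, so the `[ -f $f ]` test will presumably never succeed and the setting stays enabled after the neighbour entries are removed. The line is context and untouched by this commit, but it sits directly below the changed calls and should probably read `f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp`. Whether a runtime copy of this loop exists elsewhere with the same path is not visible here.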
@@ -270,7 +270,7 @@ get_interface_bcasts() # $1 = interface # del_ip_addr() # $1 = address, $2 = interface { - [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2 + [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2 } # Add IP Aliases @@ -622,8 +622,8 @@ conditionally_flush_conntrack() { delete_proxyarp() { if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do - qt $IP -4 neigh del proxy $address dev $external - [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface + qtnoin $IP -4 neigh del proxy $address dev $external + [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp diff --git a/Shorewall/lib.common b/Shorewall/lib.common index 9f62c4b7b..50f034eb4 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -164,12 +164,21 @@ qt() "$@" >/dev/null 2>&1 } +# +# Suppress all output and input - mainly for preventing leaked file descriptors +# to avoid SELinux denials +# +qtnoin() +{ + "$@" /dev/null 2>&1 +} + qt1() { local status while [ 1 ]; do - "$@" >/dev/null 2>&1 + "$@" /dev/null 2>&1 status=$? [ $status -ne 4 ] && return $status done @@ -179,7 +188,7 @@ qt1() # Determine if Shorewall is "running" # shorewall_is_started() { - qt $IPTABLES -L shorewall -n + qt1 $IPTABLES -L shorewall -n } # diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common index 0b4022ce1..4aee7ff32 100644 --- a/Shorewall6/lib.common +++ b/Shorewall6/lib.common @@ -186,12 +186,21 @@ qt() "$@" >/dev/null 2>&1 } +# +# Suppress all output and input - mainly for preventing leaked file descriptors +# to avoid SELinux denials +# +qtnoin() +{ + "$@" /dev/null 2>&1 +} + qt1() { local status while [ 1 ]; do - "$@" >/dev/null 2>&1 + "$@" /dev/null 2>&1 status=$? [ $status -ne 4 ] && return $status done
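Review bot: In `del_ip_addr` the test `[ $(find_first_interface_address_if_any $2) = $1 ]` is unquoted, so if the helper prints nothing, or `$1` is empty, `[` fails on a malformed expression and the `||` branch runs the address deletion anyway. Whether the helper can return an empty string is not visible in this hunk, but quoting removes the dependency: `[ "$(find_first_interface_address_if_any "$2")" = "$1" ] || qtnoin $IP addr del "$1" dev "$2"`.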
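Review bot: The comment added above `qtnoin` in Shorewall/lib.common says it prevents leaked file descriptors, but redirecting stdin only replaces descriptor 0; anything the calling shell holds open on descriptor 3 and above is still inherited by the child. Suggest narrowing it, e.g. `# Suppress all output and take stdin from /dev/null so the child does not inherit the caller's stdin`. As rendered here the bodies of `qtnoin` and `qt1` read `"$@" /dev/null 2>&1`, which would pass /dev/null as an argument and leave stdout alone; this looks like the page dropping the `<` and `>` characters, so confirm the committed lines carry both redirections. The Shorewall6/lib.common hunk is identical.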
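Review bot: `shorewall_is_started` now goes through `qt1`, whose loop in the previous hunk re-runs the command for as long as it exits with status 4 and has neither a retry limit nor a delay, so this status check can spin indefinitely if `$IPTABLES` keeps returning 4. That is a behaviour change beyond the stdin redirection the rest of the commit is about. A bounded retry in `qt1` would be safer; at minimum a comment here such as `# qt1 retries while the command exits with status 4` would make the blocking behaviour explicit to callers.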