From 5eb1ef41ac2c4b6895d679e13ae1d9e9f6bdcd73 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 21 Apr 2017 12:05:14 +0200
Subject: [PATCH 1/3] firewall: fix supressing errors from D-Bus calls

We want to ignore certain errors from firewalld. In the past,
the error message contained only the error code.
Since recently ([1], [2]), the error message contains a longer text:

  NetworkManager[647]: <debug> [1492768494.7475] device[0x7f7f21e78f50] (eth0): Activation: setting firewall zone 'default'
  NetworkManager[647]: <debug> [1492768494.7475] firewall: [0x7f7f21ed8900,change:"eth0"]: firewall zone change eth0:default
  ...
  firewalld[2342]: ERROR: UNKNOWN_INTERFACE: 'eth0' is not in any zone
  NetworkManager[647]: <warn>  [1492768494.7832] firewall: [0x7f7f0400c780,remove:"eth0"]: complete: request failed (UNKNOWN_INTERFACE: 'eth0' is not in any zone)

[1] https://github.com/t-woerner/firewalld/commit/c77156d7f688a0be3f0a1b4869b1c659e9e18cd6
[2] https://github.com/t-woerner/firewalld/commit/7c6ab456c5c461ac40cd7bb979a5daec6a13e6e4

(cherry picked from commit 2ad8bb0ce377624eefafe3b626d3fe691a7b9b7c)
---
 src/nm-firewall-manager.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/nm-firewall-manager.c b/src/nm-firewall-manager.c
index 045d5abc4c..0d893652f8 100644
--- a/src/nm-firewall-manager.c
+++ b/src/nm-firewall-manager.c
@@ -263,14 +263,16 @@ _handle_dbus (GObject *proxy, GAsyncResult *result, gpointer user_data)
 			non_error = "UNKNOWN_INTERFACE";
 			break;
 		}
-		if (!g_strcmp0 (error->message, non_error)) {
+		if (   error->message
+		    && non_error
+		    && g_str_has_prefix (error->message, non_error)
+		    && NM_IN_SET (error->message[strlen (non_error)], '\0', ':')) {
 			_LOGD (info, "complete: request failed with a non-error (%s)", error->message);
 
 			/* The operation failed with an error reason that we don't want
 			 * to propagate. Instead, signal success. */
 			g_clear_error (&error);
-		}
-		else
+		} else
 			_LOGW (info, "complete: request failed (%s)", error->message);
 	} else
 		_LOGD (info, "complete: success");

From ebb3830e57ddb87e72699ed83df2765836228775 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 21 Apr 2017 11:42:45 +0200
Subject: [PATCH 2/3] org.freedesktop.NetworkManager.conf: don't use tabs

(cherry picked from commit 8583e62276a23a7ea858edf6c71d122e22f41955)
---
 src/org.freedesktop.NetworkManager.conf | 28 ++++++++++++-------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/org.freedesktop.NetworkManager.conf b/src/org.freedesktop.NetworkManager.conf
index d130f7e271..e4d1b78ba6 100644
--- a/src/org.freedesktop.NetworkManager.conf
+++ b/src/org.freedesktop.NetworkManager.conf
@@ -11,8 +11,8 @@
 
                 <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
                 <!-- These are there because some broken policies do
-		     <deny send_interface="..." /> (see dbus-daemon(8) for details).
-		     This seems to override that for the known VPN plugins.
+                     <deny send_interface="..." /> (see dbus-daemon(8) for details).
+                     This seems to override that for the known VPN plugins.
                   -->
                 <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
                 <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
@@ -39,7 +39,7 @@
 
                 <deny send_destination="org.freedesktop.NetworkManager"/>
 
-		<!-- Basic D-Bus API stuff -->
+                <!-- Basic D-Bus API stuff -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.DBus.Introspectable"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
@@ -47,7 +47,7 @@
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.DBus.ObjectManager"/>
 
-		<!-- Devices (read-only properties, no methods) -->
+                <!-- Devices (read-only properties, no methods) -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
@@ -83,17 +83,17 @@
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
 
-		<!-- Devices (read-only, no security required) -->
+                <!-- Devices (read-only, no security required) -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
 
-		<!-- Devices (read/write, secured with PolicyKit) -->
+                <!-- Devices (read/write, secured with PolicyKit) -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Device"/>
 
-		<!-- Core stuff (read-only properties, no methods) -->
+                <!-- Core stuff (read-only properties, no methods) -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
@@ -107,7 +107,7 @@
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
 
-		<!-- Core stuff (read/write, secured with PolicyKit) -->
+                <!-- Core stuff (read/write, secured with PolicyKit) -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
@@ -115,13 +115,13 @@
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
 
-		<!-- Agents; secured with PolicyKit.  Any process can talk to
-		     the AgentManager API, but only NetworkManager can talk
-		     to the agents themselves. -->
+                <!-- Agents; secured with PolicyKit.  Any process can talk to
+                     the AgentManager API, but only NetworkManager can talk
+                     to the agents themselves. -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.AgentManager"/>
 
-		<!-- Root-only functions -->
+                <!-- Root-only functions -->
                 <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_member="SetLogging"/>
@@ -139,7 +139,7 @@
                 <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
         </policy>
 
-	<limit name="max_replies_per_connection">1024</limit>
-	<limit name="max_match_rules_per_connection">2048</limit>
+        <limit name="max_replies_per_connection">1024</limit>
+        <limit name="max_match_rules_per_connection">2048</limit>
 </busconfig>
 

From ff5b7275a7584fcdabe4327f1a061c5610cf89dd Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 21 Apr 2017 11:56:28 +0200
Subject: [PATCH 3/3] dbus: allow firewalld to communicate with NetworkManager

Usually, this "<allow send_destination="..."/>" part is shipped
by firewalld's D-Bus policy. However, if firewalld is initially
not installed with NetworkManager already running, dbus-daemon
seems to cache the missing permission for the D-Bus connection.
As a result, when installing and starting firewalld, NetworkManager
requests fail until restart:

  firewall: [0x7f4b83643890,change:"eth1"]: complete: request failed (Rejected send message, 1 matched rules; type="method_call", sender=":1.3" (uid=0 pid=715 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.fedoraproject.FirewallD1.zone" member="changeZone" error name="(unset)" requested_reply="0" destination=":1.25" (uid=0 pid=1243 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -"))

https://bugzilla.redhat.com/show_bug.cgi?id=1436770
(cherry picked from commit cc1d409ba886e8e7c33f845790cfc700fcd2d854)
---
 src/org.freedesktop.NetworkManager.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/org.freedesktop.NetworkManager.conf b/src/org.freedesktop.NetworkManager.conf
index e4d1b78ba6..6be1feb68e 100644
--- a/src/org.freedesktop.NetworkManager.conf
+++ b/src/org.freedesktop.NetworkManager.conf
@@ -27,6 +27,8 @@
                 <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
                 <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
 
+                <allow send_destination="org.fedoraproject.FirewallD1"/>
+
                 <!-- Allow the custom name for the dnsmasq instance spawned by NM
                      from the dns dnsmasq plugin to own it's dbus name, and for
                      messages to be sent to it.