Bug 1250537

Summary: Deploy of roles fails with: Backup of '/etc/firewalld/zones/FedoraServer.xml' failed
Product: [Fedora] Fedora
Reporter: Petr Schindler <pschindl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: awilliam, dominick.grift, dwalsh, kevin, lvrabec, mgrepl, plautrba, pschindl, robatino, sgallagh, twoerner
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-140.fc23
Doc Type: Bug Fix
Last Closed: 2015-08-06 06:02:07 UTC
Type: Bug
Bug Blocks: 1170817

Description Petr Schindler 2015-08-05 12:20:56 UTC
Description of problem:
When I try to deploy some role with rolectl (either domaincontroller or databaseserver) it fails with the message:
Error: Backup of '/etc/firewalld/zones/FedoraServer.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraServer.xml.old'

After that the rolectl status <role name> always says 'error'

I run rolectl as root.

Version-Release number of selected component (if applicable):
rolekit-0.4.0-2.beta1.fc23.noarch

How reproducible:
always

Additional info:
I propose it as alpha blocker as it violates the criterion: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried.

Comment 1 Thomas Woerner 2015-08-05 12:32:33 UTC
Are there AVC messages (SELinux denials)? 
Is /etc read-only?

Comment 2 Stephen Gallagher 2015-08-05 12:57:18 UTC
Found AVCs, it's definitely SELinux.

type=AVC msg=audit(1438779216.611:476): avc:  denied  { relabelto } for  pid=744 comm="firewalld" name="FedoraServer.xml.old" dev="dm-0" ino=5060052 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0

Comment 3 Miroslav Grepl 2015-08-05 13:27:47 UTC
commit a6718904510bf5fbca51632df8eaeae4620bdb5f
Author: Miroslav Grepl <mgrepl>
Date:   Wed Aug 5 15:26:43 2015 +0200

    firewalld needs to relabel own config files
    BZ(#1250537)

Comment 4 Adam Williamson 2015-08-05 16:19:43 UTC
+1 blocker, per criterion in #c0.

Comment 5 Fedora Update System 2015-08-05 16:24:56 UTC
selinux-policy-3.13.1-140.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-140.fc23

Comment 6 Kevin Fenzi 2015-08-05 16:57:40 UTC
+1 blocker

Comment 7 Adam Williamson 2015-08-05 17:54:01 UTC
That's 3 +1s (counting sgallagh, which I reckon I can :>). Marking as accepted.

Comment 8 Stephen Gallagher 2015-08-05 17:58:41 UTC
Right, +1 blocker for the record.

Comment 9 Fedora Update System 2015-08-06 06:02:07 UTC
selinux-policy-3.13.1-140.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.