+++ This bug was initially created as a clone of Bug #1250842 +++
Description of problem:
Running firewall-cmd to change the permanent config fails like this with setenforce 1:
# firewall-cmd --add-port 1234/tcp --permanent
Error: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'
It succeeds with setenforce 0.
Version-Release number of selected component (if applicable):
firewalld-0.3.14.2-4.fc23.noarch
--- Additional comment from Marius Vollmer on 2015-08-06 03:03:34 EDT ---
Ahh, selinux version:
selinux-policy-targeted-3.13.1-138.fc23.noarch
--- Additional comment from Alessandro Suardi on 2015-11-13 08:35:22 EST ---
Just updated to F23, same issue:
[root@torrent ~]# firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'public' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'
[root@torrent ~]# rpm -q firewalld
firewalld-0.3.14.2-4.fc23.noarch
[root@torrent ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-152.fc23.noarch
[root@torrent ~]# setenforce 0
[root@torrent ~]# firewall-cmd --runtime-to-permanent
success
--- Additional comment from Alessandro Suardi on 2015-11-13 08:42:35 EST ---
[root@torrent audit]# grep firewalld audit.log|grep AVC | audit2why
type=AVC msg=audit(1447421196.268:487): avc: denied { relabelfrom } for pid=812 comm="firewalld" name="public.xml.old" dev="dm-1" ino=395314 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
Was caused by:
#Constraint rule:
# constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
--- Additional comment from Alessandro Suardi on 2015-11-30 05:58:01 EST ---
Good news - Firewall-cmd --permanent has started working for me even with setenforce 1 in recent FC23 updates...
I'm not setting this to CLOSED RESOLVED because I'm not the original bug filer and can't verify the issue on the machine it was originally reported on.
--- Additional comment from on 2015-12-20 17:25:45 EST ---
Same error here on up to date F23:
[root@T14 ~] # firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'public' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'
[root@T14 ~] # lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: Fedora
Description: Fedora release 23 (Twenty Three)
Release: 23
Codename: TwentyThree
[root@T14 ~] #
[root@T14 ~] # grep firewalld /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1450649588.201:1178): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649602.675:1179): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649690.120:1183): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649722.071:1184): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649843.488:1192): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
[root@T14 ~] #
--- Additional comment from Thomas Woerner on 2016-01-25 11:38:12 EST ---
(In reply to strasharo2000 from comment #5)
> Same error here on up to date F23:
>
> [root@T14 ~] # firewall-cmd --runtime-to-permanent
> Error: RT_TO_PERM_FAILED: zone 'public' :
> org.fedoraproject.FirewallD1.Exception: Backup of
> '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied:
> '/etc/firewalld/zones/public.xml.old'
> [root@T14 ~] # lsb_release -a
> LSB Version:
> :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-
> amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.
> 1-amd64:printing-4.1-noarch
> Distributor ID: Fedora
> Description: Fedora release 23 (Twenty Three)
> Release: 23
> Codename: TwentyThree
> [root@T14 ~] #
>
>
> [root@T14 ~] # grep firewalld /var/log/audit/audit.log | grep AVC
> type=AVC msg=audit(1450649588.201:1178): avc: denied { relabelfrom } for
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649602.675:1179): avc: denied { relabelfrom } for
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649690.120:1183): avc: denied { relabelfrom } for
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649722.071:1184): avc: denied { relabelfrom } for
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649843.488:1192): avc: denied { relabelfrom } for
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> [root@T14 ~] #
Please add the output of "restorecon -rv /etc/firewalld"
--- Additional comment from on 2016-01-27 02:37:23 EST ---
[root@T14 ~] # restorecon -rv /etc/firewalld
[root@T14 ~] #
--- Additional comment from Thomas Woerner on 2016-02-03 10:23:41 EST ---
I also managed to run into this now. The backup files are not correctly labeled.
Assigning to selinux-policy-targeted.
--- Additional comment from Thomas Woerner on 2016-02-04 07:57:59 EST ---
This happens if the root user was running firewalld directly or if the user root copied a file into the firewalld configuration directory.
firewalld will create a backup of the old file by renaming it to <filename>.old
Here are steps to reproduce:
1) cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/foobar.xml
2) After 5 seconds when firewalld picked it up, do a change with firewalld:
firewall-cmd --permanent --zone=foobar --add-service=samba
Error: Backup of '/etc/firewalld/zones/foobar.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/foobar.xml.old'
# ls -Z /etc/firewalld/zones/foobar.xml*
unconfined_u:object_r:firewalld_etc_rw_t:s0 /etc/firewalld/zones/foobar.xml
system_u:object_r:firewalld_etc_rw_t:s0 /etc/firewalld/zones/foobar.xml.old
# sesearch -A -s firewalld_t -t firewalld_etc_rw_t -c file | grep relabelfrom
allow firewalld_t firewalld_etc_rw_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
Looks like this issue is fixed in current version of selinux-policy.
Moving to MODIFIED.
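The denial pattern in the audit2why output earlier in this report and in the reproduction above (an allow rule exists for firewalld_t on firewalld_etc_rw_t, yet relabelfrom is refused because the SELinux user on the file is unconfined_u while firewalld runs as system_u) can be picked out of an audit log mechanically. The script below is an added example for this report, not code from firewalld, audit2why or this bug; the sample log is constructed (the two AVC records are taken from the comments above, the SYSCALL line and the last AVC record are made up), and all function and field names are my own. It parses AVC records and flags file denials of create/relabelfrom/relabelto where the process user and the file user differ, which is exactly the case the quoted constraint rule rejects.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample audit log (hypothetical content, not a real capture):
# the first two AVC records are copied from this bug report; the SYSCALL line and
# the last AVC record (source and target users both system_u) are made up to show
# that non-AVC lines are skipped and that same-user denials are not flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447421196.268:487): avc: denied { relabelfrom } for pid=812 comm="firewalld" name="public.xml.old" dev="dm-1" ino=395314 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1447421196.268:487): arch=c000003e syscall=188 success=no exit=-13 comm="firewalld"
type=AVC msg=audit(1450649588.201:1178): avc: denied { relabelfrom } for pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450650000.000:1200): avc: denied { write } for pid=2492 comm="firewalld" name="foobar.xml" dev="dm-1" ino=2365090 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Permissions governed by the constraint audit2why quoted in this report:
#   constrain file { create relabelfrom relabelto } ((u1 == u2) or (t1 == can_change_object_identity))
CONSTRAINED_PERMS = {"create", "relabelfrom", "relabelto"}

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: List[str]
    fields: Dict[str, str]

    def _ctx_part(self, key: str, index: int) -> str:
        # An SELinux context is user:role:type:level; the level may itself contain ':'.
        return self.fields[key].split(":", 3)[index]

    @property
    def source_user(self) -> str:
        return self._ctx_part("scontext", 0)

    @property
    def target_user(self) -> str:
        return self._ctx_part("tcontext", 0)

    @property
    def source_type(self) -> str:
        return self._ctx_part("scontext", 2)

    @property
    def target_type(self) -> str:
        return self._ctx_part("tcontext", 2)


def parse_avc_records(log_text: str) -> List[AvcRecord]:
    """Return the AVC records found in audit log text; other record types are ignored."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append(AvcRecord(
            serial=int(m.group("serial")),
            result=m.group("result"),
            perms=m.group("perms").split(),
            fields=fields,
        ))
    return records


def find_user_constraint_denials(records: List[AvcRecord]) -> List[AvcRecord]:
    """File denials for a constrained permission where the SELinux user of the process
    differs from the user stored on the file. A type-level allow rule can exist (as
    sesearch showed in this report) and the access is still refused by the constraint."""
    return [
        r for r in records
        if r.result == "denied"
        and r.fields.get("tclass") == "file"
        and CONSTRAINED_PERMS.intersection(r.perms)
        and r.source_user != r.target_user
    ]


def explain(record: AvcRecord) -> str:
    """One-line diagnosis in the spirit of audit2why's 'Possible cause' message."""
    return (
        f"audit serial {record.serial}: {record.fields.get('comm')} ({record.source_type}) "
        f"was denied {' '.join(record.perms)} on {record.fields.get('name')} "
        f"({record.target_type}) because the process user {record.source_user} "
        f"and the file user {record.target_user} differ; the type pair is allowed, "
        f"the user identity is not."
    )


if __name__ == "__main__":
    for rec in find_user_constraint_denials(parse_avc_records(SAMPLE_AUDIT_LOG)):
        print(explain(rec))
```

Run against a real /var/log/audit/audit.log the filter separates this constraint case from ordinary type-based denials, which is the distinction a plain grep for "denied" does not make. It also explains why the restorecon -rv run above printed nothing: by default restorecon resets only the type portion of the label, and the type (firewalld_etc_rw_t) was already correct. Only the user portion was wrong, which restorecon -F (or chcon -u system_u on the affected file) resets.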
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2283.html