Bug 1304721

Summary: firewall-cmd broken with setenforce 1
Product: Red Hat Enterprise Linux 7
Reporter: Thomas Woerner <twoerner>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Jan Zarsky <jzarsky>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: alessandro.suardi, alexey.brodkin, dwalsh, jpopelka, jzarsky, lvrabec, mgrepl, mmalik, mvollmer, plautrba, pvrabec, ssekidde, strasharo2000, szidek, twoerner
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1250842
: 1332122
Environment:
Last Closed: 2016-11-04 02:41:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1250842
Bug Blocks: 1332122

Description Thomas Woerner 2016-02-04 13:08:23 UTC
+++ This bug was initially created as a clone of Bug #1250842 +++

Description of problem:

Running firewall-cmd to change the permanent config fails like this with setenforce 1:

# firewall-cmd --add-port 1234/tcp --permanent
Error: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'

It succeeds with setenforce 0.

Version-Release number of selected component (if applicable):

firewalld-0.3.14.2-4.fc23.noarch

--- Additional comment from Marius Vollmer on 2015-08-06 03:03:34 EDT ---

Ahh, selinux version:

selinux-policy-targeted-3.13.1-138.fc23.noarch

--- Additional comment from Alessandro Suardi on 2015-11-13 08:35:22 EST ---

Just updated to F23, same issue:

[root@torrent ~]# firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'public' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'
[root@torrent ~]# rpm -q firewalld
firewalld-0.3.14.2-4.fc23.noarch
[root@torrent ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-152.fc23.noarch
[root@torrent ~]# setenforce 0
[root@torrent ~]# firewall-cmd --runtime-to-permanent
success

--- Additional comment from Alessandro Suardi on 2015-11-13 08:42:35 EST ---

[root@torrent audit]# grep firewalld audit.log|grep AVC | audit2why
type=AVC msg=audit(1447421196.268:487): avc:  denied  { relabelfrom } for  pid=812 comm="firewalld" name="public.xml.old" dev="dm-1" ino=395314 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0

	Was caused by:

#Constraint rule:

#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (system_u) and target user (unconfined_u) are different.

--- Additional comment from Alessandro Suardi on 2015-11-30 05:58:01 EST ---

Good news - Firewall-cmd --permanent has started working for me even with setenforce 1 in recent FC23 updates...

I'm not setting this to CLOSED RESOLVED because I'm not the original bug filer and can't verify the issue on the machine it was originally reported on.

--- Additional comment from  on 2015-12-20 17:25:45 EST ---

Same error here on up to date F23:

[root@T14 ~] # firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'public' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/public.xml.old'
[root@T14 ~] # lsb_release -a
LSB Version:	:core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID:	Fedora
Description:	Fedora release 23 (Twenty Three)
Release:	23
Codename:	TwentyThree
[root@T14 ~] # 


[root@T14 ~] # grep firewalld /var/log/audit/audit.log  | grep AVC
type=AVC msg=audit(1450649588.201:1178): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649602.675:1179): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649690.120:1183): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649722.071:1184): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649843.488:1192): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
[root@T14 ~] #

--- Additional comment from Thomas Woerner on 2016-01-25 11:38:12 EST ---

(In reply to strasharo2000 from comment #5)
> Same error here on up to date F23:
> 
> [root@T14 ~] # firewall-cmd --runtime-to-permanent
> Error: RT_TO_PERM_FAILED: zone 'public' :
> org.fedoraproject.FirewallD1.Exception: Backup of
> '/etc/firewalld/zones/public.xml' failed: [Errno 13] Permission denied:
> '/etc/firewalld/zones/public.xml.old'
> [root@T14 ~] # lsb_release -a
> LSB Version:
> :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-
> amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.
> 1-amd64:printing-4.1-noarch
> Distributor ID:	Fedora
> Description:	Fedora release 23 (Twenty Three)
> Release:	23
> Codename:	TwentyThree
> [root@T14 ~] # 
> 
> 
> [root@T14 ~] # grep firewalld /var/log/audit/audit.log  | grep AVC
> type=AVC msg=audit(1450649588.201:1178): avc:  denied  { relabelfrom } for 
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649602.675:1179): avc:  denied  { relabelfrom } for 
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649690.120:1183): avc:  denied  { relabelfrom } for 
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649722.071:1184): avc:  denied  { relabelfrom } for 
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1450649843.488:1192): avc:  denied  { relabelfrom } for 
> pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
> [root@T14 ~] #

Please add the output of "restorecon -rv /etc/firewalld"

--- Additional comment from  on 2016-01-27 02:37:23 EST ---

[root@T14 ~] # restorecon -rv /etc/firewalld
[root@T14 ~] #

--- Additional comment from Thomas Woerner on 2016-02-03 10:23:41 EST ---

I also managed to run into this now. The backup files are not correctly labeled.

Assigning to selinux-policy-targeted.

--- Additional comment from Thomas Woerner on 2016-02-04 07:57:59 EST ---

This happens if the root user was running firewalld directly or if the user root copied a file into the firewalld configuration directory.

firewalld will create a backup of the old file by renaming it to <filename>.old

Here are steps to reproduce:
1) cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/foobar.xml
2) After 5 seconds when firewalld picked it up, do a change with firewalld: 
   firewall-cmd --permanent --zone=foobar --add-service=samba

Error: Backup of '/etc/firewalld/zones/foobar.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/foobar.xml.old'

# ls -Z /etc/firewalld/zones/foobar.xml*
unconfined_u:object_r:firewalld_etc_rw_t:s0 /etc/firewalld/zones/foobar.xml
    system_u:object_r:firewalld_etc_rw_t:s0 /etc/firewalld/zones/foobar.xml.old
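
The audit2why output earlier in this report and the reproduction steps in this comment describe the same shape of denial: firewalld (system_u) renaming a file whose SELinux user is unconfined_u, which the file-identity constraint rejects even though the allow rule for relabelfrom exists. The Python script below is an added example, not part of this bug or of firewalld; it parses AVC records from audit.log and flags denials of that shape so they are not mistaken for a missing allow rule. The first sample line is the record quoted in this bug, the other two are constructed.

```python
import re

# Constructed sample input: the first line is the AVC record quoted in this
# bug, the second is a made-up ordinary denial for contrast, and the third is
# a non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1450649588.201:1178): avc:  denied  { relabelfrom } for  pid=2492 comm="firewalld" name="public.xml.old" dev="dm-1" ino=2365085 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450649600.000:1180): avc:  denied  { read } for  pid=2492 comm="firewalld" name="other.xml" dev="dm-1" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1450649588.201:1178): arch=c000003e syscall=82 success=no exit=-13
"""

# Permissions covered by the constraint audit2why quoted in this bug:
#   constrain file { create relabelfrom relabelto } (u1 == u2 or t1 == can_change_object_identity)
CONSTRAINED_PERMS = {"create", "relabelfrom", "relabelto"}

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": set(m.group(1).split()), "name": f.get("name", "").strip('"'),
            "scontext": f.get("scontext", ""), "tcontext": f.get("tcontext", ""),
            "tclass": f.get("tclass", "")}

def selinux_user(context):
    """'user:role:type[:range]' -> 'user' (the u1/u2 of the constraint)."""
    return context.split(":", 1)[0]

def explain_denial(avc):
    """'user-identity-constraint' when the denial has the constraint's shape
    (file create/relabel* with differing SELinux users), otherwise 'other'."""
    if avc["tclass"] == "file" and avc["perms"] & CONSTRAINED_PERMS:
        if selinux_user(avc["scontext"]) != selinux_user(avc["tcontext"]):
            return "user-identity-constraint"
    return "other"

def scan_audit_log(text):
    """[(file name, process user, file user, verdict)] for each AVC record."""
    out = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            out.append((avc["name"], selinux_user(avc["scontext"]),
                        selinux_user(avc["tcontext"]), explain_denial(avc)))
    return out

if __name__ == "__main__":
    for name, puser, fuser, verdict in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{name:<16} {puser} -> {fuser}: {verdict}")
```

A flagged record points at the user portion of the file's label, which is also why the plain "restorecon -rv /etc/firewalld" run earlier in this report printed nothing: without -F, restorecon only resets the type portion of a context, and -F is needed to reset the user, role and range as well.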

Comment 2 Lukas Vrabec 2016-06-21 11:02:34 UTC
# sesearch -A -s firewalld_t -t firewalld_etc_rw_t -c file  | grep relabelfrom 

   allow firewalld_t firewalld_etc_rw_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;

Looks like this issue is fixed in current version of selinux-policy. 
Moving to MODIFIED.

Comment 6 errata-xmlrpc 2016-11-04 02:41:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html