| Summary: | selinux interferes with starting firewalld | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Thomas Higgins <thomas_higgins> |
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 23 | CC: | jpopelka, thomas_higgins, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-23 13:28:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Which firewalld version are you using?

I am not particularly experienced with Linux, how do I find out what version of firewalld I have installed? When I install it via dnf, it seems to be grabbing 0.4.0. I haven't changed the default dnf repo on my installation.

To get the firewalld package version use:
rpm -q firewalld

Thanks Thomas, it is what dnf was grabbing:
firewalld-0.4.0-2.fc23.noarch

Which selinux-policy version is installed?

I ran sestatus and it gave me Max kernel policy version: 29. Is that the version number you are after?

Please add the output of
rpm -q selinux-policy

This is the output
selinux-policy-3.13.1-152.fc23.noarch

What is the output of
ls -Z /usr/sbin/firewalld
It should be:
system_u:object_r:firewalld_exec_t:s0 /usr/sbin/firewalld
If the context is not correct, you can use
restorecon -rvF $(rpm -qla "*firewall*")
to reset the contexts of all firewall specific files.

ls -Z /usr/sbin/firewalld outputs:
system_u:object_r:firewalld_exec_t:s0 /usr/sbin/firewalld
I did run restorecon -rvF $(rpm -qla "*firewall*"), and it made no difference.

There has been an selinux-policy update that addresses this. Please verify if this is working for you.

Thanks Thomas, my apologies for not getting back to this sooner, but this has resolved the issue thanks.

Closing due to comment 12.

Created attachment 1150091: conversation on irc with solution

Description of problem:
I have installed firewalld on the fedora 23 image that Digital Ocean provides. While I can install firewalld, I cannot start it.

How reproducible:
Every time

Steps to Reproduce:
1. after initial fedora install, run dnf install firewalld firewall-config
2. systemctl enable firewalld
3. systemctl start firewalld

Actual results:
When you run systemctl start firewalld, you get:
Job for firewalld.service failed because the control process exited with error code. See "systemctl status firewalld.service" and "journalctl -xe" for details.

In journalctl, you see:
Apr 24 06:35:00 fourth audit[10684]: AVC avc: denied { create } for pid=10684 comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Apr 24 06:35:00 fourth /firewalld[10684]: FATAL ERROR: Fork #1 failed: 13 (Permission denied)
Apr 24 06:35:00 fourth /firewalld[10684]: ERROR: Traceback (most recent call last):
  File "/usr/sbin/firewalld", line 128, in startup
    os.mkdir(config.FIREWALLD_TEMPDIR, 0o750)
PermissionError: [Errno 13] Permission denied: '/run/firewalld'
Apr 24 06:35:00 fourth systemd[1]: firewalld.service: Main process exited, code=exited, status=1/FAILURE
Apr 24 06:35:00 fourth systemd[1]: Failed to start firewalld - dynamic firewall daemon.

If you dig into the selinux logs you get:
avc: denied { create } for pid=849 comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0

Expected results:
That firewalld would start

Additional info:
I have attached a conversation I had with a person on the fedora IRC, their instructions did get firewalld working in the end, but he recommended submitting a fedora bug. Also I have opened a bug at digitalocean but they have also told me to submit a fedora bug.
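
The AVC denials quoted in this report can be triaged mechanically. The following is an added example, not part of the original bug report or of firewalld: it parses the log lines copied from the report and groups denials by source type, target type, object class and permission. The function names `parse_avc` and `summarize` are illustrative.

```python
import re
from collections import Counter

# Log lines copied from the report above: two AVC denials and one non-AVC entry.
LINES = [
    'Apr 24 06:35:00 fourth audit[10684]: AVC avc: denied { create } for pid=10684 '
    'comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0',
    'avc: denied { create } for pid=849 comm="firewalld" name="firewalld" '
    'scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0',
    'Apr 24 06:35:00 fourth systemd[1]: Failed to start firewalld - dynamic firewall daemon.',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; policy rules are written against the type.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    # permissive=0 means the denial was enforced, not merely logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec

def summarize(lines):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['scontext_type'], rec['tcontext_type'], rec.get('tclass'), perm)
            counts[key] += 1
    return counts

if __name__ == '__main__':
    for (src, tgt, cls, perm), n in summarize(LINES).items():
        print(f'{n}x {src} denied {perm} on {cls} labelled {tgt}')
```
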