Bug 804083
Summary: | firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Thomas Woerner <twoerner> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 17 | CC: | awilliam, bruno, dwalsh, jsmith.fedora, robatino, tore |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | RejectedBlocker | | |
Fixed In Version: | selinux-policy-3.10.0-104.fc17 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-03-21 18:53:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Thomas Woerner
2012-03-16 13:55:04 UTC
Thomas does it have content in this directory that firewalld should not be allowed to write to?

    ls -lZ /etc/firewalld/
    -rw-r-----. root root system_u:object_r:etc_t:s0 firewalld.conf
    drwxr-x---. root root system_u:object_r:etc_t:s0 icmptypes
    drwxr-x---. root root system_u:object_r:etc_t:s0 services
    drwxr-x---. root root system_u:object_r:etc_t:s0 zones

I can add labels to directories in here and give allow rules, but I don't think we want to allow firewalld to write to firewalld.conf, for example.

firewalld is writing to firewalld.conf to store the default zone. Everything in /etc/firewalld should be writable by firewalld.

ok, I am adding a new type firewalld_etc_rw_t

Fixed in -103.fc17

selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17

Tore Anderson suggests that this bug prevents firewalld from properly allowing DHCPv6, which makes it a Beta blocker per our recent determination that IPv6 connectivity is Beta blocking. A live image for the purpose of testing is available at http://adamwill.fedorapeople.org/firewalld/firewalld-20120319-x86_64.iso : it has this selinux-policy, plus the firewalld and NetworkManager necessary to address other IPv6 issues. Tore, can you please confirm my understanding here? Thanks.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

No, the DHCPv6 problem I saw was (very likely) caused by bug #804587. I don't believe this one is a blocker bug, as it (from my understanding of comment #0) is only causing manual fiddling to not work as expected - it does not affect the OOTB everything-default experience.
Tore

Unless there is a cascading effect that causes a blocker, I don't think firewalld not working properly is itself a blocker. So I am currently -1 blocker given comment 8. Even though firewalld is a feature, this seems fixable by an update so I am -1 NTH.

Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).

-1 beta blocker

okay, I agree this is -1 blocker as discussed above. I've re-opened 804587 to serve as a blocker to ensure we pull selinux-policy -104 into the Beta.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
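The fix in this thread is a relabel: /etc/firewalld moves from the generic etc_t type to a new firewalld_etc_rw_t type that the firewalld domain is allowed to write. A policy update alone does not change the labels already on disk, so after installing selinux-policy-3.10.0-104.fc17 the directory has to be relabelled and the result verified. The script below is an added example written for this page; it is not part of the bug report, firewalld or the selinux-policy package. It parses `ls -lZ` output and reports every entry whose SELinux type is not the one expected. The two sample listings are constructed: the "before" one repeats the listing quoted in the thread, the "after" one is what the same directory would look like once relabelled (in the newer coreutils long format, to show that the parser does not depend on column positions).

```sh
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package): check
# that every entry in an `ls -lZ` listing carries the SELinux type the policy
# is supposed to assign. Used here to confirm /etc/firewalld was relabelled
# from etc_t to firewalld_etc_rw_t after the policy update.

# Constructed sample, copied from the listing quoted in the bug: before the fix
# every entry still carries the generic etc_t type (old coreutils format).
BEFORE='-rw-r-----. root root system_u:object_r:etc_t:s0 firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0 icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0 services
drwxr-x---. root root system_u:object_r:etc_t:s0 zones'

# Constructed sample of the same directory after `restorecon -R /etc/firewalld`
# with a policy that knows firewalld_etc_rw_t. Newer coreutils print link
# count, size and date as well, and a "total" line; the parser copes with both.
AFTER='total 16
-rw-r-----. 1 root root system_u:object_r:firewalld_etc_rw_t:s0 1234 Mar 21 12:00 firewalld.conf
drwxr-x---. 2 root root system_u:object_r:firewalld_etc_rw_t:s0 4096 Mar 21 12:00 icmptypes
drwxr-x---. 2 root root system_u:object_r:firewalld_etc_rw_t:s0 4096 Mar 21 12:00 services
drwxr-x---. 2 root root system_u:object_r:firewalld_etc_rw_t:s0 4096 Mar 21 12:00 zones'

# mislabeled LISTING EXPECTED_TYPE
# Prints "<name> <actual type>" for each entry whose context type differs from
# EXPECTED_TYPE. The context field is found by shape (user:role:type[:range],
# role ending in _r) rather than by column, so old and new ls formats both
# work. The file name is taken as the last field (names containing spaces
# are not handled). Lines without a context, e.g. "total 16", are skipped.
mislabeled() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, ctx, ":")
                if (n >= 3 && ctx[2] ~ /_r$/) {
                    if (ctx[3] != want) print $NF, ctx[3]
                    break
                }
            }
        }'
}

# count_mislabeled LISTING EXPECTED_TYPE -> number of offending entries
count_mislabeled() {
    mislabeled "$1" "$2" | wc -l | tr -d ' '
}

# check_dir DIR EXPECTED_TYPE
# Live version for a real system: lists DIR and reports any entry that does
# not carry EXPECTED_TYPE. Returns 0 when everything is labelled as expected,
# 1 when something is mislabeled, 2 when ls shows no contexts at all (SELinux
# disabled or unsupported filesystem), so the check is never silently vacuous.
check_dir() {
    listing=$(ls -lZ "$1") || return 2
    if ! printf '%s\n' "$listing" | grep -q '_r:'; then
        printf 'no SELinux contexts in listing of %s\n' "$1" >&2
        return 2
    fi
    bad=$(mislabeled "$listing" "$2")
    if [ -n "$bad" ]; then
        printf 'mislabeled under %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: sh check-labels.sh /etc/firewalld firewalld_etc_rw_t
if [ $# -eq 2 ]; then
    check_dir "$1" "$2"
fi
```

On a real Fedora 17 host the sequence after the update is `restorecon -Rv /etc/firewalld` to apply the new file contexts to the existing files, then `sh check-labels.sh /etc/firewalld firewalld_etc_rw_t`, which exits non-zero if anything still carries etc_t. To confirm that the policy actually grants the write, query it with setools: `sesearch -A -s firewalld_t -t firewalld_etc_rw_t -c file -p write`. The domain name firewalld_t is an assumption made here, since the thread names only the new file type, not the domain.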