Bug 951747

Summary: [abrt] firewall-config-0.2.12-4.fc18: connection.py:651:call_blocking:DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: Backup of '/usr/lib/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/usr/lib/firewalld/zo...
Product: [Fedora] Fedora
Reporter: Nick H. <nck.s.hayes>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: jpopelka, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1f89e880aabad249d5d643c2f5da07f1b2e4ce27
Fixed In Version: firewalld-0.3.2-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-22 03:21:20 UTC
Attachments:
File: backtrace (flags: none)
File: core_backtrace (flags: none)
File: dso_list (flags: none)
File: environ (flags: none)

Description Nick H. 2013-04-13 00:32:42 UTC
Description of problem:
Changing "Current View:" from "Runtime Configuration" to "Persistent Configuration".
Then, go to the "public" zone, select the "Ports" tab, then try adding a port/port range.

That's how I got my error, although you might encounter it through another method.

Version-Release number of selected component:
firewall-config-0.2.12-4.fc18

Additional info:
cmdline:        /usr/bin/python /usr/bin/firewall-config
executable:     /usr/bin/firewall-config
kernel:         3.8.5-201.fc18.x86_64
uid:            1000
ureports_counter: 1

Truncated backtrace:
connection.py:651:call_blocking:DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: Backup of '/usr/lib/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/usr/lib/firewalld/zones/public.xml.old'

Traceback (most recent call last):
  File "/usr/bin/firewall-config", line 1153, in onAddPort
    self.add_edit_port(True)
  File "/usr/bin/firewall-config", line 1235, in add_edit_port
    zone.update(settings)
  File "<string>", line 2, in update
  File "/usr/lib/python2.7/site-packages/slip/dbus/polkit.py", line 103, in _enable_proxy
    return func(*p, **k)
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 174, in update
    self.fw_zone.update(tuple(settings.settings))
  File "/usr/lib/python2.7/site-packages/slip/dbus/proxies.py", line 50, in __call__
    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: Backup of '/usr/lib/firewalld/zones/public.xml' failed: [Errno 13] Permission denied: '/usr/lib/firewalld/zones/public.xml.old'

Local variables in innermost frame:
byte_arrays: False
self: <dbus._dbus.SystemBus (system) at 0xe2af50>
args: (('', 'Public', 'For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.', False, '{chain}_ZONE_{zone}', ['ssh', 'mdns', 'dhcpv6-client'], [('25565', 'tcp')], [], False, []),)
object_path: '/org/fedoraproject/FirewallD1/config/zone/7'
signature: u'(sssbsasa(ss)asba(ssss))'
bus_name: dbus.UTF8String(':1.3')
get_args_opts: {'byte_arrays': False, 'utf8_strings': False}
timeout: 2147483.647
kwargs: {}
dbus_interface: 'org.fedoraproject.FirewallD1.config.zone'
message: <dbus.lowlevel.MethodCallMessage path: /org/fedoraproject/FirewallD1/config/zone/7, iface: org.fedoraproject.FirewallD1.config.zone, member: update dest: :1.3>
method: 'update'

Comment 1 Nick H. 2013-04-13 00:32:44 UTC
Created attachment 735053
File: backtrace

Comment 2 Nick H. 2013-04-13 00:32:46 UTC
Created attachment 735054
File: core_backtrace

Comment 3 Nick H. 2013-04-13 00:32:47 UTC
Created attachment 735055
File: dso_list

Comment 4 Nick H. 2013-04-13 00:32:49 UTC
Created attachment 735056
File: environ

Comment 5 Jiri Popelka 2013-04-17 14:12:49 UTC
So we have two problems here.

First is that firewall-config crashed after obtaining an exception from firewalld, which is a duplicate of bug 951850.

Second is that firewalld tried to make a backup of the public.xml zone file in /usr/lib/firewalld/zones/ instead of in /etc/firewalld/zones/.

Comment 6 Jiri Popelka 2013-04-17 15:24:15 UTC
To myself:

I see one possibility how this could happen:
Let's imagine that /usr/lib/firewalld/zones/public.xml was loaded but for some reason marked (in FirewallConfig.add_zone()) as 'not default'.
Then during updating (after user changes any zone setting) FirewallConfig.set_zone_config() checks whether the zone is default or not and if it's not marked as default the zone file gets overwritten (with backup).

Problem is that I can't find a place where this de-sync (i.e. loading zone from /usr/ but marking it as not default) could happen.
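
An added illustration of the de-sync hypothesised in comment 6 (not firewalld's code and not part of the original report): a write path that trusts a stored 'default' flag, next to one that only ever writes to the override directory. The functions `save_by_flag` and `save_by_path`, the zone dict, and the temporary directories standing in for /usr/lib/firewalld/zones and /etc/firewalld/zones are assumptions made for the example.

```python
import os
import shutil
import tempfile

# Hypothetical model, not firewalld code. A zone is a dict: name, path, default.

def save_by_flag(zone, xml, etc_dir):
    """Trusts zone['default'], which can drift from where the file was loaded."""
    if zone["default"]:
        target = os.path.join(etc_dir, zone["name"] + ".xml")
    else:
        target = zone["path"]                    # overwrite in place
        shutil.copy2(target, target + ".old")    # backup lands beside it
    with open(target, "w") as fh:
        fh.write(xml)
    return target

def save_by_path(zone, xml, etc_dir):
    """Ignores the flag: the override directory is the only write target."""
    target = os.path.join(etc_dir, zone["name"] + ".xml")
    if os.path.exists(target):
        shutil.copy2(target, target + ".old")    # back up admin-owned files only
    with open(target, "w") as fh:
        fh.write(xml)
    return target

def demo():
    """Run both write paths on the de-synced state; return directory listings."""
    root = tempfile.mkdtemp()
    results = {}
    for label, save in (("flag", save_by_flag), ("path", save_by_path)):
        system_dir = os.path.join(root, label, "usr-lib-zones")  # packaged stand-in
        etc_dir = os.path.join(root, label, "etc-zones")         # override stand-in
        os.makedirs(system_dir)
        os.makedirs(etc_dir)
        packaged = os.path.join(system_dir, "public.xml")
        with open(packaged, "w") as fh:
            fh.write("<zone/>")                  # constructed sample content
        # Loaded from the packaged directory, yet flagged as not default.
        zone = {"name": "public", "path": packaged, "default": False}
        save(zone, "<zone><port/></zone>", etc_dir)
        results[label] = (sorted(os.listdir(system_dir)), sorted(os.listdir(etc_dir)))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    print(demo())
```

In the flag-driven run the packaged directory gains `public.xml.old`, the same file whose creation failed with Errno 13 in the reported traceback; the path-driven run leaves that directory untouched.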

Comment 7 Jiri Popelka 2013-04-17 15:30:38 UTC
Nick,

sorry for the delay.
Are you able to reproduce the problem?
Do you by any chance remember what changes you had made prior to the steps to reproduce from your description?

Comment 8 Nick H. 2013-04-17 18:14:15 UTC
I believe I added a port while I was in "Runtime Configuration", but then thinking that I wouldn't have to add the port every time I log in, I switched to "Persistent Configuration" and tried adding the same port. That's when it crashed and triggered ABRT.

More notes:

Zone: Public //All the time I was doing this, I didn't change the zone.

I'll try to reproduce this as soon as I can.
Hope this new info helps!

Comment 9 Jiri Popelka 2013-04-18 15:21:12 UTC
(In reply to comment #6)
> Problem is that I can't find a place where this de-sync (i.e. loading zone
> from /usr/ but marking it as not default) could happen.

I gave it another try today and rewrote [1] how/where we set the 'default(s)' flag.

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=003cc6babeb66271a60d3b5b0436d259040b2887

Comment 10 Fedora Update System 2013-04-30 16:40:32 UTC
firewalld-0.3.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.2-1.fc19

Comment 11 Fedora Update System 2013-04-30 19:59:11 UTC
Package firewalld-0.3.2-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.2-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7044/firewalld-0.3.2-1.fc19
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-05-22 03:21:20 UTC
firewalld-0.3.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.