Description of problem: I attempted to run 'rolectl deploy databaseserver' from a Fedora Workstation system. SELinux is preventing firewalld from 'relabelfrom' accesses on the file /etc/firewalld/zones/FedoraWorkstation.xml.old. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that firewalld should be allowed relabelfrom access on the FedoraWorkstation.xml.old file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep firewalld /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:firewalld_t:s0 Target Context system_u:object_r:firewalld_etc_rw_t:s0 Target Objects /etc/firewalld/zones/FedoraWorkstation.xml.old [ file ] Source firewalld Source Path firewalld Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-112.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.20.0-0.rc0.git10.1.fc22.x86_64 #1 SMP Fri Feb 20 14:44:06 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-02-23 10:25:43 EST Last Seen 2015-02-23 10:25:43 EST Local ID de46e2bf-6f7b-4403-b4af-96b8183c6714 Raw Audit Messages type=AVC msg=audit(1424705143.659:755): avc: denied { relabelfrom } for pid=1080 comm="firewalld" name="FedoraWorkstation.xml.old" dev="dm-1" ino=788998 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0 Hash: firewalld,firewalld_t,firewalld_etc_rw_t,file,relabelfrom Version-Release number of selected component: selinux-policy-3.13.1-112.fc22.noarch Additional info: reporter: libreport-2.4.0 hashmarkername: setroubleshoot kernel: 3.20.0-0.rc0.git10.1.fc22.x86_64 type: libreport
commit f5a7132f4cee0ce1ea47ac4a7a7ca559a1231067 Author: Lukas Vrabec <lvrabec> Date: Thu Mar 5 15:04:17 2015 +0100 Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22
Package selinux-policy-3.13.1-116.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22 then log in and leave karma (feedback).
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.