Description of problem:
When I try to deploy some role with rolectl (either domaincontroller or databaseserver) it fails with the message:

Error: Backup of '/etc/firewalld/zones/FedoraServer.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraServer.xml.old'

After that the rolectl status <role name> always says 'error'. I run rolectl as root.

Version-Release number of selected component (if applicable):
rolekit-0.4.0-2.beta1.fc23.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I propose it as alpha blocker as it violates the criterion: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried.
Are there AVC messages (SELinux denials)? Is /etc read-only?
Found AVCs, it's definitely SELinux.

type=AVC msg=audit(1438779216.611:476): avc: denied { relabelto } for pid=744 comm="firewalld" name="FedoraServer.xml.old" dev="dm-0" ino=5060052 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
commit a6718904510bf5fbca51632df8eaeae4620bdb5f
Author: Miroslav Grepl <mgrepl>
Date:   Wed Aug 5 15:26:43 2015 +0200

    firewalld needs to relabel own config files BZ(#1250537)
+1 blocker, per criterion in #c0.
selinux-policy-3.13.1-140.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-140.fc23
+1 blocker
That's 3 +1s (counting sgallagh, which I reckon I can :>). Marking as accepted.
Right, +1 blocker for the record.
selinux-policy-3.13.1-140.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.