Bug 1250537 - Deploy of roles fails with: Backup of '/etc/firewalld/zones/FedoraServer.xml' failed
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
Blocks: F23AlphaBlocker
Reported: 2015-08-05 08:20 EDT by Petr Schindler
Modified: 2015-08-06 02:02 EDT
Fixed In Version: selinux-policy-3.13.1-140.fc23
Doc Type: Bug Fix
Last Closed: 2015-08-06 02:02:07 EDT
Type: Bug

Description Petr Schindler 2015-08-05 08:20:56 EDT
Description of problem:
When I try to deploy some role with rolectl (either domaincontroller or databaseserver) it fails with the message:
Error: Backup of '/etc/firewalld/zones/FedoraServer.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraServer.xml.old'

After that the rolectl status <role name> always says 'error'

I run rolectl as root.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
I propose it as alpha blocker as it violates the criterion: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried.
Comment 1 Thomas Woerner 2015-08-05 08:32:33 EDT
Are there AVC messages (SELinux denials)? 
Is /etc read-only?
Comment 2 Stephen Gallagher 2015-08-05 08:57:18 EDT
Found AVCs, it's definitely SELinux.

type=AVC msg=audit(1438779216.611:476): avc:  denied  { relabelto } for  pid=744 comm="firewalld" name="FedoraServer.xml.old" dev="dm-0" ino=5060052 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
Comment 3 Miroslav Grepl 2015-08-05 09:27:47 EDT
commit a6718904510bf5fbca51632df8eaeae4620bdb5f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Aug 5 15:26:43 2015 +0200

    firewalld needs to relabel own config files
Comment 4 Adam Williamson 2015-08-05 12:19:43 EDT
+1 blocker, per criterion in #c0.
Comment 5 Fedora Update System 2015-08-05 12:24:56 EDT
selinux-policy-3.13.1-140.fc23 has been submitted as an update for Fedora 23.
Comment 6 Kevin Fenzi 2015-08-05 12:57:40 EDT
+1 blocker
Comment 7 Adam Williamson 2015-08-05 13:54:01 EDT
That's 3 +1s (counting sgallagh, which I reckon I can :>). Marking as accepted.
Comment 8 Stephen Gallagher 2015-08-05 13:58:41 EDT
Right, +1 blocker for the record.
Comment 9 Fedora Update System 2015-08-06 02:02:07 EDT
selinux-policy-3.13.1-140.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
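
Added example, not part of the bug thread or of the selinux-policy project: a Python parser for the AVC record quoted in Comment 2 that extracts the source and target types, checks whether the denial was enforced, and builds a candidate rule in the standard `allow source target:class perms;` form. The function names `parse_avc` and `candidate_rule` are hypothetical, and the generated rule is a triage aid, not the content of the commit in Comment 3.

```python
import re
from datetime import datetime, timezone

# AVC record copied verbatim from Comment 2 of this bug.
SAMPLE = ('type=AVC msg=audit(1438779216.611:476): avc:  denied  { relabelto } for  '
          'pid=744 comm="firewalld" name="FedoraServer.xml.old" dev="dm-0" ino=5060052 '
          'scontext=system_u:system_r:firewalld_t:s0 '
          'tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC audit record, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; quoted values lose their quotes.
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['time'] = datetime.fromtimestamp(float(m.group('epoch')), tz=timezone.utc)
    # A context is user:role:type:level; the level may itself contain ':'.
    rec['source_type'] = rec['scontext'].split(':', 3)[2]
    rec['target_type'] = rec['tcontext'].split(':', 3)[2]
    # permissive=1 means the access was logged but allowed. Records without
    # the field are treated as enforced here (an assumption of this example).
    rec['enforced'] = rec['result'] == 'denied' and rec.get('permissive', '0') == '0'
    return rec


def candidate_rule(rec):
    """Build the allow rule that would cover this denial (for review, not auto-apply)."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perm_text};"


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['time'].isoformat(), rec['comm'], rec['name'], 'enforced' if rec['enforced'] else 'permissive')
    print(candidate_rule(rec))
```

A candidate rule of this kind belongs in front of the policy maintainer, as happened in this bug; loading it locally without review can widen a domain's access more than intended.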
