Description of problem:
Changing the permanent firewalld settings
SELinux is preventing firewalld from 'relabelto' accesses on the file FedoraWorkstation.xml.old.

*****  Plugin catchall (100. confidence) suggests   **************************

If вы считаете, что firewalld следует разрешить доступ relabelto к FedoraWorkstation.xml.old file по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                unconfined_u:object_r:firewalld_etc_rw_t:s0
Target Objects                FedoraWorkstation.xml.old [ file ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   4
First Seen                    2015-11-20 10:20:52 YEKT
Last Seen                     2015-11-20 10:22:23 YEKT
Local ID                      69b04a08-facd-4751-8d1d-b4ea6a2ea219

Raw Audit Messages
type=AVC msg=audit(1447996943.903:1905): avc: denied { relabelto } for pid=974 comm="firewalld" name="FedoraWorkstation.xml.old" dev="dm-0" ino=3934719 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0

Hash: firewalld,firewalld_t,firewalld_etc_rw_t,file,relabelto

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport
Description of problem:
Changing samba permanent firewalld settings

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport
Description of problem:
Changing firewalld permanent samba settings

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport
This seems to prevent firewall-config from updating its saved configuration until the FedoraWorkstation.xml.old file is removed or renamed. restorecon doesn't fix it.

[root@localhost zones]# ls -lZ
total 60
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Mar 31 22:26 FedoraServer.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Oct 30 01:23 FedoraServer.xml.old
-rw-rw-r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     655 Oct 30 01:23 FedoraWorkstation.xml
-rw-rw-r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 655 Oct 30 01:23 FedoraWorkstation.xml.old
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     369 Oct 30 01:23 home.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     384 Oct 30 01:23 internal.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     340 Oct 30 01:23 public.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     336 Oct 30 01:23 work.xml
In my last comment I forgot to mention that the AVC occurred when hitting the 'Runtime to Permanent' button.

selinux-policy-3.13.1-158.11.fc23.noarch

type=AVC msg=audit(1459459560.489:4052): avc: denied { relabelfrom } for pid=1340 comm="firewalld" name="FedoraWorkstation.xml.old" dev="dm-2" ino=665862 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
Description of problem:
Changing firewalld settings to permanent

Version-Release number of selected component:
selinux-policy-3.13.1-158.11.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-300.fc23.x86_64
type:           libreport
Description of problem:
Setting runtime to permanent in firewall-config after authenticating as root

Version-Release number of selected component:
selinux-policy-3.13.1-158.11.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-300.fc23.x86_64
type:           libreport
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
*** This bug has been marked as a duplicate of bug 1391283 ***