Created attachment 1150091 [details]
conversation on irc with solution

Description of problem:
I have installed firewalld on the Fedora 23 image that Digital Ocean provides. While I can install firewalld, I cannot start it.

How reproducible:
Every time

Steps to Reproduce:
1. After the initial Fedora install, run dnf install firewalld firewall-config
2. systemctl enable firewalld
3. systemctl start firewalld

Actual results:
When you run systemctl start firewalld, you get:

Job for firewalld.service failed because the control process exited with error code. See "systemctl status firewalld.service" and "journalctl -xe" for details.

In journalctl, you see:

Apr 24 06:35:00 fourth audit[10684]: AVC avc: denied { create } for pid=10684 comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Apr 24 06:35:00 fourth /firewalld[10684]: FATAL ERROR: Fork #1 failed: 13 (Permission denied)
Apr 24 06:35:00 fourth /firewalld[10684]: ERROR: Traceback (most recent call last):
  File "/usr/sbin/firewalld", line 128, in startup
    os.mkdir(config.FIREWALLD_TEMPDIR, 0o750)
PermissionError: [Errno 13] Permission denied: '/run/firewalld'
Apr 24 06:35:00 fourth systemd[1]: firewalld.service: Main process exited, code=exited, status=1/FAILURE
Apr 24 06:35:00 fourth systemd[1]: Failed to start firewalld - dynamic firewall daemon.

If you dig into the SELinux logs you get:

avc: denied { create } for pid=849 comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0

Expected results:
That firewalld would start

Additional info:
I have attached a conversation I had with a person on the Fedora IRC. Their instructions did get firewalld working in the end, but he recommended submitting a Fedora bug. Also I have opened a bug at digitalocean, but they have also told me to submit a Fedora bug.
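As an added triage aid (not part of the bug report or of firewalld), a small shell helper that parses AVC denial lines like the one above and summarizes source domain, permission, object class and target type. The sample line is copied from the journal excerpt; the classification rule (a confined daemon denied creating a dir under the generic var_run_t type is a labeling/policy gap, not an intrusion) is an assumption for this example.

```shell
#!/usr/bin/env bash
# Added AVC triage helper; not from the bug report or from firewalld.
# Assumes lines follow the audit "AVC avc: denied { perm } ... key=value" format.

# Constructed sample: the denial line from the journal excerpt in the report.
SAMPLE_AVC='Apr 24 06:35:00 fourth audit[10684]: AVC avc: denied { create } for pid=10684 comm="firewalld" name="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0'

# Print the value of key=value field $2 from AVC line $1 (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the denied permission(s) found between "{" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# Print the SELinux type (third colon-separated field) of a full context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Summarize one denial as "source_type permission class target_type".
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$src" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$tgt"
}

# Classify the denial (assumed rule): a confined daemon type that cannot
# create its own directory on the generic var_run_t type means the policy
# lacks a file context / transition for that daemon's /run directory.
avc_classify() {
    summary=$(avc_summary "$1")
    case "$summary" in
        *_t\ create\ dir\ var_run_t)
            echo "policy-gap: daemon cannot create its /run directory (generic var_run_t target)" ;;
        *)
            echo "other: $summary" ;;
    esac
}

avc_summary "$SAMPLE_AVC"    # firewalld_t create dir var_run_t
avc_classify "$SAMPLE_AVC"
```

Feed it real lines with something like `journalctl -k | grep 'avc: denied'` (or ausearch output) one line at a time; the summary makes it easy to group denials by source and target type before deciding whether a label fix or a policy update is needed.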
Which firewalld version are you using?
I am not particularly experienced with Linux, how do I find out what version of firewalld I have installed? When I install it via dnf, it seems to be grabbing 0.4.0. I haven't changed the default dnf repo on my installation.
To get the firewalld package version use: rpm -q firewalld
Thanks Thomas, it is what dnf was grabbing: firewalld-0.4.0-2.fc23.noarch
Which selinux-policy version is installed?
I ran sestatus and it gave me Max kernel policy version: 29. Is that the version number you are after?
Please add the output of rpm -q selinux-policy
This is the output selinux-policy-3.13.1-152.fc23.noarch
What is the output of ls -Z /usr/sbin/firewalld

It should be:

system_u:object_r:firewalld_exec_t:s0 /usr/sbin/firewalld

If the context is not correct, you can use

restorecon -rvF $(rpm -qla "*firewall*")

to reset the contexts of all firewall specific files.
ls -Z /usr/sbin/firewalld outputs:

system_u:object_r:firewalld_exec_t:s0 /usr/sbin/firewalld

I did run restorecon -rvF $(rpm -qla "*firewall*"), and it made no difference.
There has been an selinux-policy update that addresses this. Please verify if this is working for you.
Thanks Thomas, my apologies for not getting back to this sooner, but this has resolved the issue. Thanks.
Closing due to comment 12.