Description of problem:
firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd. This happens if 'firewall-cmd --set-default-zone=work' is used. A temporary file gets written to store the new configuration. Afterwards it gets moved over the old one.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-95.fc17.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start firewalld
2. firewall-cmd --set-default-zone=work

Actual results:
Error

Expected results:
No error

Additional info:
Using setenforce=0 makes this work.
Thomas does it have content in this directory that firewalld should not be allowed to write to?
ls -lZ /etc/firewalld/
-rw-r-----. root root system_u:object_r:etc_t:s0 firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0 icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0 services
drwxr-x---. root root system_u:object_r:etc_t:s0 zones

I can add labels to directories in here and give allow rules but I don't think we want to allow firewalld to write to firewalld.conf for example.
firewalld is writing to firewalld.conf to store the default zone. Everything in /etc/firewalld should be writable by firewalld.
ok, I am adding a new type firewalld_etc_rw_t
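To triage a report like this one, the following is an added example (not code from the bug thread, firewalld or selinux-policy) that reduces an AVC denial record to the facts that decide between a relabel and a policy change, and checks whether the entries of /etc/firewalld carry the writable type named in the comment above. The listing is copied from comment 3; the AVC line is constructed, and firewalld_etc_rw_t is assumed to be the type the fixed policy applies.

```shell
#!/bin/sh
# Constructed copy of the `ls -lZ /etc/firewalld/` listing quoted in the bug
# (every entry still carries the generic etc_t type, i.e. before the policy fix).
SAMPLE_LS='-rw-r-----. root root system_u:object_r:etc_t:s0 firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0 icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0 services
drwxr-x---. root root system_u:object_r:etc_t:s0 zones'

# Constructed AVC record of the kind such a denied write leaves in
# /var/log/audit/audit.log; pid, inode, device and timestamp are made up.
SAMPLE_AVC='type=AVC msg=audit(1332170000.123:456): avc:  denied  { write } for  pid=1234 comm="firewalld" name="firewalld" dev="dm-0" ino=12345 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir'

# check_labels LISTING [EXPECTED_TYPE]
# Prints "name: type" for every entry of an `ls -lZ`-style listing whose
# SELinux type (third field of the context) is not EXPECTED_TYPE, which
# defaults to firewalld_etc_rw_t (assumed to be what the fixed policy applies).
# Exit status is 0 when all entries match, 1 when any entry needs relabelling.
check_labels() {
    expected=${2:-firewalld_etc_rw_t}
    printf '%s\n' "$1" | awk -v want="$expected" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) { print $5 ": " ctx[3]; bad++ }
        }
        END { exit (bad > 0) }'
}

# avc_summary AVC_LINE
# Reduces one AVC record to "comm perms tclass source_type -> target_type":
# enough to tell a wrong label (fixed with restorecon) from a missing allow
# rule (fixed with a policy update, as in this bug).
avc_summary() {
    printf '%s\n' "$1" | awk '
        {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { gsub(/"/, "", kv[2]); comm = kv[2] }
                if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
                if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            print comm " " perms " " tclass " " src " -> " tgt
        }'
}

# Stand-alone run: summarise the denial, then list entries still labelled etc_t.
avc_summary "$SAMPLE_AVC"
check_labels "$SAMPLE_LS" || echo "relabel needed: restorecon -Rv /etc/firewalld after updating the policy"
```

On a real system, feed `check_labels "$(ls -lZ /etc/firewalld/)"` and `ausearch -m avc -c firewalld` output to the two functions instead of the constructed samples.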
Fixed in -103.fc17
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17
Tore Anderson suggests that this bug prevents firewalld from properly allowing DHCPv6, which makes it a Beta blocker per our recent determination that IPv6 connectivity is Beta blocking. A live image for the purpose of testing is available at http://adamwill.fedorapeople.org/firewalld/firewalld-20120319-x86_64.iso : it has this selinux-policy, plus the firewalld and NetworkManager necessary to address other IPv6 issues. Tore, can you please confirm my understanding here? Thanks.

-- Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
No, the DHCPv6 problem I saw was (very likely) caused by bug #804587. I don't believe this one is a blocker bug, as it (from my understanding of comment #0) is only causing manual fiddling to not work as expected - it does not affect the OOTB everything-default experience.

Tore
Unless there is a cascading effect that causes a blocker, I don't think firewalld not working properly is itself a blocker. So I am currently -1 blocker given comment 8. Even though firewalld is a feature, this seems fixable by an update so I am -1 NTH.
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).
-1 beta blocker
okay, I agree this is -1 blocker as discussed above. I've re-opened 804587 to serve as a blocker to ensure we pull selinux-policy -104 into the Beta.

-- Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.