Bug 804083 - firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard: RejectedBlocker
Depends On:
Blocks:
 
Reported: 2012-03-16 13:55 UTC by Thomas Woerner
Modified: 2012-03-21 18:53 UTC (History)

Fixed In Version: selinux-policy-3.10.0-104.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-21 18:53:30 UTC
Type: ---
Embargoed:



Description Thomas Woerner 2012-03-16 13:55:04 UTC
Description of problem:
firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd. This happens if 'firewall-cmd --set-default-zone=work' is used. A temporary file gets written to store the new configuration. Afterwards it gets moved over the old one.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-95.fc17.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start firewalld
2. firewall-cmd --set-default-zone=work
  
Actual results:
Error

Expected results:
No error

Additional info:
Using setenforce=0 makes this work.

Comment 1 Daniel Walsh 2012-03-16 18:12:39 UTC
Thomas does it have content in this directory that firewalld should not be allowed to write to?

Comment 2 Daniel Walsh 2012-03-16 18:13:47 UTC
 ls -lZ /etc/firewalld/
-rw-r-----. root root system_u:object_r:etc_t:s0       firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0       icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0       services
drwxr-x---. root root system_u:object_r:etc_t:s0       zones


I can add labels to directories in here and give allow rules but I don't think we want to allow firewalld to write to firewalld.conf for example.

Comment 3 Thomas Woerner 2012-03-19 10:34:03 UTC
firewalld is writing to firewalld.conf to store the default zone. Everything in /etc/firewalld should be writable by firewalld.

Comment 4 Miroslav Grepl 2012-03-19 13:45:07 UTC
OK, I am adding a new type

firewalld_etc_rw_t
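
As an added illustration (not code from the bug, from firewalld or from selinux-policy), the following script covers the two points raised above: it parses `ls -lZ` output of the shape shown in comment 2 and flags entries whose SELinux type is not the `firewalld_etc_rw_t` type introduced in comment 4 (useful for spotting files that still need a `restorecon` after the policy update), and it reproduces the write-temp-file-then-rename pattern from the description, which is why the writing domain needs create/rename permission on the directory's type rather than just write access to firewalld.conf. The sample listing is constructed from the page; the `zones` line is altered to show one correctly labelled entry.

```python
import os
import re
import tempfile

# The dedicated type the fix introduces for /etc/firewalld content.
EXPECTED_TYPE = "firewalld_etc_rw_t"

# Constructed sample based on the `ls -lZ /etc/firewalld/` output in comment 2;
# only `zones` has been relabelled here, the rest still carry etc_t.
SAMPLE_LS_LZ = """\
-rw-r-----. root root system_u:object_r:etc_t:s0       firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0       icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0       services
drwxr-x---. root root system_u:object_r:firewalld_etc_rw_t:s0 zones
"""

# mode, owner, group, user:role:type:level, name
LS_LZ_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<ctx>\S+:\S+:\S+:\S+)\s+(?P<name>.+)$")


def mislabelled(ls_output, expected=EXPECTED_TYPE):
    """Return (name, type) for entries whose SELinux type is not `expected`."""
    bad = []
    for line in ls_output.splitlines():
        m = LS_LZ_RE.match(line.strip())
        if not m:
            continue  # skip the command line or anything not in ls -lZ shape
        seltype = m.group("ctx").split(":")[2]
        if seltype != expected:
            bad.append((m.group("name"), seltype))
    return bad


def replace_config_atomically(path, content):
    """Write to a temp file in the same directory, then rename it over `path`.

    The temp file inherits the directory's label, so the writer needs
    create/write/rename on that type, not merely write on the old file.
    """
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)  # single-step replacement of the old file
    except OSError:
        os.unlink(tmp)  # e.g. EACCES from a denial: leave no stray temp file behind
        raise
    return path


def demo_set_default_zone():
    """Constructed round trip mimicking what --set-default-zone does to firewalld.conf."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firewalld.conf")
        with open(path, "w") as fh:
            fh.write("DefaultZone=public\n")
        replace_config_atomically(path, "DefaultZone=work\n")
        with open(path) as fh:
            return fh.read(), sorted(os.listdir(d))
```

On a real host, `mislabelled(subprocess.check_output(["ls", "-lZ", "/etc/firewalld"], text=True))` gives the list of paths to relabel.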

Comment 5 Miroslav Grepl 2012-03-19 14:05:37 UTC
Fixed in -103.fc17

Comment 6 Fedora Update System 2012-03-19 17:54:41 UTC
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17

Comment 7 Adam Williamson 2012-03-19 23:57:24 UTC
Tore Anderson suggests that this bug prevents firewalld from properly allowing DHCPv6, which makes it a Beta blocker per our recent determination that IPv6 connectivity is Beta blocking.

A live image for the purpose of testing is available at http://adamwill.fedorapeople.org/firewalld/firewalld-20120319-x86_64.iso : it has this selinux-policy, plus the firewalld and NetworkManager necessary to address other IPv6 issues.

Tore, can you please confirm my understanding here? Thanks.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 8 Tore Anderson 2012-03-20 01:29:09 UTC
No, the DHCPv6 problem I saw was (very likely) caused by bug #804587.

I don't believe this one is a blocker bug, as it (from my understanding of comment #0) is only causing manual fiddling to not work as expected - it does not affect the OOTB everything-default experience.

Tore

Comment 9 Bruno Wolff III 2012-03-20 02:13:15 UTC
Unless there is a cascading effect that causes a blocker, I don't think firewalld not working properly is itself a blocker. So I am currently -1 blocker given comment 8. Even though firewalld is a feature, this seems fixable by an update so I am -1 NTH.

Comment 10 Fedora Update System 2012-03-20 06:07:44 UTC
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).

Comment 11 Jared Smith 2012-03-20 18:06:32 UTC
-1 beta blocker

Comment 12 Adam Williamson 2012-03-20 23:08:58 UTC
okay, I agree this is -1 blocker as discussed above. I've re-opened 804587 to serve as a blocker to ensure we pull selinux-policy -104 into the Beta.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 13 Fedora Update System 2012-03-21 18:53:30 UTC
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

