Bug 804083 - firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd
firewalld is not allowed to write a temporary file to /etc/firewalld if start...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2012-03-16 09:55 EDT by Thomas Woerner
Modified: 2012-03-21 14:53 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-104.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-03-21 14:53:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Thomas Woerner 2012-03-16 09:55:04 EDT
Description of problem:
firewalld is not allowed to write a temporary file to /etc/firewalld if started with systemd. This happens if 'firewall-cmd --set-default-zone=work' is used. A temporary file gets written to store the new configuartion. Afterwards it gets moved of the old one.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start firewalld
2. firewall-cmd --set-default-zone=work
Actual results:

Expected results:
No error

Additional info:
Using setenforce=0 makes this work.
Comment 1 Daniel Walsh 2012-03-16 14:12:39 EDT
Thomas does it have content in this directory that firewalld should not be allowed to write to?
Comment 2 Daniel Walsh 2012-03-16 14:13:47 EDT
 ls -lZ /etc/firewalld/
-rw-r-----. root root system_u:object_r:etc_t:s0       firewalld.conf
drwxr-x---. root root system_u:object_r:etc_t:s0       icmptypes
drwxr-x---. root root system_u:object_r:etc_t:s0       services
drwxr-x---. root root system_u:object_r:etc_t:s0       zones

I can add labels to directories in here and give allow rules but I don't think we want to allow firewalld to write to firewalld.conf for example.
Comment 3 Thomas Woerner 2012-03-19 06:34:03 EDT
firewalld is writing to firewalld.conf to store the default zone. Everything in /etc/firewalld should be writable by firewalld.
Comment 4 Miroslav Grepl 2012-03-19 09:45:07 EDT
ok, i am adding a new type

Comment 5 Miroslav Grepl 2012-03-19 10:05:37 EDT
Fixed in -103.fc17
Comment 6 Fedora Update System 2012-03-19 13:54:41 EDT
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17.
Comment 7 Adam Williamson 2012-03-19 19:57:24 EDT
Tore Anderson suggests that this bug prevents firewalld from properly allowing DHCPv6, which makes it a Beta blocker per our recent determination that IPv6 connectivity is Beta blocking.

A live image for the purpose of testing is available at http://adamwill.fedorapeople.org/firewalld/firewalld-20120319-x86_64.iso : it has this selinux-policy, plus the firewalld and NetworkManager necessary to address other IPv6 issues.

Tore, can you please confirm my understanding here? Thanks.

Fedora Bugzappers volunteer triage team
Comment 8 Tore Anderson 2012-03-19 21:29:09 EDT
No, DHCPv6 problem I saw was (very likely) caused by bug #804587.

I don't believe this one is a blocker bug, as it (from my understanding of comment #0) is only causing manual fiddling to not work as expected - it does not affect the OOTB everything-default experience.

Comment 9 Bruno Wolff III 2012-03-19 22:13:15 EDT
Unless there is a cascading affect that causes a blocker, I don't think firewalld not working properly is itself a blocker. So I am currently -1 blocker given comment 8. Even though firewalld is a feature, this seems fixable by an update so I am -1 NTH.
Comment 10 Fedora Update System 2012-03-20 02:07:44 EDT
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 11 Jared Smith 2012-03-20 14:06:32 EDT
-1 beta blocker
Comment 12 Adam Williamson 2012-03-20 19:08:58 EDT
okay, I agree this is -1 blocker as discussed above. I've re-opened 804587 to serve as a blocker to ensure we pull selinux-policy -104 into the Beta.

Fedora Bugzappers volunteer triage team
Comment 13 Fedora Update System 2012-03-21 14:53:30 EDT
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.