Bug 804587 - firewall-cmd --get-active-zones returns nothing
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Blocks: F17Beta/F17BetaBlocker
Reported: 2012-03-19 06:50 EDT by Pavel Šimerda (pavlix)
Modified: 2012-03-21 23:59 EDT
Fixed In Version: selinux-policy-3.10.0-93.fc17
Doc Type: Bug Fix
Last Closed: 2012-03-21 17:58:29 EDT
Description Pavel Šimerda (pavlix) 2012-03-19 06:50:02 EDT
Testing https://fedoraproject.org/wiki/QA:Testcase_firewalld_and_NetworkManager

Expected results:

firewall-cmd --get-active-zones

The output should look like this ('em1' is used as an example):
public: em1

Actual results:

[root@dragon ~]# firewall-cmd --get-active-zones
[root@dragon ~]#
Comment 1 Jiri Popelka 2012-03-19 06:56:50 EDT
Does it change when you turn off SELinux (setenforce 0) and restart firewalld (systemctl restart firewalld.service)?
Comment 2 Jiri Popelka 2012-03-19 07:09:21 EDT
Could be the same SELinux problem that I see:

Mar 19 11:50:56 localhost NetworkManager[343]: <warn> (eth1) firewall zone add/change failed: (9) An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.4" (uid=0 pid=343 comm="/usr/sbin/NetworkManager --no-daemon --log-level=D") interface="org.fedoraproject.FirewallD1.zone" member="addInterface" error name="(unset)" requested_reply="0" destination="org.fedoraproject.FirewallD1" (uid=0 pid=331 comm="/usr/bin/python /usr/sbin/firewalld --nofork --deb")

We should probably put a warning on https://fedoraproject.org/wiki/QA:Testcase_firewalld_and_NetworkManager
Comment 3 Thomas Woerner 2012-03-19 07:28:03 EDT
I have two fully updated F-17 test machines. On both there is no problem with the interaction of firewalld and NetworkManager. Is the system updated completely (all testing packages applied)?
Comment 4 Jiri Popelka 2012-03-19 07:58:20 EDT
All right, updating to selinux-policy-3.10.0-95.fc17 (from updates-testing) fixes the problem for me.
This should be mentioned on the 'Test case 3' page.
Comment 5 Jiri Popelka 2012-03-19 08:33:57 EDT
From selinux-policy-3.10.0-93.fc17 changelog:
- Allow firewalld to dbus chat with networkmanager
Comment 6 Pavel Šimerda (pavlix) 2012-03-19 18:26:54 EDT
Comment 7 Adam Williamson 2012-03-20 19:08:00 EDT
Re-opening this, because -93 was never pushed stable. -95 was submitted as an update but never made it to stable. -104 is pending push to stable. Re-opening this and proposing as a blocker: this is (I believe) the correct bug to track that we need at least selinux-policy -93 in the Beta (we'll actually take 104) to make sure IPv6 works.

Fedora Bugzappers volunteer triage team
Comment 8 Thomas Woerner 2012-03-21 14:12:44 EDT
Reassigning to selinux-policy.
Comment 9 Adam Williamson 2012-03-21 17:58:29 EDT
selinux-policy 104 went stable, so closing again.

Fedora Bugzappers volunteer triage team
Comment 10 Bruno Wolff III 2012-03-21 22:37:37 EDT
-1 blocker -1 NTH. Unless there are follow-on effects to this issue, I don't think this hits any criteria.
Comment 11 Adam Williamson 2012-03-21 23:59:50 EDT
bruno: it prevented IPv6 working out-of-the-box (one among several bugs of this kind).

Fedora Bugzappers volunteer triage team
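
The log message quoted in Comment 2 names both D-Bus peers, the interface and the method that the SELinux policy refused. As an added example (not part of the bug report or of any Fedora tool), the following Python code extracts those fields from syslog lines and counts denials per sender, destination and method; the function names are hypothetical, and the sample input reuses the Comment 2 line plus two constructed lines.

```python
import re
from collections import Counter

# The denial quoted in Comment 2, with the interface name made a placeholder.
DENIAL = (
    'Mar 19 11:50:56 localhost NetworkManager[343]: <warn> ({iface}) firewall zone '
    'add/change failed: (9) An SELinux policy prevents this sender from sending this '
    'message to this recipient, 0 matched rules; type="method_call", sender=":1.4" '
    '(uid=0 pid=343 comm="/usr/sbin/NetworkManager --no-daemon --log-level=D") '
    'interface="org.fedoraproject.FirewallD1.zone" member="addInterface" '
    'error name="(unset)" requested_reply="0" destination="org.fedoraproject.FirewallD1" '
    '(uid=0 pid=331 comm="/usr/bin/python /usr/sbin/firewalld --nofork --deb")')
# Constructed sample: line 1 is as reported, lines 2 and 3 are made up.
SAMPLE = [DENIAL.format(iface="eth1"), DENIAL.format(iface="em1"),
          "Mar 19 11:50:57 localhost NetworkManager[343]: <info> (eth1) unrelated line"]

MARKER = "An SELinux policy prevents this sender from sending this message"
PEER = (r'{0}="(?P<{0}>[^"]*)" \(uid=(?P<{0}_uid>\d+) pid=(?P<{0}_pid>\d+) '
        r'comm="(?P<{0}_comm>[^"]*)"\)')
FIELDS = [re.compile(PEER.format("sender")), re.compile(PEER.format("destination")),
          re.compile(r'interface="(?P<interface>[^"]*)"'),
          re.compile(r'member="(?P<member>[^"]*)"')]

def program(comm):
    """Best-effort program name from the truncated command line in the log."""
    words = comm.split()
    if len(words) > 1 and words[0].rsplit("/", 1)[-1].startswith("python"):
        words = words[1:]  # interpreter comes first: the script is the service
    return words[0].rsplit("/", 1)[-1] if words else "?"

def parse_denial(line):
    """Return the denial's fields as a dict, or None if the line is not one."""
    if MARKER not in line:
        return None
    rec = {}
    for rx in FIELDS:
        m = rx.search(line)
        if m is None:
            return None  # marker present but layout unexpected: do not guess
        rec.update(m.groupdict())
    return rec

def summarize(lines):
    """Count denials per (sender program, destination bus name, method)."""
    counts = Counter()
    for rec in filter(None, map(parse_denial, lines)):
        method = rec["interface"] + "." + rec["member"]
        counts[(program(rec["sender_comm"]), rec["destination"], method)] += 1
    return counts

if __name__ == "__main__":
    for (sender, dest, method), n in summarize(SAMPLE).items():
        print(f"{n}x {sender} -> {dest} {method} refused by SELinux D-Bus policy")
```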
