This update was automatically created
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
This seems to be failing because of permission issues on /etc/firewalld/zones. All the tests fail trying to run firewall-cmd --permanent --add-service commands, which error out with something like:
Error: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraServer.xml'
This is even though they're running the command as root. Seems like maybe either /etc/firewalld/zones or individual files within it are getting created as read-only?
Oh, no, it's an SELinux denial - but it only happens with this new firewalld, it does not happen with the old version. This is the denial that seems to cause this specific problem:
with SELinux in permissive mode, the commands work, but obviously that's not an acceptable fix.
Additionally, there are a lot of other AVCs to do with firewalld logged with this new version, none of which appeared with the old version. Here's the full list:
Note, this happens with both selinux-policy-41.3 and 41.8.
This update has been unpushed.
I have no idea why this update would trigger new AVC issues. I unpushed it. I don't have time to debug and will be on vacation next week.