unpushed

firewalld-2.2.0-1.fc41

FEDORA-2024-3766dd8914 created by erig0 2 months ago for Fedora 41

Automatic update for firewalld-2.2.0-1.fc41.

Changelog
* Fri Jul 12 2024 Eric Garver <eric@garver.life> - 2.2.0-1
- rebase package to v2.2.0

This update was automatically created

2 months ago

This update's test gating status has been changed to 'waiting'.

2 months ago

This update's test gating status has been changed to 'failed'.

2 months ago
adamwill commented & provided feedback 2 months ago

This seems to be failing because of permission issues on /etc/firewalld/zones. All the tests fail trying to run firewall-cmd --permanent --add-service commands, which error out with something like:

Error: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraServer.xml'

This is even though they're running the command as root. Seems like maybe either /etc/firewalld/zones or individual files within it are getting created as read-only?

Oh, no, it's an SELinux denial - but it only happens with this new firewalld, it does not happen with the old version. This is the denial that seems to cause this specific problem:

Jul 12 14:23:25 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[733]: AVC avc:  denied  { add_name } for  pid=733 comm="firewalld" name="internal.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0

With SELinux in permissive mode, the commands work, but obviously that's not an acceptable fix.

Additionally, there are a lot of other AVCs to do with firewalld logged with this new version, none of which appeared with the old version. Here's the full list:

Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { nnp_transition } for  pid=733 comm="(irewalld)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process2 permissive=0
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { ioctl } for  pid=733 comm="firewalld" path="/usr/sbin/firewalld" dev="vda3" ino=50610 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { ioctl } for  pid=733 comm="firewalld" path="/usr/sbin/firewalld" dev="vda3" ino=50610 ioctlcmd=0x5451 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { ioctl } for  pid=733 comm="firewalld" path="/usr/sbin/firewalld" dev="vda3" ino=50610 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { append } for  pid=733 comm="firewalld" name="firewalld" dev="vda3" ino=47880 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_var_log_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[744]: AVC avc:  denied  { nnp_transition } for  pid=744 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[744]: AVC avc:  denied  { execute_no_trans } for  pid=744 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[746]: AVC avc:  denied  { nnp_transition } for  pid=746 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[746]: AVC avc:  denied  { execute_no_trans } for  pid=746 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[747]: AVC avc:  denied  { nnp_transition } for  pid=747 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[747]: AVC avc:  denied  { execute_no_trans } for  pid=747 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[748]: AVC avc:  denied  { nnp_transition } for  pid=748 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[748]: AVC avc:  denied  { execute_no_trans } for  pid=748 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[749]: AVC avc:  denied  { nnp_transition } for  pid=749 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[749]: AVC avc:  denied  { execute_no_trans } for  pid=749 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[750]: AVC avc:  denied  { nnp_transition } for  pid=750 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[750]: AVC avc:  denied  { execute_no_trans } for  pid=750 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[751]: AVC avc:  denied  { nnp_transition } for  pid=751 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[751]: AVC avc:  denied  { execute_no_trans } for  pid=751 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[752]: AVC avc:  denied  { nnp_transition } for  pid=752 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[752]: AVC avc:  denied  { execute_no_trans } for  pid=752 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[753]: AVC avc:  denied  { nnp_transition } for  pid=753 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[753]: AVC avc:  denied  { execute_no_trans } for  pid=753 comm="firewalld" path="/usr/sbin/ipset" dev="vda3" ino=32608 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[760]: AVC avc:  denied  { nnp_transition } for  pid=760 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[760]: AVC avc:  denied  { execute_no_trans } for  pid=760 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[761]: AVC avc:  denied  { nnp_transition } for  pid=761 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[761]: AVC avc:  denied  { execute_no_trans } for  pid=761 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[762]: AVC avc:  denied  { nnp_transition } for  pid=762 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[762]: AVC avc:  denied  { execute_no_trans } for  pid=762 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[763]: AVC avc:  denied  { nnp_transition } for  pid=763 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[763]: AVC avc:  denied  { execute_no_trans } for  pid=763 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[764]: AVC avc:  denied  { nnp_transition } for  pid=764 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[764]: AVC avc:  denied  { execute_no_trans } for  pid=764 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[765]: AVC avc:  denied  { nnp_transition } for  pid=765 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[765]: AVC avc:  denied  { execute_no_trans } for  pid=765 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[766]: AVC avc:  denied  { nnp_transition } for  pid=766 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[766]: AVC avc:  denied  { execute_no_trans } for  pid=766 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[767]: AVC avc:  denied  { nnp_transition } for  pid=767 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[767]: AVC avc:  denied  { execute_no_trans } for  pid=767 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[768]: AVC avc:  denied  { nnp_transition } for  pid=768 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[768]: AVC avc:  denied  { execute_no_trans } for  pid=768 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[769]: AVC avc:  denied  { nnp_transition } for  pid=769 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[769]: AVC avc:  denied  { execute_no_trans } for  pid=769 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[770]: AVC avc:  denied  { nnp_transition } for  pid=770 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[770]: AVC avc:  denied  { execute_no_trans } for  pid=770 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[771]: AVC avc:  denied  { nnp_transition } for  pid=771 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[771]: AVC avc:  denied  { execute_no_trans } for  pid=771 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[772]: AVC avc:  denied  { nnp_transition } for  pid=772 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[772]: AVC avc:  denied  { execute_no_trans } for  pid=772 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:23:25 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[733]: AVC avc:  denied  { add_name } for  pid=733 comm="firewalld" name="internal.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0

Note, this happens with both selinux-policy-41.3 and 41.8.
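The denials quoted in the comment above read as one root cause plus its consequences rather than dozens of separate policy gaps. The kernel only checks `process2 nnp_transition` when the exec'ing process has `no_new_privs` set, so the first record is systemd (init_t) trying to transition into firewalld_t under NoNewPrivileges and the loaded policy refusing; the exec still goes ahead in the old domain, which is why every later record has scontext init_t with comm="firewalld". init_t has no rule letting it append to firewalld_var_log_t, create entries in firewalld_etc_rw_t, or execute xtables-nft-multi without a transition, and that is exactly the rest of the list. The script below is an added triage example, not firewalld or Fedora code: it parses AVC records in the format shown, separates blocked-transition denials from the cascade, and emits only the transition rules as candidate fixes. The sample records are a constructed subset of the lines in the comment; the function names and the heuristic of treating every non-transition denial from a blocked source domain as a consequence are this example's own.

```python
import re
from collections import Counter

# Constructed sample: five of the AVC records quoted in the comment above,
# enough to show one blocked transition per target domain plus the cascade.
SAMPLE_AVCS = """\
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { nnp_transition } for  pid=733 comm="(irewalld)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process2 permissive=0
Jul 12 14:22:50 fedora audit[733]: AVC avc:  denied  { append } for  pid=733 comm="firewalld" name="firewalld" dev="vda3" ino=47880 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_var_log_t:s0 tclass=file permissive=0
Jul 12 14:22:51 fedora audit[744]: AVC avc:  denied  { nnp_transition } for  pid=744 comm="firewalld" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=0
Jul 12 14:22:51 fedora audit[744]: AVC avc:  denied  { execute_no_trans } for  pid=744 comm="firewalld" path="/usr/sbin/xtables-nft-multi" dev="vda3" ino=32306 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
Jul 12 14:23:25 fedora audit[733]: AVC avc:  denied  { add_name } for  pid=733 comm="firewalld" name="internal.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0
"""

# Shape of a record: avc:  denied  { perm perm } for  key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one audit/journal line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    # A context is user:role:type:level; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def blocked_transitions(records):
    """(source_type, target_type) pairs where a domain transition was refused.

    The kernel checks process2:nnp_transition only when the caller has no_new_privs
    set, and on denial the exec still proceeds, in the old domain. Each pair here
    therefore means "something meant to run as target_type is running as source_type"."""
    return sorted({(r["scontext_type"], r["tcontext_type"]) for r in records
                   if r["result"] == "denied" and r.get("tclass") == "process2"
                   and "nnp_transition" in r["perms"]})


def consequential_denials(records):
    """Every other denial whose source domain failed to transition, counted per
    (source, target, class, permission).

    Heuristic of this example: once a daemon is stuck in init_t, denials from init_t
    against the daemon's own file and exec types are symptoms, not missing policy."""
    stuck = {src for src, _ in blocked_transitions(records)}
    counts = Counter()
    for r in records:
        if r["result"] != "denied" or "nnp_transition" in r["perms"]:
            continue
        if r["scontext_type"] in stuck:
            for perm in r["perms"]:
                counts[(r["scontext_type"], r["tcontext_type"], r["tclass"], perm)] += 1
    return counts


def root_cause_rules(records):
    """Candidate policy rules for the blocked transitions only.

    Deliberately emits nothing for the cascade: an audit2allow-style
    'allow init_t firewalld_etc_rw_t:dir add_name;' would make the error go away by
    letting the daemon keep running as init_t instead of in its own domain, which is
    the opposite of what the policy is for."""
    return [f"allow {src} {dst}:process2 nnp_transition;"
            for src, dst in blocked_transitions(records)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVCS)
    print("blocked transitions:", blocked_transitions(recs))
    for key, n in sorted(consequential_denials(recs).items()):
        print("cascade: %s -> %s:%s %s (%d)" % (key + (n,)))
    print("\n".join(root_cause_rules(recs)))
```

On the affected machine the same diagnosis takes three commands: `systemctl show firewalld -p NoNewPrivileges` (an `nnp_transition` AVC implies the flag was in effect, whether set directly or implied by another sandboxing directive in the unit), `ps -eZ | grep firewalld` (expect `firewalld_t`, not `init_t`), and `sesearch -A -s init_t -t firewalld_t -c process2 -p nnp_transition` to confirm the loaded policy lacks the rule. The fix belongs either in selinux-policy, which has an `init_nnp_daemon_domain()` interface for exactly this case, or in the unit file by not enabling NoNewPrivileges until the policy permits the transition; running the whole list through audit2allow would instead grant init_t the daemon's permissions and leave firewalld permanently outside its domain.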

This update has been unpushed.

I have no idea why this update would trigger new AVC issues. I've unpushed it. I don't have time to debug and will be on vacation next week.



Metadata
Type: unspecified
Karma: -1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: 0 days
Dates
submitted: 2 months ago
in testing: 2 months ago
