
This is probably an easy fix, but I'm not finding anything with my google-fu. Maybe pulling the wrong part of the error... Anyway, trying to just set a simple firewalld rule for inbound http.

This looks like some sort of permissions issue with the become?

I've set SELinux to permissive and found that this issue is still occurring, so I don't believe it to be SELinux related.

Servers

All systems are running Fedora 34, fully updated. All machines also have the python3-firewall package installed.

  1. Primary FreeIPA Server, (10.1.0.11)
  2. Secondary FreeIPA Server (10.1.0.12)
  3. Ansible Server (10.1.0.22)

Trying to run...

[brandonyoung@ansible01 ansible-lab01]$ ansible-playbook -K -i hosts.yml playbooks/testFirewalld.yml
BECOME password:

PLAY [IPAServers] *****************************************************************************

TASK [Gathering Facts] ************************************************************************
ok: [10.1.0.12]
ok: [10.1.0.11]

TASK [Ensure that HTTP is allowed through the firewall] ***************************************
ERROR:dbus.proxies:Introspect error on :1.6:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
fatal: [10.1.0.11]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}
ERROR:dbus.proxies:Introspect error on :1.6:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
fatal: [10.1.0.12]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}

PLAY RECAP ************************************************************************************
10.1.0.11                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.1.0.12                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Configuration

hosts.yml

unitedStates:
  children:
    city:
      children:
        ansibleServers:
          hosts:
            10.1.0.22:
        IPAServers:
          hosts:
            10.1.0.11:
            10.1.0.12:
  vars:
    ntp_server: time.nist.gov
    ansible_python_interpreter: /usr/bin/python3

playbooks/testFirewalld.yml

---
# This playbook will test some basic firewall rule enforcement using `ansible.posix.firewalld`

- hosts: IPAServers
  tasks:
    - name: Ensure that HTTP is allowed through the firewall
      ansible.posix.firewalld:
        service: http
        immediate: yes
        permanent: yes
        state: enabled
      become: yes

Output of ansible-playbook -K -i hosts.yml playbooks/testFirewalld.yml -vvv here: https://pastebin.com/ceskr5wJ

1 Answer


Firewalld typically ships with a policykit definition. Perhaps yours is missing or altered. AFAICS, the firewalld <--> polkit communication is happening.

# ls -al /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy 
lrwxrwxrwx. 1 root root 49 Jul 30 10:31 /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy -> org.fedoraproject.FirewallD1.server.policy.choice

The relevant interface is open by default with the stock configuration.

# cat /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
[..]
  <action id="org.fedoraproject.FirewallD1.info">
    <description>General firewall information</description>
    <message>System policy prevents getting general firewall information</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
[..]

You should check to make sure you don't have other polkit rules that may be causing the request to be denied. These may be provided by your distribution or admin.

erig
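The two checks the answer describes (look at the `<defaults>` of the `org.fedoraproject.FirewallD1.info` action, then look for other polkit rules that may deny the request), as an added example that is not part of the original answer. It parses a `.policy` file for a given action id, picks the `<defaults>` column that applies to a caller's session type, and does a heuristic text scan of `rules.d` directories for rules that name the FirewallD1 action prefix. The policy XML and the `.rules` content below are constructed samples modelled on the snippet quoted above, not files taken from any host; the second action and the deny rule are invented to show a non-"yes" outcome. On a real host you would pass the contents of `/usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy` to `action_defaults` and `["/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d"]` to `rules_mentioning`.

```python
# Added example (not from the original question or answer): inspect polkit
# <defaults> for a firewalld action and scan rules.d for overriding rules.
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample policy, modelled on the <action> quoted in the answer; the
# second action is invented to show a non-"yes" default.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.fedoraproject.FirewallD1.info">
    <description>General firewall information</description>
    <message>System policy prevents getting general firewall information</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.fedoraproject.FirewallD1.config">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""
# Constructed sample of an admin-supplied override (polkit rules are JavaScript).
SAMPLE_RULES = """// Constructed example: deny every FirewallD1 action for everyone.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.fedoraproject.FirewallD1") == 0) {
        return polkit.Result.NO;
    }
});
"""
# The <defaults> column polkit consults depends on the caller's session type:
# remote callers (e.g. an SSH session, as used by Ansible) fall under allow_any;
# inactive and active local console sessions use the other two columns.
SESSION_COLUMN = {"remote": "allow_any", "inactive": "allow_inactive", "active": "allow_active"}


def action_defaults(policy_xml: str, action_id: str) -> Optional[Dict[str, str]]:
    """Return the <defaults> of the <action> with the given id, or None if absent."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") == action_id:
            defaults = action.find("defaults")
            if defaults is None:
                return {}
            return {child.tag: (child.text or "").strip() for child in defaults}
    return None


def implicit_result(defaults: Dict[str, str], session: str) -> str:
    """Implicit authorization applying to a caller in the given session type."""
    return defaults.get(SESSION_COLUMN[session], "no")


def rules_mentioning(rules_dirs: List[str], prefix: str = "org.fedoraproject.FirewallD1") -> List[Dict]:
    """Heuristic text scan of *.rules files for lines naming the action prefix.
    polkitd evaluates rules files in lexicographic filename order, so an early file
    returning polkit.Result.NO overrides the policy defaults."""
    hits = []
    for rules_dir in rules_dirs:
        if not os.path.isdir(rules_dir):
            continue
        for name in sorted(os.listdir(rules_dir)):
            if not name.endswith(".rules"):
                continue
            path = os.path.join(rules_dir, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            for lineno, text in enumerate(content.splitlines(), 1):
                if prefix in text:
                    hits.append({"path": path, "line": lineno, "text": text.strip(),
                                 "file_has_deny": "polkit.Result.NO" in content})
    return hits


def demo() -> Dict:
    """Run both checks against the constructed samples in a temporary rules.d."""
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir = os.path.join(tmp, "rules.d")
        os.mkdir(rules_dir)
        with open(os.path.join(rules_dir, "10-deny-firewalld.rules"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RULES)
        hits = rules_mentioning([rules_dir])
    info = action_defaults(SAMPLE_POLICY, "org.fedoraproject.FirewallD1.info")
    return {
        "info_defaults": info,
        "info_remote": implicit_result(info, "remote"),
        "config_defaults": action_defaults(SAMPLE_POLICY, "org.fedoraproject.FirewallD1.config"),
        "missing": action_defaults(SAMPLE_POLICY, "org.fedoraproject.FirewallD1.nope"),
        "rule_hits": hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rules scan is deliberately a plain text match rather than a JavaScript evaluator: it only tells you which files to read by hand. A hit whose file also contains `polkit.Result.NO` is the first place to look when the `<defaults>` say `yes` but the D-Bus call is still rejected with `NotAuthorizedException`.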