[DSE-Dev] Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working

Paul Menzel pm.debian at googlemail.com
Thu Aug 10 19:12:33 UTC 2017


Package: selinux-policy-default
Version: 2:2.20161023.1-10
Severity: normal


Dear Debian folks,


Running `systemd-analyze critical-chain` and `systemctl status sysstat`
 – even as root – fails.

```
$ sudo systemd-analyze critical-chain
Failed to parse reply: Access denied
$ sudo systemctl status sysstat
Failed to get properties: Access denied
```

The messages below are logged in `/var/log/audit/audit.log`.

```
type=USER_AVC msg=audit(1502388774.763:469093): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemd-analyze critical-chain" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[…]
type=USER_AVC msg=audit(1502388969.411:469366): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl status sysstat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

The labels of some files in `/etc/init.d/` also differ.

Some are just labeled with `initrc_exec_t`, while others seem to have
their name in it.

```
-rwxr-xr-x. 1 root root system_u:object_r:sysstat_initrc_exec_t:s0    1597 May 25 20:26 sysstat
```

For “services”, like xinetd, whose label is `initrc_exec_t`, `systemctl
status` works.


Thanks,

Paul
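
To triage records like the two quoted in the report, the Python below parses the nested `msg='avc: ...'` payload of USER_AVC records and groups the denials by source type, target type, class and permission. It is an added example, not part of the original message or of any Debian or SELinux tool; the function names are made up for illustration and the third sample line is constructed.

```python
import re
from collections import defaultdict

# The first two records are the ones quoted in the report; the SYSCALL line is
# constructed here to show that unrelated records are skipped.
SAMPLE = """\
type=USER_AVC msg=audit(1502388774.763:469093): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemd-analyze critical-chain" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1502388969.411:469366): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl status sysstat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1502388969.500:469367): arch=c000003e syscall=2 success=yes
"""

# Userspace AVCs (here from systemd, pid 1) wrap the denial in a second msg='...'.
RECORD = re.compile(r"^type=USER_AVC\b.*?\bmsg='avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)'\s*$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line):
    """Return the fields of one denied USER_AVC record, or None for other lines."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    fields["perms"] = m.group(1).split()  # the braces may hold several permissions
    return fields


def selinux_type(context):
    """user:role:type:level -> type (the level itself may contain more colons)."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_user_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
                   rec["tclass"], perm)
            groups[key].add((rec.get("path"), rec.get("cmdline")))
    return {key: sorted(hits) for key, hits in groups.items()}


if __name__ == "__main__":
    for key, hits in summarize(SAMPLE).items():
        print(key, hits)
```
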