[DSE-Dev] Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working
Robert Senger
rs-debian at microscopium.de
Mon Nov 6 21:37:51 UTC 2017
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704
I can confirm this bug.
It affects all units having:
- A non-standard SELinux type on the /etc/init.d/ startup script (meaning, other
than initrc_exec_t)
- No unit file in /lib/systemd/system or /etc/systemd/system (and thus
controlled by an autogenerated unit file)
ALL systemctl actions (start, stop, restart, status...) fail on these units in
enforcing mode (but not in permissive mode). Error messages are e.g.:
root@pherkad:/etc/systemd/system# systemctl stop exim4
Failed to stop exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.
Failed to get load state of exim4.service: Access denied
root@pherkad:/etc/systemd/system# systemctl start exim4
Failed to start exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.
The error is logged in audit.log (see above report), but audit2allow does not
produce rules from that.
This also affects tab completion of all systemctl actions, as tab completion
seems to trigger "systemctl status <unit-name>". This was reported in #879037
for refpolicy.
Possible workarounds: Either set the SELinux type of the offending init script
to the standard initrc_exec_t, or create a simple systemd unit file for the
affected service.
Offending services on my Debian 9.2 installations are exim4 and ntp, which are
both standard services and installed by default.
Cheers,
Robert
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b3
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
pn policycoreutils <none>
pn selinux-utils <none>
Versions of packages selinux-policy-default recommends:
pn checkpolicy <none>
pn setools <none>
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
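
Added example, not part of the message above or of the Debian policy package: a shell function that lists the init scripts meeting both conditions named in the report. It assumes a native unit is called <script>.service and checks only the directories passed to it; the sample labels are constructed.

```sh
#!/bin/sh
# Added example. Reads "<SELinux context> <path>" lines on stdin and prints
# the init scripts that meet both conditions from the report above:
# type other than initrc_exec_t, and no native unit file in the given dirs.
# On a live system (GNU stat prints the context with %C):
#   stat -c '%C %n' /etc/init.d/* | \
#       find_affected /lib/systemd/system /etc/systemd/system

find_affected() {
    while read -r context path; do
        # Context is user:role:type[:level]; -s drops lines without ':'
        # (for example the "?" stat prints when there is no label).
        type=$(printf '%s\n' "$context" | cut -s -d: -f3)
        if [ -z "$type" ] || [ "$type" = "initrc_exec_t" ]; then
            continue
        fi
        name=$(basename "$path")
        has_unit=no
        for dir in "$@"; do
            if [ -e "$dir/$name.service" ]; then
                has_unit=yes
            fi
        done
        if [ "$has_unit" = no ]; then
            printf '%s %s\n' "$name" "$type"
        fi
    done
}

# Constructed sample: type names are illustrative, not taken from the report.
run_sample() {
    units=$(mktemp -d)
    : > "$units/ssh.service"        # ssh has a native unit, so it is skipped
    printf '%s\n' \
        'system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4' \
        'system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp' \
        'system_u:object_r:sshd_initrc_exec_t:s0 /etc/init.d/ssh' \
        'system_u:object_r:initrc_exec_t:s0 /etc/init.d/cron' \
        '? /etc/init.d/unlabeled' |
        find_affected "$units"
    rm -rf "$units"
}

run_sample
```

Each output line is a script name followed by its type; those are the candidates for one of the two workarounds described in the message.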