[DSE-Dev] Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working

Maksim K. debian_bug at k-max.name
Wed Jun 3 20:29:49 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

Some additional information.
I've done some investigation.
I could say, not all of the services which have their name in it failed to get status.
***
root at vps:/tmp# for i in `ls /etc/init.d/ ` ; do ls -Z /etc/init.d/$i ; systemctl is-active $i   ; done
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache2
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache-htcacheclean
inactive
system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bind9
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgmanager
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgproxy
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cron
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/dbus
active
system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4
Failed to retrieve unit: Access denied
system_u:object_r:entropyd_initrc_exec_t:s0 /etc/init.d/haveged
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/hwclock.sh
inactive
system_u:object_r:irqbalance_initrc_exec_t:s0 /etc/init.d/irqbalance
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/kmod
active
system_u:object_r:mysqld_initrc_exec_t:s0 /etc/init.d/mysql
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/netfilter-persistent
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/networking
active
system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp
Failed to retrieve unit: Access denied
system_u:object_r:openvpn_initrc_exec_t:s0 /etc/init.d/openvpn
inactive
system_u:object_r:pcscd_initrc_exec_t:s0 /etc/init.d/pcscd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/procps
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/rsync
inactive
system_u:object_r:syslogd_initrc_exec_t:s0 /etc/init.d/rsyslog
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/screen-cleanup
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/selinux-autorelabel
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/ssh
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd-single
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/sudo
inactive
system_u:object_r:sysstat_initrc_exec_t:s0 /etc/init.d/sysstat
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/udev
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/unattended-upgrades
active
system_u:object_r:uuidd_initrc_exec_t:s0 /etc/init.d/uuidd
inactive
root at vps:/tmp#
***
As you can see, there are just exim4, mysql, ntp and sysstat.
So, the audit.log has these AVCs:
***
type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/exim4" cmdline="systemctl is-active exim4.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.830:6103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/mysql" cmdline="systemctl is-active mysql.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ntp" cmdline="systemctl is-active ntp.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212458.278:6105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl is-active sysstat.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
***



-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
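The report above correlates two things by hand: the SELinux label of each init script and whether `systemctl is-active` was refused for it. The following is an added example, not part of the bug report or of the selinux-policy package, that automates that triage in Python: it parses USER_AVC records and `ls -Z` output and reports which init-script types are denied which permission on which object class, and which per-service types were listed but never denied (the distinction the report makes, since `auditd_initrc_exec_t` works while `exim_initrc_exec_t` does not). The sample data is an excerpt of the report's own terminal output and its four audit records; the function names (`parse_avc`, `parse_ls_z`, `cross_check`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `ls -Z` / `systemctl is-active` loop
# output shown in the report (status lines interleaved, as in the original).
LS_Z_SAMPLE = """\
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache2
inactive
system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
active
system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4
Failed to retrieve unit: Access denied
system_u:object_r:entropyd_initrc_exec_t:s0 /etc/init.d/haveged
active
system_u:object_r:mysqld_initrc_exec_t:s0 /etc/init.d/mysql
Failed to retrieve unit: Access denied
system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp
Failed to retrieve unit: Access denied
system_u:object_r:openvpn_initrc_exec_t:s0 /etc/init.d/openvpn
inactive
system_u:object_r:syslogd_initrc_exec_t:s0 /etc/init.d/rsyslog
active
system_u:object_r:sysstat_initrc_exec_t:s0 /etc/init.d/sysstat
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/ssh
active
"""

# The four USER_AVC records quoted in the report, copied verbatim.
AUDIT_SAMPLE = """\
type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/exim4" cmdline="systemctl is-active exim4.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.830:6103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/mysql" cmdline="systemctl is-active mysql.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ntp" cmdline="systemctl is-active ntp.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212458.278:6105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl is-active sysstat.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def selinux_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC/USER_AVC denial record into a dict; None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    serial = SERIAL_RE.search(line)
    return {
        "serial": int(serial.group(1)) if serial else None,
        "perms": m.group("perms").split(),      # e.g. ["status"]
        "tclass": fields.get("tclass"),         # e.g. "service"
        "path": fields.get("path"),
        "cmdline": fields.get("cmdline"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
    }


def parse_ls_z(output):
    """Map each path in `ls -Z` output to its SELinux type, skipping status lines."""
    labels = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].count(":") >= 3:
            labels[parts[1]] = selinux_type(parts[0])
    return labels


def cross_check(ls_z_output, audit_lines, default_type="initrc_exec_t"):
    """Correlate init-script labels with AVC denials.

    Returns (denied, working): `denied` maps a target type to the set of
    (source type, tclass, permission) tuples refused on it; `working` lists the
    non-default init-script types that appear in `ls -Z` but in no denial.
    """
    labels = parse_ls_z(ls_z_output)
    denied = defaultdict(set)
    for line in audit_lines.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            denied[rec["ttype"]].add((rec["stype"], rec["tclass"], perm))
    working = sorted({t for t in labels.values() if t != default_type and t not in denied})
    return dict(denied), working


if __name__ == "__main__":
    denied, working = cross_check(LS_Z_SAMPLE, AUDIT_SAMPLE)
    for ttype in sorted(denied):
        for stype, tclass, perm in sorted(denied[ttype]):
            print(f"{stype} denied {tclass}:{perm} on {ttype}")
    print("per-service types with no denial:", ", ".join(working))
```

Run against a full `ausearch -m USER_AVC` dump and the complete `ls -Z /etc/init.d/*` listing, the same two functions show at a glance which per-service `*_initrc_exec_t` types the running policy lets `unconfined_t` query and which it does not, which is the information one wants before deciding whether the labels or the policy rules are at fault.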