Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

Some additional information. I've done some investigation. I could say that not all services which have their name in it fail to get status.

***
root@vps:/tmp# for i in `ls /etc/init.d/ ` ; do ls -Z /etc/init.d/$i ; systemctl is-active $i ; done
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache2
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache-htcacheclean
inactive
system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bind9
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgmanager
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgproxy
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cron
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/dbus
active
system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4
Failed to retrieve unit: Access denied
system_u:object_r:entropyd_initrc_exec_t:s0 /etc/init.d/haveged
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/hwclock.sh
inactive
system_u:object_r:irqbalance_initrc_exec_t:s0 /etc/init.d/irqbalance
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/kmod
active
system_u:object_r:mysqld_initrc_exec_t:s0 /etc/init.d/mysql
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/netfilter-persistent
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/networking
active
system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp
Failed to retrieve unit: Access denied
system_u:object_r:openvpn_initrc_exec_t:s0 /etc/init.d/openvpn
inactive
system_u:object_r:pcscd_initrc_exec_t:s0 /etc/init.d/pcscd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/procps
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/rsync
inactive
system_u:object_r:syslogd_initrc_exec_t:s0 /etc/init.d/rsyslog
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/screen-cleanup
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/selinux-autorelabel
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/ssh
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd-single
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/sudo
inactive
system_u:object_r:sysstat_initrc_exec_t:s0 /etc/init.d/sysstat
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/udev
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/unattended-upgrades
active
system_u:object_r:uuidd_initrc_exec_t:s0 /etc/init.d/uuidd
inactive
root@vps:/tmp#
***

As you can see, there are just exim4, mysql, ntp, sysstat. So, the audit.log has these AVCs:

***
type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/exim4" cmdline="systemctl is-active exim4.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.830:6103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/mysql" cmdline="systemctl is-active mysql.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ntp" cmdline="systemctl is-active ntp.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212458.278:6105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl is-active sysstat.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
***

-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init:
Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

I can confirm this bug. It affects all units having:

- Non-standard SELinux type in /etc/init.d/ startup script (meaning, other than initrc_exec_t)
- No unit file in /lib/systemd/system or /etc/systemd/system (and thus are controlled by autogenerated unit file)

ALL systemctl actions (start, stop, restart, status...) fail on these units in enforcing mode (but not in permissive mode). Error messages are e.g.:

root@pherkad:/etc/systemd/system# systemctl stop exim4
Failed to stop exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.
Failed to get load state of exim4.service: Access denied
root@pherkad:/etc/systemd/system# systemctl start exim4
Failed to start exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.

The error is logged in audit.log (see above report), but audit2allow does not produce rules from that. This also affects tab completion of all systemctl actions, as tab completion seems to trigger "systemctl status ". This was reported in #879037 for refpolicy.

Possible workarounds: Either set SELinux type of offending init script to standard initrc_exec_t, or create a simple systemd unit file for the affected service.

Offending services on my Debian 9.2 installations are exim4 and ntp, which are both standard services and installed by default.

Cheers,
Robert

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1   2.6-3+b3
ii  libsemanage1  2.6-2
ii  libsepol1     2.6-2
pn  policycoreutils
pn  selinux-utils

Versions of packages selinux-policy-default recommends:
pn  checkpolicy
pn  setools

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary
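The two follow-ups above describe the same pattern: systemd (pid 1) logs a USER_AVC with tclass=service for an init script whose label is not initrc_exec_t, and only when no real unit file shadows the script. The helper below is an added example, not code from this bug thread or from the selinux-policy-default package. It parses audit.log lines of the kind quoted above, extracts the source and target types, and applies the two conditions the second follow-up names so that an administrator can list which scripts would trip the denial before systemctl does. The audit lines embedded in it are constructed copies modelled on the ones in the report; the `collect_labels` and `installed_units` functions read a live host and are not used in the offline run.

```python
"""Triage SELinux USER_AVC denials on systemd's autogenerated units.

Added example, not code from the Debian bug thread or from
selinux-policy-default. Parses type=USER_AVC lines with tclass=service
and applies the two conditions from the thread: init script labelled
with a type other than initrc_exec_t, and no real .service unit file.
"""
import os
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the first two lines mirror denials quoted in the
# thread; the third is an unrelated kernel AVC that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/exim4" cmdline="systemctl is-active exim4.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ntp" cmdline="systemctl is-active ntp.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1591212460.100:6110): avc: denied { read } for pid=2345 comm="logrotate" name="messages" dev="vda1" ino=1234 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, value may be quoted
PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([\w ]+?)\s*\}")
STANDARD_TYPE = "initrc_exec_t"                        # the label systemd may query


def context_type(context: str) -> str:
    """Return the type field (third component) of an SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_user_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line; None unless it is a USER_AVC denial that
    systemd reported on the 'service' object class."""
    if not line.startswith("type=USER_AVC"):
        return None
    perm = PERM_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if perm is None or fields.get("tclass") != "service":
        return None
    return {
        "perm": perm.group(1),
        "path": fields.get("path", ""),
        "cmdline": fields.get("cmdline", ""),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
    }


def find_service_denials(log_text: str) -> List[Dict[str, str]]:
    """All service-class USER_AVC denials in an audit.log excerpt."""
    return [d for d in map(parse_user_avc, log_text.splitlines()) if d]


def affected_scripts(denials: List[Dict[str, str]]) -> Dict[str, str]:
    """Map init-script name -> the non-standard type systemd was denied on."""
    return {os.path.basename(d["path"]): d["target_type"] for d in denials}


def classify_init_scripts(labels: Dict[str, str], unit_files: Set[str]) -> List[str]:
    """Init scripts meeting both conditions from the thread: a type other
    than initrc_exec_t AND no real <name>.service unit shadowing them."""
    return sorted(
        name for name, ctx in labels.items()
        if context_type(ctx) != STANDARD_TYPE and f"{name}.service" not in unit_files
    )


# Live-host collectors (hypothetical helpers; not run in the offline sample).
def collect_labels(init_dir: str = "/etc/init.d") -> Dict[str, str]:
    """Read the security.selinux xattr, the same data `ls -Z` prints."""
    labels = {}
    for name in os.listdir(init_dir):
        raw = os.getxattr(os.path.join(init_dir, name), "security.selinux")
        labels[name] = raw.decode().rstrip("\0")
    return labels


def installed_units(dirs=("/etc/systemd/system", "/lib/systemd/system")) -> Set[str]:
    """Names of real .service files; missing directories are skipped."""
    units: Set[str] = set()
    for d in dirs:
        if os.path.isdir(d):
            units.update(f for f in os.listdir(d) if f.endswith(".service"))
    return units


if __name__ == "__main__":
    for name, ttype in affected_scripts(find_service_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"{name}: systemd denied 'status' on type {ttype}; "
              f"relabel to {STANDARD_TYPE} or ship a real {name}.service")
```

On a live Debian host the same report comes from `classify_init_scripts(collect_labels(), installed_units())`, which explains the first follow-up's listing: haveged, irqbalance, openvpn, pcscd, rsyslog and uuidd also carry service-specific types but are not denied, because a real unit file exists for them, while exim4, mysql, ntp and sysstat meet both conditions.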
Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working
Package: selinux-policy-default
Version: 2:2.20161023.1-10
Severity: normal

Dear Debian folks,

Running `systemd-analyze critical-chain` and `systemctl status sysstat` – even as root – fails.

```
$ sudo systemd-analyze critical-chain
Failed to parse reply: Access denied
$ sudo systemctl status sysstat
Failed to get properties: Access denied
```

The messages below are logged in `/var/log/audit/audit.log`.

```
type=USER_AVC msg=audit(1502388774.763:469093): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemd-analyze critical-chain" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[…]
type=USER_AVC msg=audit(1502388969.411:469366): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl status sysstat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

The labels of some files in `/etc/init.d/` also differ. Some are just labeled with `initrc_exec_t`, while others seem to have their name in it.

```
-rwxr-xr-x. 1 root root system_u:object_r:sysstat_initrc_exec_t:s0 1597 May 25 20:26 sysstat
```

For “services”, like xinetd, whose label is `initrc_exec_t`, `systemctl status` works.

Thanks,
Paul