Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working

2020-06-03 Thread Maksim K.
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

Some additional information.
I've done some investigation.
I can say that not all of the services which have their name in it fail to get
status.
***
root@vps:/tmp# for i in `ls /etc/init.d/ ` ; do ls -Z /etc/init.d/$i ; systemctl is-active $i   ; done
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache2
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache-htcacheclean
inactive
system_u:object_r:auditd_initrc_exec_t:s0 /etc/init.d/auditd
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bind9
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgmanager
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cgproxy
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/cron
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/dbus
active
system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4
Failed to retrieve unit: Access denied
system_u:object_r:entropyd_initrc_exec_t:s0 /etc/init.d/haveged
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/hwclock.sh
inactive
system_u:object_r:irqbalance_initrc_exec_t:s0 /etc/init.d/irqbalance
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/kmod
active
system_u:object_r:mysqld_initrc_exec_t:s0 /etc/init.d/mysql
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/netfilter-persistent
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/networking
active
system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp
Failed to retrieve unit: Access denied
system_u:object_r:openvpn_initrc_exec_t:s0 /etc/init.d/openvpn
inactive
system_u:object_r:pcscd_initrc_exec_t:s0 /etc/init.d/pcscd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/procps
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/rsync
inactive
system_u:object_r:syslogd_initrc_exec_t:s0 /etc/init.d/rsyslog
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/screen-cleanup
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/selinux-autorelabel
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/ssh
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/stop-bootlogd-single
inactive
system_u:object_r:initrc_exec_t:s0 /etc/init.d/sudo
inactive
system_u:object_r:sysstat_initrc_exec_t:s0 /etc/init.d/sysstat
Failed to retrieve unit: Access denied
system_u:object_r:initrc_exec_t:s0 /etc/init.d/udev
active
system_u:object_r:initrc_exec_t:s0 /etc/init.d/unattended-upgrades
active
system_u:object_r:uuidd_initrc_exec_t:s0 /etc/init.d/uuidd
inactive
root@vps:/tmp#
***
As you can see, there are just exim4, mysql, ntp and sysstat.
So, the audit.log has these AVCs:
***
type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/exim4" cmdline="systemctl is-active 
exim4.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.830:6103): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/mysql" cmdline="systemctl is-active 
mysql.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:mysqld_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/ntp" cmdline="systemctl is-active 
ntp.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1591212458.278:6105): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl is-active 
sysstat.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
***



-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: 

Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working

2017-11-06 Thread Robert Senger
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

I can confirm this bug.

It affects all units having:

- Non-standard SELinux type in /etc/init.d/ startup script (meaning, other than
initrc_exec_t)
- No unit file in /lib/systemd/system or /etc/systemd/system (and thus are
controlled by an autogenerated unit file)

ALL systemctl actions (start, stop, restart, status...) fail on these units in
enforcing mode (but not in permissive mode). Error messages are e.g.:

root@pherkad:/etc/systemd/system# systemctl stop exim4
Failed to stop exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.
Failed to get load state of exim4.service: Access denied

root@pherkad:/etc/systemd/system# systemctl start exim4
Failed to start exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.

The error is logged in audit.log (see above report), but audit2allow does not
produce rules from that.

This also affects tab completion of all systemctl actions, as tab completion
seems to trigger "systemctl status ". This was reported in #879037
for refpolicy.

Possible workarounds: Either set SELinux type of offending init script to
standard initrc_exec_t, or create a simple systemd unit file for the affected
service.

Offending services on my Debian 9.2 installations are exim4 and ntp, which are
both standard services and installed by default.

Cheers,

Robert



-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1  2.6-3+b3
ii  libsemanage1 2.6-2
ii  libsepol1  2.6-2
pn  policycoreutils  
pn  selinux-utils

Versions of packages selinux-policy-default recommends:
pn  checkpolicy  
pn  setools  

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  
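The two conditions Robert lists above (a type other than initrc_exec_t on the init script, and no native unit file) together with the tclass=service denials quoted in Maksim's report can be checked mechanically. The script below is an added triage helper, not code from this bug thread or from the selinux-policy-default package: it parses USER_AVC records of the shape quoted above, parses `ls -Z /etc/init.d` output, and lists the scripts that meet both conditions. The audit lines and listing are constructed from the records quoted in the thread, and the set of native unit files (NATIVE_UNITS) is an assumption made for the example; on a real host it would come from /lib/systemd/system and /etc/systemd/system.

```python
"""Triage SELinux tclass=service denials raised by systemd (pid 1).

Constructed example, not code from the Debian bug report.
"""
import re
from typing import Dict, List, Set

STANDARD_TYPE = "initrc_exec_t"

# Matches the payload "avc:  denied  { status } for auid=0 ... tclass=service ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be double-quoted (path="...", cmdline="...")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_user_avc(line: str) -> Dict[str, object]:
    """Parse one USER_AVC record into {perms: [...], path, cmdline, scontext,
    tcontext, tclass, ...}. Returns {} for records that are not denials
    (e.g. the 'received policyload notice' message)."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    rec: Dict[str, object] = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def service_denials(audit_lines: List[str]) -> Dict[str, Set[str]]:
    """Map each denied init-script path to the target types pid 1 reported
    in tclass=service denials (the class audit2allow does not handle here)."""
    out: Dict[str, Set[str]] = {}
    for line in audit_lines:
        rec = parse_user_avc(line)
        if rec.get("tclass") != "service" or "path" not in rec:
            continue
        out.setdefault(str(rec["path"]), set()).add(
            selinux_type(str(rec["tcontext"])))
    return out


def parse_ls_z(listing: str) -> Dict[str, str]:
    """Parse `ls -Z` output ('context path' per line) into {script: type}."""
    result: Dict[str, str] = {}
    for line in listing.strip().splitlines():
        context, path = line.split(None, 1)
        result[path.rsplit("/", 1)[-1]] = selinux_type(context)
    return result


def affected_services(labels: Dict[str, str], native_units: Set[str]) -> List[str]:
    """Init scripts with a non-standard type AND no unit file of their own,
    i.e. the generated-unit case the bug report describes."""
    return sorted(name for name, stype in labels.items()
                  if stype != STANDARD_TYPE
                  and f"{name}.service" not in native_units)


# Constructed sample data, modelled on the records quoted in the thread.
SAMPLE_AUDIT = [
    "type=USER_AVC msg=audit(1591212457.570:6102): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=0 uid=0 gid=0 path=\"/etc/init.d/exim4\" cmdline=\"systemctl is-active "
    "exim4.service\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:exim_initrc_exec_t:s0 tclass=service  "
    "exe=\"/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1591212457.862:6104): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=0 uid=0 gid=0 path=\"/etc/init.d/ntp\" cmdline=\"systemctl is-active "
    "ntp.service\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:ntpd_initrc_exec_t:s0 tclass=service  "
    "exe=\"/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    # Non-denial USER_AVC record (constructed timestamp): must be skipped.
    "type=USER_AVC msg=audit(1591212400.000:6100): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received "
    "policyload notice (seqno=2)  exe=\"/lib/systemd/systemd\" sauid=0 "
    "hostname=? addr=? terminal=?'",
]

SAMPLE_LS_Z = """
system_u:object_r:initrc_exec_t:s0 /etc/init.d/apache2
system_u:object_r:exim_initrc_exec_t:s0 /etc/init.d/exim4
system_u:object_r:entropyd_initrc_exec_t:s0 /etc/init.d/haveged
system_u:object_r:mysqld_initrc_exec_t:s0 /etc/init.d/mysql
system_u:object_r:ntpd_initrc_exec_t:s0 /etc/init.d/ntp
system_u:object_r:initrc_exec_t:s0 /etc/init.d/ssh
system_u:object_r:sysstat_initrc_exec_t:s0 /etc/init.d/sysstat
"""

# Assumption for the example: which services ship a native unit file.
NATIVE_UNITS = {"apache2.service", "haveged.service", "ssh.service"}

if __name__ == "__main__":
    for path, types in sorted(service_denials(SAMPLE_AUDIT).items()):
        print(f"denied status on {path}: {', '.join(sorted(types))}")
    print("affected:", affected_services(parse_ls_z(SAMPLE_LS_Z), NATIVE_UNITS))
```

With the sample data the affected list is exim4, mysql, ntp and sysstat, the same four that failed in the loop output above, while haveged passes because it is assumed to have its own unit file despite its entropyd_initrc_exec_t label.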



Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working

2017-08-10 Thread Paul Menzel
Package: selinux-policy-default
Version: 2:2.20161023.1-10
Severity: normal


Dear Debian folks,


Running `systemd-analyze critical-chain` and `systemctl status sysstat`
 – even as root – fails.

```
$ sudo systemd-analyze critical-chain
Failed to parse reply: Access denied
$ sudo systemctl status sysstat
Failed to get properties: Access denied
```

The messages below are logged in `/var/log/audit/audit.log`.

```
type=USER_AVC msg=audit(1502388774.763:469093): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemd-analyze 
critical-chain" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[…]
type=USER_AVC msg=audit(1502388969.411:469366): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=1000 uid=0 gid=0 path="/etc/init.d/sysstat" cmdline="systemctl status 
sysstat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysstat_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

The labels of some files in `/etc/init.d/` also differ.

Some are just labeled with `initrc_exec_t`, while others seem to have
their name in it.

```
-rwxr-xr-x. 1 root root system_u:object_r:sysstat_initrc_exec_t:s0 1597 May 25 20:26 sysstat
```

For “services”, like xinetd, whose label is `initrc_exec_t`, `systemctl
status` works.


Thanks,

Paul
