Bug 1337041 - Selinux is preventing the masking of iptables service

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Bogdan Benea <benea_bogdan> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.3 | CC | akmal.avloni86, benea_bogdan, fsumsal, hsowa, lvrabec, mgrepl, mleitner, mmalik, nperic, plautrba, pvrabec, ssekidde |
| Target Milestone | rc | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-136.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-08-01 15:12:40 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Bogdan Benea
2016-05-18 06:42:54 UTC
The scenario works fine on RHEL-7.3.

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl status iptables.service
● iptables.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
#
# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-73.el7.noarch
selinux-policy-devel-3.13.1-73.el7.noarch
selinux-policy-doc-3.13.1-73.el7.noarch
selinux-policy-minimum-3.13.1-73.el7.noarch
selinux-policy-mls-3.13.1-73.el7.noarch
selinux-policy-sandbox-3.13.1-73.el7.noarch
selinux-policy-targeted-3.13.1-73.el7.noarch
systemd-219-20.el7.x86_64
systemd-devel-219-20.el7.x86_64
systemd-journal-gateway-219-20.el7.x86_64
systemd-libs-219-20.el7.x86_64
systemd-networkd-219-20.el7.x86_64
systemd-python-219-20.el7.x86_64
systemd-resolved-219-20.el7.x86_64
systemd-sysv-219-20.el7.x86_64
#
```

---

Bogdan, what is your version of policy?

```
$ rpm -q selinux-policy-targeted
```

---

Hi Miroslav,

```
rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-60.el7.noarch
```

I don't have a 7.3 to test.

Best regards
Bogdan Benea

---

Here is the output from RHEL-7.2:

```
# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# rpm -e iptables-services
# systemctl mask iptables.service
Failed to execute operation: Access denied
# systemctl unmask iptables.service
Failed to execute operation: Access denied
# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(05/31/2016 09:41:27.160:274) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/31/2016 09:41:34.615:275) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="systemctl unmask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
```

It seems like a re-appearance of BZ#1154065.

---

Another way to reproduce it in enforcing mode on RHEL-7.3:

```
# systemctl enable xyz.service
Failed to execute operation: Access denied
# systemctl disable xyz.service
Failed to execute operation: Access denied
# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(06/29/2016 15:54:06.987:849) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="systemctl enable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/29/2016 15:54:18.638:854) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl disable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
```

---

*** Bug 1373298 has been marked as a duplicate of this bug. ***

---

`sesearch -A -s unconfined_t -t init_t -c service` yields:

```
allow unconfined_domain_type init_t : service { start stop status reload } ;
```

We might miss an enable/disable in this rule?

---

*** Bug 1392443 has been marked as a duplicate of this bug. ***

---

*** Bug 1412727 has been marked as a duplicate of this bug. ***

---

I cannot reproduce this issue. Closing this BZ as NOTABUG. If you can reproduce this issue, feel free to re-open this.

---

Hello, I can reproduce this on a RHEL 7.3 clean minimal install.

```
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost ~]# systemctl mask iptables.service
Failed to execute operation: Access denied
[root@localhost ~]# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
systemd-219-30.el7.x86_64
systemd-libs-219-30.el7.x86_64
systemd-sysv-219-30.el7.x86_64
```

---

*** Bug 1434727 has been marked as a duplicate of this bug. ***

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
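Both reproducers in the thread have the same shape: the unit being operated on has no unit file on disk (iptables.service after `rpm -e iptables-services`, and xyz.service never existed). systemd's SELinux hook checks a unit operation against the label of the unit file when it can find one; with no unit file it falls back to its own context, which is why every AVC record above shows tcontext=system_u:system_r:init_t:s0 tclass=service rather than a unit-file type, and why the quoted rule on init_t:service (start, stop, status, reload only) is the one that matters. The following shell helper is an added example, not part of this bug report or of the selinux-policy package: it takes sesearch output for the service class and reports which of the permissions systemctl needs (the four from the quoted rule plus enable and disable) are not granted. The rule in SAMPLE_RULE_BROKEN is the one quoted in the thread; SAMPLE_RULE_FIXED is a constructed complete rule for comparison, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): check whether
# the allow rule(s) for the "service" object class grant every permission that
# systemctl start/stop/status/reload/enable/disable needs on init_t.

# Permissions systemd requests on the service class. "enable" and "disable" are
# the two that the USER_AVC records in the thread were denied.
NEEDED_PERMS="start stop status reload enable disable"

# Constructed samples so the script runs without sesearch. The first is the rule
# quoted in the thread (setools 3 output format on RHEL 7); the second is a
# hypothetical complete rule.
SAMPLE_RULE_BROKEN='allow unconfined_domain_type init_t : service { start stop status reload } ;'
SAMPLE_RULE_FIXED='allow unconfined_domain_type init_t : service { start stop status reload enable disable } ;'

# extract_perms RULES: print the union of permissions found in every
# "... : service { ... }" (setools 3) or "...:service { ... }" (setools 4)
# rule in RULES, as a single space-separated line.
extract_perms() {
    printf '%s\n' "$1" | sed -n 's/.*: *service *{\([^}]*\)}.*/\1/p' | tr -s ' \n' '  '
}

# missing_service_perms RULES: print each needed permission that no rule grants,
# one per line, in NEEDED_PERMS order. Prints nothing when the rule is complete.
missing_service_perms() {
    granted=" $(extract_perms "$1") "
    for p in $NEEDED_PERMS; do
        case "$granted" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# check_service_perms RULES: return 0 if every needed permission is granted,
# 1 otherwise (and name the gap on stdout).
check_service_perms() {
    missing=$(missing_service_perms "$1")
    if [ -n "$missing" ]; then
        printf 'missing on init_t:service: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "init_t:service rule grants every needed permission"
}

# On a live RHEL 7 host, feed the loaded policy instead of the samples:
#   check_service_perms "$(sesearch -A -s unconfined_t -t init_t -c service)"
check_service_perms "$SAMPLE_RULE_BROKEN" || true
check_service_perms "$SAMPLE_RULE_FIXED"
```

Run it against the real policy before and after updating to the errata build named in the header (selinux-policy-3.13.1-136.el7) to confirm the gap is closed. If a host cannot take the update yet, the denials can be turned into a local module with `ausearch -m USER_AVC -ts recent | audit2allow -M local_init_service` followed by `semodule -i local_init_service.pp`; read the generated .te first and install it only if it contains nothing beyond the init_t:service enable/disable rule the AVCs ask for, since audit2allow will happily include any unrelated denial that happened to be in the log.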