Bug 1337041

Summary: SELinux is preventing the masking of iptables service
Product: Red Hat Enterprise Linux 7
Reporter: Bogdan Benea <benea_bogdan>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: akmal.avloni86, benea_bogdan, fsumsal, hsowa, lvrabec, mgrepl, mleitner, mmalik, nperic, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-136.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 15:12:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bogdan Benea 2016-05-18 06:42:54 UTC
Description of problem:

SELinux is preventing the masking of iptables service
Version-Release number of selected component (if applicable): 219-19


How reproducible:
Every time

Steps to Reproduce:
1. Install a clean RHEL
2. Run systemctl mask iptables.service
3.

Actual results:
The iptables service is not masked; you get "Failed to execute operation: Access denied"

Expected results:
The iptables service should be masked; you should get "Created symlink from /etc/systemd/system/iptables.service to /dev/null"

Additional info:
Other services could be masked without issues (for example network.service, postfix.service, rhnsd.service). Putting SELinux in permissive mode allows masking of iptables.

Best regards
Bogdan Benea

Comment 1 Milos Malik 2016-05-18 06:56:07 UTC
The scenario works fine on RHEL-7.3.

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl status iptables.service
● iptables.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# 

# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-73.el7.noarch
selinux-policy-devel-3.13.1-73.el7.noarch
selinux-policy-doc-3.13.1-73.el7.noarch
selinux-policy-minimum-3.13.1-73.el7.noarch
selinux-policy-mls-3.13.1-73.el7.noarch
selinux-policy-sandbox-3.13.1-73.el7.noarch
selinux-policy-targeted-3.13.1-73.el7.noarch
systemd-219-20.el7.x86_64
systemd-devel-219-20.el7.x86_64
systemd-journal-gateway-219-20.el7.x86_64
systemd-libs-219-20.el7.x86_64
systemd-networkd-219-20.el7.x86_64
systemd-python-219-20.el7.x86_64
systemd-resolved-219-20.el7.x86_64
systemd-sysv-219-20.el7.x86_64
#

Comment 3 Miroslav Grepl 2016-05-26 08:25:28 UTC
Bogdan,
what is your version of policy?

$ rpm -q selinux-policy-targeted

Comment 4 Bogdan Benea 2016-05-26 09:22:46 UTC
Hi Miroslav

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-60.el7.noarch

I don't have a 7.3 to test.

Best regards
Bogdan Benea

Comment 5 Milos Malik 2016-05-31 13:45:38 UTC
Here is the output from RHEL-7.2:

# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# rpm -e iptables-services
# systemctl mask iptables.service
Failed to execute operation: Access denied
# systemctl unmask iptables.service
Failed to execute operation: Access denied
# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(05/31/2016 09:41:27.160:274) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/31/2016 09:41:34.615:275) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl unmask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

It seems like a re-appearance of BZ#1154065.

Comment 6 Milos Malik 2016-06-29 13:56:41 UTC
Another way to reproduce it in enforcing mode on RHEL-7.3:

# systemctl enable xyz.service
Failed to execute operation: Access denied
# systemctl disable xyz.service
Failed to execute operation: Access denied
# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(06/29/2016 15:54:06.987:849) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl enable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/29/2016 15:54:18.638:854) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl disable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Comment 7 Lukas Vrabec 2016-09-06 15:09:46 UTC
*** Bug 1373298 has been marked as a duplicate of this bug. ***

Comment 8 Hannes Frederic Sowa 2016-09-06 18:17:38 UTC
'sesearch -A -s unconfined_t -t init_t -c service' yields:

allow unconfined_domain_type init_t : service { start stop status reload } ; 

We might be missing enable/disable in this rule?
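
To check the denials quoted in comments 5, 6 and 12 against the rule quoted in comment 8, here is an added Python example; it is not code from this bug report or from the selinux-policy project. The audit records are constructed copies modelled on the ones above, and the ALLOWED table assumes the comment 8 rule is the only one that applies to unconfined_t (a member of the unconfined_domain_type attribute).

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the USER_AVC lines quoted in this bug
# (systemd, pid 1, is the userspace object manager for the "service" class).
SAMPLE_AUDIT = """\
----
type=USER_AVC msg=audit(05/31/2016 09:41:27.160:274) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/31/2016 09:41:34.615:275) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl unmask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
"""

# Permissions granted by the sesearch rule quoted in comment 8, keyed by
# (source type, target type, class). unconfined_t carries the unconfined_domain_type
# attribute, so the rule applies to it; assumed to be the only relevant rule.
ALLOWED = {
    ("unconfined_t", "init_t", "service"): {"start", "stop", "status", "reload"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r'.*?cmdline="(?P<cmdline>[^"]*)"'
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

def parse_denials(text):
    """Return one dict per USER_AVC denial record; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if "type=USER_AVC" in line else None
        if m:
            # The type is the third colon-separated field of an SELinux context.
            stype, ttype = (m.group(g).split(":")[2] for g in ("scontext", "tcontext"))
            denials.append({"perms": set(m.group("perms").split()),
                            "cmdline": m.group("cmdline"), "stype": stype,
                            "ttype": ttype, "tclass": m.group("tclass")})
    return denials

def missing_permissions(denials, allowed):
    """(stype, ttype, tclass) -> denied permissions that no known rule grants."""
    missing = defaultdict(set)
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        missing[key] |= d["perms"] - allowed.get(key, set())
    return {k: v for k, v in missing.items() if v}
```

Feeding the output of ausearch into parse_denials and comparing with the sesearch rule set gives the permissions (here enable and disable on class service) that the policy would have to add for the operation to succeed in enforcing mode.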

Comment 9 Lukas Vrabec 2016-11-14 14:10:47 UTC
*** Bug 1392443 has been marked as a duplicate of this bug. ***

Comment 10 Frantisek Sumsal 2017-01-12 16:28:51 UTC
*** Bug 1412727 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2017-03-27 12:43:30 UTC
I cannot reproduce this issue. Closing this BZ as NOTABUG. If you can reproduce this issue feel free to re-open this.

Comment 12 Bogdan Benea 2017-03-27 13:04:28 UTC
Hello

I can reproduce this on a RHEL 7.3 clean minimal install:
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost ~]# systemctl mask iptables.service
Failed to execute operation: Access denied
[root@localhost ~]# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
systemd-219-30.el7.x86_64
systemd-libs-219-30.el7.x86_64
systemd-sysv-219-30.el7.x86_64

Comment 18 Lukas Vrabec 2017-07-17 14:02:20 UTC
*** Bug 1434727 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2017-08-01 15:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861