Bug 868503

Summary: systemctl status on mask unit fails
Product: [Fedora] Fedora
Reporter: Lukáš Nykrýn <lnykryn>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl, systemd-maint
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-12-20 15:08:06 UTC
Type: Bug

Description Lukáš Nykrýn 2012-10-20 10:45:06 UTC
Description of problem:


Version-Release number of selected component (if applicable):
systemd-194-2
selinux-policy-3.11.1-41.fc18

How reproducible:
100%

Steps to Reproduce:
[root@systemd ~]# systemctl mask masked.service
ln -s '/dev/null' '/etc/systemd/system/masked.service'
[root@systemd ~]# systemctl status masked.service
Failed to issue method call: Access denied

  
Actual results:
Failed to issue method call: Access denied

Expected results:
masked.service
	  Loaded: masked (/dev/null)
	  Active: inactive (dead)


Additional info:
from audit.log
type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl status masked.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
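
A triage sketch for the audit record quoted above, added here as an example and not part of the original report or of selinux-policy: it parses the USER_AVC line, recognises the masked-unit case (class service, path /dev/null, target type null_device_t) and derives the raw allow rule the denial corresponds to. The function names are hypothetical, and the rule is the literal translation of the denial, not the policy change referenced later in the comments.

```python
import re

# Audit record copied from the "Additional info" section of this report.
SAMPLE = (
    "type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    'for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl status masked.service" '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:null_device_t:s0 tclass=service  "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_user_avc(line):
    """Return the fields of the embedded AVC message, or None if there is none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rest = m.group("rest").rstrip().rstrip("'")  # drop the closing quote of msg='...'
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields

def se_type(context):
    """Type is the third field of user:role:type:level; '' if the context is malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def is_masked_unit_denial(avc):
    """True when a service-class check was denied against a unit file that is /dev/null."""
    return (avc["result"] == "denied"
            and avc.get("tclass") == "service"
            and avc.get("path") == "/dev/null"
            and se_type(avc.get("tcontext", "")) == "null_device_t")

def candidate_rule(avc):
    """Literal allow rule for the denial, for review only (not the committed fix)."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {se_type(avc['scontext'])} {se_type(avc['tcontext'])}:{avc['tclass']} {p};"

if __name__ == "__main__":
    avc = parse_user_avc(SAMPLE)
    print(is_masked_unit_denial(avc), candidate_rule(avc))
```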

Comment 1 Miroslav Grepl 2012-10-22 12:54:48 UTC
Dan,
how about your systemd fix for this issue?

Comment 2 Miroslav Grepl 2012-10-23 15:28:35 UTC
Actually I missed

ln -s '/dev/null' '/etc/systemd/system/masked.service'

Comment 3 Miroslav Grepl 2012-10-23 15:56:05 UTC
So you can "disable" a service which you want this way, right?

Comment 4 Lukáš Nykrýn 2012-10-24 07:52:37 UTC
I am not quite sure what you are asking, but you use mask in the case that you don't want the service to start under any circumstances.

Comment 5 Miroslav Grepl 2012-10-24 07:55:33 UTC
(In reply to comment #4)
> I am not quite sure what you are asking, but you use mask in the case that
> you don't want the service to start under any circumstances.

Yes, it was my question.

Dan,
what do you think about that?

Comment 6 Daniel Walsh 2012-10-24 14:57:38 UTC
I think we should add interfaces for this and obviously unconfined_t should be allowed to do it.

Comment 7 Daniel Walsh 2012-10-24 15:06:52 UTC
I added this to f06014decd66106ec2c82e7229db4f27758db80b

Comment 8 Miroslav Grepl 2012-10-24 15:31:19 UTC
Ok, Fixed in selinux-policy-3.11.1-44.fc18

Comment 9 Fedora Update System 2012-10-26 15:39:18 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 10 Fedora Update System 2012-10-26 19:28:48 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-12-20 15:08:08 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.