Bug 1211460
| Summary: | Cryptic error message when unit does not exist | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Giovanni Tirloni <gtirloni> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | greartes, jscotka, jsynacek, lnykryn, rhack, systemd-maint-list |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | systemd-219-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 15:00:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Giovanni Tirloni
2015-04-14 03:47:43 UTC
The problem here is that there is a different selinux check for unit file in rhel. We need a general fix here.

I can't reproduce this on my machine using systemd-219:
# cat /etc/os-release
NAME="Red Hat Enterprise Linux Workstation"
VERSION="7.1 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.1"
PRETTY_NAME="Red Hat Enterprise Linux Workstation 7.1 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.1:GA:workstation"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.1
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.1"
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
# systemctl enable non-existent.service
Failed to execute operation: No such file or directory
# systemctl status non-existent.service
● non-existent.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

Maybe my SELinux policy is missing something?

Relevant strace output:
sendmsg(3, {msg_name(0)=NULL, msg_iov(2)=[{"l\1\0\1(\0\0\0\1\0\0\0\242\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/systemd1\0\0\0\0\0\0\0\6\1s\0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\2\1s\0 \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\3\1s\0\17\0\0\0EnableUnitFiles\0\10\1g\0\4asbb\0\0\0\0\0\0\0", 184}, {"\31\0\0\0\24\0\0\0non-existent.service\0\0\0\0\0\0\0\0\0\0\0\0", 40}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 224
poll([{fd=3, events=POLLIN}], 1, 25000) = 1 ([{fd=3, revents=POLLIN}])
recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"l\3\1\1\"\0\0\0\1\0\0\0?\0\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\1\0\0\0\10\1g\0\1s\0\0\35\0\0\0SELinux policy denies access.\0l\4\1\1X\0\0\0\210\1\0\0p\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/systemd1\0\0\0\0\0\0\0\2\1s\0 \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\3\1s\0\7\0\0\0UnitNew\0\10\1g\0\2so\0\24\0\0\0non-existent.service\0\0\0\0007\0\0\0/org/freedesktop/systemd1/unit/non_2dexistent_2eservice\0l\4\1\1X\0\0\0\211\1\0\0x\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/systemd1\0\0\0\0\0\0\0\2\1s\0 \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\3\1s\0\v\0\0\0UnitRemoved\0\0\0\0\0\10\1g\0\2so\0\24\0\0\0non-existent.service\0\0\0\0007\0\0\0/org/freedesktop/systemd1/unit/non_2dexistent_2eservice\0", 2048}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 554
recvmsg(3, 0x7fff96daec60, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable)
writev(2, [{"Failed to issue method call: Access denied", 42}, {"\n", 1}], 2Failed to issue method call: Access denied
# tail -n 1 /var/log/audit/audit.log
type=USER_AVC msg=audit(1432574062.941:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=0 uid=0 gid=0 cmdline="systemctl enable non-existent.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# systemctl enable this-does-not-exist.service
Failed to issue method call: Access denied
# yum update
No packages marked for update
# audit2allow -a -M systemctl-enable
# semodule -i systemctl-enable.pp
# systemctl enable non-existent.service
Failed to issue method call: No such file or directory
(In reply to Giovanni Tirloni from comment #4)
> Maybe my SELinux policy is missing something?

To be more explicit - I *can* reproduce this with the systemd version currently in RHEL-7.1:
# rpm -q systemd
systemd-208-20.el7.x86_64

I can *not* reproduce this with our testing RHEL-7.2 build of systemd-219, that can be found in COPR:
https://copr.fedoraproject.org/coprs/lnykryn/systemd/

This bug will be fixed by the update.

Created attachment 1050881
0001-Retrict-org.freedesktop.DBus.Properties-interface-to.patch

Wrong bugreport *sigh*

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-2092.html
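
The USER_AVC record quoted from /var/log/audit/audit.log in this report, parsed field by field so the denied permission, object class and contexts can be read at a glance. This is an added example, not part of the original bug report or of systemd; the function names `parse_user_avc` and `summarize` are hypothetical, and the sample record is the one from the report.

```python
import re
import shlex

# Record copied from the audit.log line quoted in this bug report.
SAMPLE = (
    "type=USER_AVC msg=audit(1432574062.941:64): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } "
    "for auid=0 uid=0 gid=0 cmdline=\"systemctl enable non-existent.service\" "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:init_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_user_avc(line):
    """Return a dict for a USER_AVC record, or None for any other line."""
    if not line.startswith("type=USER_AVC "):
        return None
    # The userspace AVC text is the single-quoted payload of the second msg=.
    start, end = line.find("msg='"), line.rfind("'")
    if start == -1 or end <= start + 5:
        return None
    m = AVC_RE.search(line[start + 5:end])
    subj = re.search(r"\bsubj=(\S+)", line[:start])
    if not m or not subj:
        return None
    try:
        # shlex keeps the quoted cmdline="..." value together as one token.
        tokens = shlex.split(m.group(3))
    except ValueError:  # unbalanced quote inside the payload
        return None
    rec = {"subj": subj.group(1), "result": m.group(1), "perms": m.group(2).split()}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def summarize(rec):
    """One-line triage summary of a parsed record."""
    stype = rec["scontext"].split(":")[2]
    ttype = rec["tcontext"].split(":")[2]
    # True when the target context equals the context of the process that
    # logged the record (subj=, here pid 1).
    target_is_logger = rec["tcontext"] == rec["subj"]
    return "%s {%s} on %s: %s -> %s, target_is_logger=%s" % (
        rec["result"], " ".join(rec["perms"]), rec["tclass"], stype, ttype, target_is_logger)

if __name__ == "__main__":
    print(summarize(parse_user_avc(SAMPLE)))
```

Records whose cmdline field is hex-encoded by the audit subsystem are not decoded here.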