Bug 1337041 - Selinux is preventing the masking of iptables service
Summary: Selinux is preventing the masking of iptables service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1373298 1392443 1412727 1434727
Depends On:
Blocks:
Reported: 2016-05-18 06:42 UTC by Bogdan Benea
Modified: 2017-08-01 15:12 UTC
CC List: 12 users

Fixed In Version: selinux-policy-3.13.1-136.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:12:40 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2017:1861 (normal, SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Internal Links: 1434727

Description Bogdan Benea 2016-05-18 06:42:54 UTC
Description of problem:

Selinux is preventing the masking of iptables service
Version-Release number of selected component (if applicable): 219-19


How reproducible:
Every time

Steps to Reproduce:
1. Install a clean RHEL
2. Run systemctl mask iptables.service

Actual results:
Iptables service is not masked, you get "Failed to execute operation: Access denied"

Expected results:
Iptables service should be masked, you should get "Created symlink from /etc/systemd/system/iptables.service to /dev/null"

Additional info:
Other services could be masked without issues (for example network.service, postfix.service, rhnsd.service). Putting SELinux in permissive mode allows masking of iptables.

Best regards
Bogdan Benea

Comment 1 Milos Malik 2016-05-18 06:56:07 UTC
The scenario works fine on RHEL-7.3.

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl status iptables.service
● iptables.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# 

# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-73.el7.noarch
selinux-policy-devel-3.13.1-73.el7.noarch
selinux-policy-doc-3.13.1-73.el7.noarch
selinux-policy-minimum-3.13.1-73.el7.noarch
selinux-policy-mls-3.13.1-73.el7.noarch
selinux-policy-sandbox-3.13.1-73.el7.noarch
selinux-policy-targeted-3.13.1-73.el7.noarch
systemd-219-20.el7.x86_64
systemd-devel-219-20.el7.x86_64
systemd-journal-gateway-219-20.el7.x86_64
systemd-libs-219-20.el7.x86_64
systemd-networkd-219-20.el7.x86_64
systemd-python-219-20.el7.x86_64
systemd-resolved-219-20.el7.x86_64
systemd-sysv-219-20.el7.x86_64
#

Comment 3 Miroslav Grepl 2016-05-26 08:25:28 UTC
Bogdan,
what is your version of policy?

$ rpm -q selinux-policy-targeted

Comment 4 Bogdan Benea 2016-05-26 09:22:46 UTC
Hi Miroslav

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-60.el7.noarch

I don't have a 7.3 to test.

Best regards
Bogdan Benea

Comment 5 Milos Malik 2016-05-31 13:45:38 UTC
Here is the output from RHEL-7.2:

# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
# rpm -e iptables-services
# systemctl mask iptables.service
Failed to execute operation: Access denied
# systemctl unmask iptables.service
Failed to execute operation: Access denied
# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(05/31/2016 09:41:27.160:274) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/31/2016 09:41:34.615:275) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl unmask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

It seems like a re-appearance of BZ#1154065.

Comment 6 Milos Malik 2016-06-29 13:56:41 UTC
Another way how to reproduce it in enforcing mode on RHEL-7.3:

# systemctl enable xyz.service
Failed to execute operation: Access denied
# systemctl disable xyz.service
Failed to execute operation: Access denied
# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(06/29/2016 15:54:06.987:849) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl enable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/29/2016 15:54:18.638:854) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl disable xyz.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Comment 7 Lukas Vrabec 2016-09-06 15:09:46 UTC
*** Bug 1373298 has been marked as a duplicate of this bug. ***

Comment 8 Hannes Frederic Sowa 2016-09-06 18:17:38 UTC
`sesearch -A -s unconfined_t -t init_t -c service` yields:

allow unconfined_domain_type init_t : service { start stop status reload } ; 

We might be missing enable/disable in this rule?

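Comment 5's ausearch output and Comment 8's sesearch rule together locate the gap: the denials ask for enable and disable on class service, and the rule Hannes quotes lists neither. The script below is an added example, not code from this bug report or from selinux-policy: it parses constructed USER_AVC lines shaped like the ones above into the minimal allow rules (the way audit2allow would) and diffs them against a sesearch rule to list the permissions the policy lacks. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): turn USER_AVC denials into
# the allow rules they need and compare them with the rule sesearch printed.

# Constructed sample, shaped like the two denials from the RHEL-7.2 reproduction.
sample_avcs() {
    cat <<'EOF'
type=USER_AVC msg=audit(05/31/2016 09:41:27.160:274) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd'
type=USER_AVC msg=audit(05/31/2016 09:41:34.615:275) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="systemctl unmask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd'
EOF
}

# stdin: audit lines; stdout: "source_type target_type class permission", one line per denied permission.
avc_to_tuples() {
    awk '/avc: +denied/ {
        perms = ""; st = ""; tt = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # third field of a context is the type
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (st == "" || tt == "" || cls == "") next
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print st, tt, cls, p[i]
    }'
}

# stdin: tuples; stdout: one minimal allow rule per (source, target, class), as audit2allow would emit.
tuples_to_rules() {
    sort -u | awk '{
        key = $1 " " $2 " : " $3
        if (!(key in perms)) order[++n] = key
        perms[key] = perms[key] (perms[key] == "" ? "" : " ") $4
    } END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], perms[order[i]] }'
}

# $1: an existing rule as printed by sesearch; $2: space-separated permissions the denials ask for.
# Prints the requested permissions the rule does not grant (empty output means the rule covers them).
missing_perms() {
    granted=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p')
    out=""
    for p in $2; do
        case " $granted " in *" $p "*) ;; *) out="$out${out:+ }$p" ;; esac
    done
    printf '%s\n' "$out"
}

# Example run: the rule quoted in comment 8 against what the sample denials request (prints: disable enable).
needed=$(sample_avcs | avc_to_tuples | awk '{ print $4 }' | sort -u | tr '\n' ' ')
missing_perms 'allow unconfined_domain_type init_t : service { start stop status reload } ;' "$needed"
```

On a live system, replace sample_avcs with `ausearch -m user_avc -i -ts recent` and the quoted rule with the actual sesearch output; a non-empty result names the permissions a policy update (or a local module) would have to add.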
Comment 9 Lukas Vrabec 2016-11-14 14:10:47 UTC
*** Bug 1392443 has been marked as a duplicate of this bug. ***

Comment 10 Frantisek Sumsal 2017-01-12 16:28:51 UTC
*** Bug 1412727 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2017-03-27 12:43:30 UTC
I cannot reproduce this issue. Closing this BZ as NOTABUG. If you can reproduce this issue feel free to re-open this.

Comment 12 Bogdan Benea 2017-03-27 13:04:28 UTC
Hello

I can reproduce this on a RHEL 7.3 clean minimal install:
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost ~]# systemctl mask iptables.service
Failed to execute operation: Access denied
[root@localhost ~]# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=USER_AVC msg=audit(03/27/2017 18:57:23.211:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(03/27/2017 18:59:17.471:145) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="systemctl mask iptables.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
[root@localhost ~]# rpm -qa selinux-policy\* systemd\* | sort
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
systemd-219-30.el7.x86_64
systemd-libs-219-30.el7.x86_64
systemd-sysv-219-30.el7.x86_64

Comment 18 Lukas Vrabec 2017-07-17 14:02:20 UTC
*** Bug 1434727 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2017-08-01 15:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
