Bug 868503 - systemctl status on mask unit fails
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2012-10-20 06:45 EDT by Lukáš Nykrýn
Modified: 2012-12-20 10:08 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 10:08:06 EST
Type: Bug

Description Lukáš Nykrýn 2012-10-20 06:45:06 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
[root@systemd ~]# systemctl mask masked.service
ln -s '/dev/null' '/etc/systemd/system/masked.service'
[root@systemd ~]# systemctl status masked.service
Failed to issue method call: Access denied

Actual results:
Failed to issue method call: Access denied

Expected results:
	  Loaded: masked (/dev/null)
	  Active: inactive (dead)

Additional info:
from audit.log
type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl status masked.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
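
Added example, not part of the original report and not code from systemd or selinux-policy: this Python code parses the USER_AVC record quoted above and flags the pattern seen in this bug, a `service`-class check decided by systemd (the `subj` of the record) that resolved to `/dev/null` because the unit is masked. The function names are hypothetical.

```python
import re

# Record copied from the report's audit.log excerpt (a single line in the log).
SAMPLE = (
    "type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    'for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl status masked.service" '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:null_device_t:s0 tclass=service  "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"
)

RECORD = re.compile(r"type=USER_AVC msg=audit\([\d.]+:\d+\):.*?subj=(\S+) msg='(.*)'")
DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context (level may contain ':')."""
    return context.split(":", 3)[2]

def parse_user_avc(line):
    """Parse a USER_AVC record; return None if the line is not one."""
    rec = RECORD.search(line)
    dec = DECISION.search(rec.group(2)) if rec else None
    if not dec:
        return None
    fields = {k: v.strip('"') for k, v in PAIR.findall(dec.group(3))}
    return {
        "manager": selinux_type(rec.group(1)),  # userspace object manager that decided
        "decision": dec.group(1),
        "perms": dec.group(2).split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "cmdline": fields.get("cmdline"),
    }

def is_masked_unit_denial(avc):
    """True when a service-class check landed on /dev/null, i.e. the unit is masked."""
    return (avc["decision"] == "denied" and avc["tclass"] == "service"
            and avc["path"] == "/dev/null" and avc["target"] == "null_device_t")

if __name__ == "__main__":
    print(parse_user_avc(SAMPLE))
```
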
Comment 1 Miroslav Grepl 2012-10-22 08:54:48 EDT
How about your systemd fix for this issue?
Comment 2 Miroslav Grepl 2012-10-23 11:28:35 EDT
Actually I missed

ln -s '/dev/null' '/etc/systemd/system/masked.service'
Comment 3 Miroslav Grepl 2012-10-23 11:56:05 EDT
So you can "disable" a service which you want this way, right?
Comment 4 Lukáš Nykrýn 2012-10-24 03:52:37 EDT
I am not quite sure what you are asking, but you use mask in the case that you don't want the service to start under any circumstances.
Comment 5 Miroslav Grepl 2012-10-24 03:55:33 EDT
(In reply to comment #4)
> I am not quite sure what you are asking, but you use mask in the case that
> you don't want the service to start under any circumstances.

Yes, it was my question.

What do you think about that?
Comment 6 Daniel Walsh 2012-10-24 10:57:38 EDT
I think we should add interfaces for this and obviously unconfined_t should be allowed to do it.
Comment 7 Daniel Walsh 2012-10-24 11:06:52 EDT
I added this to f06014decd66106ec2c82e7229db4f27758db80b
Comment 8 Miroslav Grepl 2012-10-24 11:31:19 EDT
Ok, Fixed in selinux-policy-3.11.1-44.fc18
Comment 9 Fedora Update System 2012-10-26 11:39:18 EDT
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
Comment 10 Fedora Update System 2012-10-26 15:28:48 EDT
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 10:08:08 EST
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.