Bug 868503 - systemctl status on mask unit fails
Summary: systemctl status on mask unit fails
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-20 10:45 UTC by Lukáš Nykrýn
Modified: 2012-12-20 15:08 UTC (History)

Last Closed: 2012-12-20 15:08:06 UTC
Type: Bug

Description Lukáš Nykrýn 2012-10-20 10:45:06 UTC
Description of problem:


Version-Release number of selected component (if applicable):
systemd-194-2
selinux-policy-3.11.1-41.fc18

How reproducible:
100%

Steps to Reproduce:
[root@systemd ~]# systemctl mask masked.service
ln -s '/dev/null' '/etc/systemd/system/masked.service'
[root@systemd ~]# systemctl status masked.service
Failed to issue method call: Access denied

  
Actual results:
Failed to issue method call: Access denied

Expected results:
masked.service
	  Loaded: masked (/dev/null)
	  Active: inactive (dead)


Additional info:
from audit.log
type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl status masked.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
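
Added example, not part of the original report or of the selinux-policy project: Python that parses the USER_AVC record quoted above and derives the type-enforcement rule the denial corresponds to. The function names are hypothetical, and the derived rule only restates the denial; it is not the change made in the policy commit mentioned later in the thread.

```python
import re

# Audit record copied from the report's audit.log excerpt.
RECORD = (
    "type=USER_AVC msg=audit(1350729865.689:57): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='avc:  denied  { status } for auid=0 uid=0 gid=0 "
    'path="/dev/null" cmdline="systemctl status masked.service" '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:null_device_t:s0 tclass=service  "
    'exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    "'"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_user_avc(line):
    """Return the fields of the userspace AVC embedded in a USER_AVC record."""
    # The outer record is written by auditd; the decision made by the
    # userspace object manager (here systemd, pid 1) is inside msg='...'.
    inner = re.search(r"msg='(.*)'", line)
    m = AVC_RE.search(inner.group(1)) if inner else None
    if not line.startswith("type=USER_AVC") or m is None:
        raise ValueError("not a USER_AVC record with an avc message")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def type_of(context):
    """SELinux contexts are user:role:type[:level]; return the type field."""
    return context.split(":")[2]

def allow_rule(avc):
    """Render the denial as the TE rule that would permit it."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], p)

def is_masked_unit_denial(avc):
    """A masked unit is a symlink to /dev/null, so the service check is
    made against the label of /dev/null rather than a unit file label."""
    return avc["tclass"] == "service" and avc.get("path") == "/dev/null"

if __name__ == "__main__":
    avc = parse_user_avc(RECORD)
    print(allow_rule(avc), "| masked unit:", is_masked_unit_denial(avc))
```
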

Comment 1 Miroslav Grepl 2012-10-22 12:54:48 UTC
Dan,
how about your systemd fix for this issue?

Comment 2 Miroslav Grepl 2012-10-23 15:28:35 UTC
Actually I missed

ln -s '/dev/null' '/etc/systemd/system/masked.service'

Comment 3 Miroslav Grepl 2012-10-23 15:56:05 UTC
So you can "disable" a service which you want this way, right?

Comment 4 Lukáš Nykrýn 2012-10-24 07:52:37 UTC
I am not quite sure what you are asking, but you use mask in the case that you don't want the service to start under any circumstances.

Comment 5 Miroslav Grepl 2012-10-24 07:55:33 UTC
(In reply to comment #4)
> I am not quite sure what you are asking, but you use mask in the case that
> you don't want the service to start under any circumstances.

Yes, it was my question.

Dan,
what do you think about that?

Comment 6 Daniel Walsh 2012-10-24 14:57:38 UTC
I think we should add interfaces for this and obviously unconfined_t should be allowed to do it.

Comment 7 Daniel Walsh 2012-10-24 15:06:52 UTC
I added this to f06014decd66106ec2c82e7229db4f27758db80b

Comment 8 Miroslav Grepl 2012-10-24 15:31:19 UTC
Ok, Fixed in selinux-policy-3.11.1-44.fc18

Comment 9 Fedora Update System 2012-10-26 15:39:18 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 10 Fedora Update System 2012-10-26 19:28:48 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-12-20 15:08:08 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

