selinux preventing systemd services

asked 2015-09-18 12:28:46 -0600

the latest dnf changes I made were

Command Line : install policycoreutils-sandbox

Command Line : install policycoreutils-newrole

(I wanted to check out the sandbox features)

and a system update before that (details at question's end) - I suspect the update was not the cause because I do these actions regularly and believe I did at least a few after the update but before playing with the sandbox

I have since removed both of those but I suspect a setting has stuck around that's causing problems

$ systemctl --user stop vboxvmservice.service

Failed to stop vboxvmservice.service: Access denied

Failed to get load state of vboxvmservice.service: Access denied

here's the journalctl

Sep 18 13:05:41 samain systemd[1353]: Can't send to audit system: USER_AVC avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/home/sam/.config/systemd/user/vboxvmservice.service" cmdline="systemctl --user stop vboxvmservice.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=service exe=2F7573722F6C69622F73797374656D642F73797374656D64202864656C6574656429 sauid=0 hostname=? addr=? terminal=?

and there's nothing in the /var/log/audit/audit.log

another symptom - when trying to switch TTYs this is in the journal

Sep 18 13:10:01 samain systemd-logind[987]: Failed to start autovt@tty8.service : Access denied

another one (as root)

type=USER_AVC msg=audit(1442596423.976:1429): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/getty@.service" cmdline="systemctl stop getty@tty9.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

$ systemctl stop getty@tty9.service

gives the terminal message

Failed to stop getty@tty9.service : Access denied

audit.log

type=USER_AVC msg=audit(1442596423.976:1429): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/getty@.service" cmdline="systemctl stop getty@tty9.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

and the journal

Sep 18 13:15:47 samain polkitd[1045]: Registered Authentication Agent for unix-process:19248:16223320 (system bus name :1.208 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)

Sep 18 13:15:47 samain audit[1]: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/getty@.service" cmdline="systemctl stop getty@tty9.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Sep 18 13:15:47 samain audit[1]: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status ...

1 Answer

answered 2015-09-19 12:08:45 -0600

dremor56

updated 2015-09-19 12:41:46 -0600

It seems to be this bug: https://bugzilla.redhat.com/show_bug....

Workaround: sudo systemctl daemon-reexec

Comments

the root based terminal switching works after doing this but the user services are unaffected; with setenforce 0 this works, with setenforce 1 I get issues

$ systemctl --user stop awar.service

same messages as above, nothing in /var/log/audit/audit.log

How much more detail do I need to put this over in the bugzilla?

sksharma (2015-09-19 13:13:26 -0600)

this Workaround did not work directly but following the bug report, a reboot did

I am still not sure if installing the sandbox policies and utilities had anything to do with this in my case - next time I experiment with that I'll try to come back and update this

sksharma (2015-09-22 06:01:37 -0600)
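
A parser for the USER_AVC records quoted in the question, as an added example that is not part of the original thread; the function and variable names are this example's own. It decodes the hex-encoded exe field, which in the user-session record reads "/usr/lib/systemd/systemd (deleted)": that process was still running a systemd binary no longer present on disk, which is consistent with the daemon-reexec and reboot remedies mentioned in the thread.

```python
import re

# Audit hex-encodes string fields holding spaces or other special bytes.
# Decode only these: numeric fields such as auid=1000 also look like hex.
STRING_FIELDS = {"exe", "path", "cmdline", "comm"}
PERM_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_value(key, raw):
    """Return the readable form of one key=value field."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_user_avc(line):
    """Parse one USER_AVC denial; return None if the line has no denial."""
    perm = PERM_RE.search(line)
    if perm is None:
        return None
    fields = FIELD_RE.findall(line[perm.end():])
    rec = {key: decode_value(key, raw) for key, raw in fields}
    rec["perms"] = perm.group(1).split()
    # The kernel appends " (deleted)" to the exe path once the binary has been
    # unlinked, e.g. replaced by a package update while the process kept running.
    rec["exe_deleted"] = rec.get("exe", "").endswith(" (deleted)")
    return rec

# Both records are copied from the question, trimmed to the fields used here.
USER_SESSION = (
    'USER_AVC avc: denied { status } for auid=1000 uid=1000 gid=1000 '
    'path="/home/sam/.config/systemd/user/vboxvmservice.service" '
    'cmdline="systemctl --user stop vboxvmservice.service" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:config_home_t:s0 tclass=service '
    'exe=2F7573722F6C69622F73797374656D642F73797374656D64202864656C6574656429')
PID1 = (
    "msg='avc: denied { status } for auid=1000 uid=0 gid=0 "
    'path="/usr/lib/systemd/system/getty@.service" '
    'cmdline="systemctl stop getty@tty9.service" '
    'tcontext=system_u:object_r:getty_unit_file_t:s0 tclass=service '
    'exe="/usr/lib/systemd/systemd"')

if __name__ == "__main__":
    for name, line in (("user session", USER_SESSION), ("pid 1", PID1)):
        rec = parse_user_avc(line)
        print(name, rec["perms"], rec["tcontext"], repr(rec["exe"]),
              "stale binary" if rec["exe_deleted"] else "binary on disk")
```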
