Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #871704

I can confirm this bug. It affects all units having:

- Non-standard SELinux type in /etc/init.d/ startup script (meaning, other than initrc_exec_t)
- No unit file in /lib/systemd/system or /etc/systemd/system (and thus are controlled by an autogenerated unit file)

ALL systemctl actions (start, stop, restart, status...) fail on these units in enforcing mode (but not in permissive mode). Error messages are e.g.:

root@pherkad:/etc/systemd/system# systemctl stop exim4
Failed to stop exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.
Failed to get load state of exim4.service: Access denied
root@pherkad:/etc/systemd/system# systemctl start exim4
Failed to start exim4.service: Access denied
See system logs and 'systemctl status exim4.service' for details.

The error is logged in audit.log (see above report), but audit2allow does not produce rules from that.

This also affects tab completion of all systemctl actions, as tab completion seems to trigger "systemctl status <unit-name>". This was reported in #879037 for refpolicy.

Possible workarounds: Either set the SELinux type of the offending init script to the standard initrc_exec_t, or create a simple systemd unit file for the affected service.

Offending services on my Debian 9.2 installations are exim4 and ntp, which are both standard services and installed by default.

Cheers,
Robert

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1     2.6-3+b3
ii  libsemanage1    2.6-2
ii  libsepol1       2.6-2
pn  policycoreutils <none>
pn  selinux-utils   <none>

Versions of packages selinux-policy-default recommends:
pn  checkpolicy <none>
pn  setools     <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck       <none>
pn  syslog-summary <none>
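
The following is an added example, not part of the original message or of any Debian package: a shell sketch that lists the init scripts meeting both conditions described in the report (type other than initrc_exec_t, and no unit file in the given unit directories). The function names are hypothetical, and it assumes a native unit would be named `<script>.service`.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Assumption: a native unit for /etc/init.d/<name> is called <name>.service.
#
# Usage on a live system (GNU stat prints the SELinux context with %C):
#   stat -c '%C %n' /etc/init.d/* | \
#       find_affected /lib/systemd/system /etc/systemd/system

# Extract the type (third colon-separated field) from a security context.
# Works with MLS ranges too, e.g. user:role:type:s0:c0.c1023.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; arguments are unit directories.
# Print "<service> <type>" for every script that matches both conditions.
find_affected() {
    while read -r ctx path; do
        # Skip blank or malformed lines.
        if [ -z "$path" ]; then continue; fi
        setype=$(selinux_type "$ctx")
        # No parsable type (e.g. SELinux disabled): nothing to report.
        if [ -z "$setype" ]; then continue; fi
        # Condition 1: type other than the standard initrc_exec_t.
        if [ "$setype" = "initrc_exec_t" ]; then continue; fi
        svc=$(basename "$path")
        # Condition 2: no unit file in any of the given directories,
        # so systemd falls back to an autogenerated unit.
        has_unit=no
        for dir in "$@"; do
            if [ -e "$dir/$svc.service" ]; then
                has_unit=yes
                break
            fi
        done
        if [ "$has_unit" = no ]; then
            printf '%s %s\n' "$svc" "$setype"
        fi
    done
    return 0
}
```

Each line of output names a service to which one of the two workarounds from the report applies.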