30

When I run

sudo systemctl disable avahi-daemon.socket

I get

Failed to execute operation: Access denied

But it's run as root, how can access be denied? (CentOS 7)

spraff
  • 2,458

3 Answers3

40

I also work on CentOS 7, and had a similar issue:

# systemctl unmask tmp.mount
Failed to execute operation: Access denied

The denial has to do with SELinux. This can be your case if you are running SELinux in enforcing mode:

# getenforce
Enforcing

In my case, the systemctl error had produced an USER_AVC denial in SELinux log file, /var/log/audit/audit.log:

type=USER_AVC msg=audit(1475497680.859:2656): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl unmask tmp.mount" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Solution

This article states that it is due to a bug in systemd, and provides a work around:

systemctl daemon-reexec

Secondary solution

If the above did not work, you can set SELinux mode to permissive:

setenforce 0

and it should work fine. However, this 2nd solution has security implications.

Elouan Keryell-Even
  • 888
34

In my case, I had just upgraded systemd and any systemctl command was failing:

# systemctl daemon-reexec
Failed to reload daemon: Access denied
# systemctl status
Failed to read server status: Access denied

However according to the init manpage, you can do the same thing by sending SIGTERM to the daemon running as PID 1, which worked:

kill -TERM 1

This reloaded the daemon, after which all the systemctl commands started working again.

Malvineous
  • 2,798
4

Neither solution worked for me. It turned out there was a missing = sign on one of the lines in my .service file. I discovered this by looking /var/log/messages and saw an error there that was more descriptive. So the Access Denied was misleading. It was not a really a security problem.

Jon
  • 51