Bug 1419946

Summary: "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update
Product: [Fedora] Fedora
Reporter: Jan Pokorný [poki] <jpokorny>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: rawhide
CC: awilliam, cov, dominick.grift, dwalsh, gmarr, jeremy.linton, lvrabec, mgrepl, petersen, plautrba, pmoore, pwhalen, robatino, ssekidde
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-239.fc26
Doc Type: If docs needed, set a value
Last Closed: 2017-02-15 02:22:22 UTC
Type: Bug
Bug Blocks: 1349186    

Description Jan Pokorný [poki] 2017-02-07 13:34:39 UTC
Likely relevant in audit.log incl. single systemd instance:

type=AVC msg=audit(1486473506.809:320): avc:  denied  { connectto } for  pid=1489 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:321): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:322): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1486473509.525:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486473509.525:324): avc:  denied  { connectto } for  pid=1 comm="systemd" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.554:325): avc:  denied  { connectto } for  pid=1490 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:326): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:327): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
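
The `path=002F6F72...` field in these denials is logged as bare hex because the socket name begins with a NUL byte, i.e. it is an abstract-namespace UNIX socket. The Python below is an added example, not part of the original report: it decodes that field and groups the denials by source type, target type, class and socket path. The function names are illustrative, and the sample records are copied from the description above.

```python
import re
from collections import Counter

# Records copied from the bug description (one SERVICE_START line kept to show it is skipped).
SAMPLE = """\
type=AVC msg=audit(1486473506.809:320): avc:  denied  { connectto } for  pid=1489 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:321): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:322): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1486473509.525:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486473509.525:324): avc:  denied  { connectto } for  pid=1 comm="systemd" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_path(raw):
    """Quoted values are literal; unquoted values are hex-encoded by the audit subsystem."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return raw  # e.g. "(null)": not hex, return unchanged
    text = data.decode("utf-8", "backslashreplace")
    # Leading NUL = abstract socket; render it as '@', the notation ss and lsof use.
    return "@" + text[1:] if data[:1] == b"\0" else text

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "comm": f["comm"].strip('"'),
        "source": f["scontext"].split(":")[2],  # SELinux type of the caller
        "target": f["tcontext"].split(":")[2],  # SELinux type of the socket's peer
        "tclass": f["tclass"],
        "path": decode_path(f.get("path", '""')),
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, decoded path)."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return Counter((r["source"], r["target"], r["tclass"], r["path"]) for r in recs)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Run over the full log, this shows both `init_t` and `getty_t` being denied `connectto` on the journal stdout socket and on `@/org/freedesktop/plymouthd`, with the peer labelled `kernel_t` in every case.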

Comment 1 Paul Whalen 2017-02-07 20:37:28 UTC
Also hitting this after upgrading to selinux-policy-3.13.1-236.fc26.noarch on aarch64 and armhfp.

Comment 2 Paul Whalen 2017-02-08 19:06:39 UTC
Serial console login isn't possible. Nominating as a blocker for F26 Alpha - "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles"

Comment 3 Adam Williamson 2017-02-08 19:07:58 UTC
This is breaking just about every openQA test, also (they wind up at a login prompt, but on tty6 with the Plymouth color scheme...)

+1 blocker.

Comment 4 Adam Williamson 2017-02-08 19:20:00 UTC
Booting with enforcing=0 does indeed seem to resolve this, so it definitely looks like an SELinux issue.

Comment 5 Geoffrey Marr 2017-02-13 19:52:34 UTC
Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Beta) as it violates the following Beta blocker criteria:

"The installer must be able to complete an installation using the serial console interface." combined with "A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention"

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

Comment 6 Jan Pokorný [poki] 2017-02-13 20:31:31 UTC
Confirming this issue went away with -239.fc26 package + reboot.

Comment 7 Jens Petersen 2017-02-15 02:18:52 UTC
Yep, looks good to me too, thanks

Comment 8 Adam Williamson 2017-02-15 02:22:22 UTC
Yeah, this is confirmed fixed in the 20170213.n.1 and 20170214.n.0 composes.