Bug 1932053

Summary: Running `agetty --reload` interactively results in wrongly labeled /run/agetty.reload file
Product: [Fedora] Fedora
Reporter: Jonathan Lebon <jlebon>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: ASSIGNED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 39
CC: dustymabe, dwalsh, grepl.miroslav, kfan, lvrabec, mmalik, omosnace, vmojzis, zpytela
Keywords: Reopened, Triaged
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-12-13 15:18:40 UTC
Type: Bug

Description Jonathan Lebon 2021-02-23 20:00:27 UTC
Description of problem:

From https://github.com/coreos/fedora-coreos-config/pull/859#issuecomment-783713383.

When `agetty` is run by systemd, it creates `/run/agetty.reload` with the right context. When `agetty --reload` is run interactively, it creates `/run/agetty.reload` with the wrong context:

```
[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# systemctl restart serial-getty
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root system_u:object_r:getty_var_run_t:s0 0 Feb 22 22:11 /run/agetty.reload
[root@cosa-devsh ~]# systemctl stop serial-getty
[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# agetty --reload
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root unconfined_u:object_r:var_run_t:s0 0 Feb 22 22:10 /run/agetty.reload
```

Version-Release number of selected component (if applicable):

```
[root@cosa-devsh ~]# rpm -q selinux-policy util-linux
selinux-policy-3.14.8-3.fc35.noarch
util-linux-2.36.2-1.fc35.x86_64
```

How reproducible:

100% of the time

Steps to Reproduce:
1. See above

Actual results:

/run/agetty.reload has context var_run_t

Expected results:

/run/agetty.reload has context getty_var_run_t

Additional info:

I think this is because when running agetty interactively, it doesn't actually transition to getty_t. So the filename transition rule doesn't take place.

Comment 1 Zdenek Pytela 2021-03-15 09:30:44 UTC
Jonathan,

I can reproduce it and confirm your findings. Just wondering what is the use case: Are there still some getty@ services running? Why is the /run/agetty.reload file manually removed?

According to agetty(8):
       --reload
              Ask  all  running  agetty instances to reload and update their displayed
              prompts, if the user has not yet commenced logging in.  After  doing  so
              the  command  will  exit.   This feature might be unsupported on systems
              without Linux inotify(7).

If the file is not removed, --reload does not create a new one.

Comment 2 Jonathan Lebon 2021-03-15 14:54:56 UTC
There is more info in https://github.com/coreos/fedora-coreos-config/pull/859, but essentially: in FCOS we have a service called console-login-helper-messages (https://github.com/coreos/console-login-helper-messages) which creates .issue files for things like SSH host keys and network interface IP addresses so that they show up at the getty console prompt. This service is dynamic and reruns whenever e.g. new network devices come online or go offline. To force any open getty prompts to redraw the latest issue files, it calls `agetty --reload`.

What happens is that if console-login-helper-messages runs earlier than getty@, the `agetty --reload` call will create `/run/agetty.reload` for the first time, which will cause it to have the wrong label as above.

Of course, this generalizes to any service (or really, even SSH users) which runs `agetty --reload` while the system is still booting.

Comment 3 Dusty Mabe 2021-04-29 13:02:47 UTC
I'm seeing this denial in F34 FCOS. What's the path forward on fixing the problem here?

Comment 4 Jonathan Lebon 2021-06-03 13:49:25 UTC
Hi Zdenek, any way we can move this forward? We're currently carrying a workaround for this in FCOS which would be nice to drop.

Comment 5 Ben Cotton 2021-08-10 13:47:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 6 Zdenek Pytela 2022-03-01 19:09:04 UTC
(In reply to Jonathan Lebon from comment #4)
> Hi Zdenek, any way we can move this forward? We're currently carrying a
> workaround for this in FCOS which would be nice to drop.

Jonathan,

Is this still an issue which needs to be addressed in selinux-policy?

Comment 7 Jonathan Lebon 2022-03-04 14:38:12 UTC
Yes, this is still an issue:

```
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root system_u:object_r:getty_var_run_t:s0 0 Mar  4 14:36 /run/agetty.reload
[root@cosa-devsh ~]# systemctl stop serial-getty
[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# agetty --reload
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root unconfined_u:object_r:var_run_t:s0 0 Mar  4 14:37 /run/agetty.reload
```

Comment 8 Zdenek Pytela 2022-03-04 15:53:21 UTC
(In reply to Jonathan Lebon from comment #2)
> What happens is that if console-login-helper-messages runs earlier than
> getty@, the `agetty --reload` call will create `/run/agetty.reload` for the
> first time, which will cause it to have the wrong label as above.
I am currently working on selinux-policy support for nm-dispatcher plugins. Are these scripts started only by nm-dispatcher?

Comment 10 Ben Cotton 2022-11-29 16:52:53 UTC
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 11 Ben Cotton 2022-12-13 15:18:40 UTC
Fedora Linux 35 entered end-of-life (EOL) status on 2022-12-13.

Fedora Linux 35 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 12 Jonathan Lebon 2022-12-19 16:06:07 UTC
This is still an issue in Fedora 37:

```
[root@cosa-devsh ~]# rpm -q selinux-policy
selinux-policy-37.15-1.fc37.noarch
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-r--r--. 1 root root system_u:object_r:getty_var_run_t:s0 0 Dec 19 16:04 /run/agetty.reload
[root@cosa-devsh ~]# systemctl stop serial-getty
[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# agetty --reload
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root unconfined_u:object_r:var_run_t:s0 0 Dec 19 16:05 /run/agetty.reload
```

Comment 13 Aoife Moloney 2023-11-23 00:04:51 UTC
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 14 Jonathan Lebon 2023-11-23 15:00:47 UTC
This is still an issue in Fedora 39:

```
root@cosa-devsh:~# rpm -q selinux-policy
selinux-policy-39.1-1.fc39.noarch
root@cosa-devsh:~# ls -lZ /run/agetty.reload
-rw-r--r--. 1 root root system_u:object_r:getty_var_run_t:s0 0 Nov 23 14:59 /run/agetty.reload
root@cosa-devsh:~# systemctl stop serial-getty
root@cosa-devsh:~# rm /run/agetty.reload
root@cosa-devsh:~# agetty --reload
root@cosa-devsh:~# ls -lZ /run/agetty.reload
-rw-------. 1 root root unconfined_u:object_r:var_run_t:s0 0 Nov 23 15:00 /run/agetty.reload
```
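
A label check for the file discussed in this report, as an added example that is not part of the bug thread or of any project named in it. The path and the expected type `getty_var_run_t` come from the report; the function names are hypothetical, and the two sample contexts are copied from the `ls -lZ` output above.

```shell
#!/bin/sh
# Added example: audit the SELinux type of agetty's reload file.
# Function names are hypothetical; path and expected type are from the report.

EXPECTED_TYPE="getty_var_run_t"
RELOAD_FILE="/run/agetty.reload"

# Print the type field of a context of the form user:role:type[:level].
# The level may itself contain colons (e.g. s0:c0.c1023), so only field 3 is used.
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Classify a context string against an expected type.
# Prints "ok", "mislabeled:<type>", or "unknown" (empty or unparsable context,
# such as the "?" that stat prints when no SELinux context is available).
label_status() {
    ctx_type=$(context_type "$1")
    if [ -z "$ctx_type" ]; then
        echo "unknown"
    elif [ "$ctx_type" = "$2" ]; then
        echo "ok"
    else
        echo "mislabeled:$ctx_type"
    fi
}

# Check the live file: returns 0 if correctly labeled or absent,
# 1 if mislabeled, 2 if the context could not be determined.
check_reload_file() {
    [ -e "$RELOAD_FILE" ] || { echo "$RELOAD_FILE: absent"; return 0; }
    ctx=$(stat -c %C "$RELOAD_FILE" 2>/dev/null)
    status=$(label_status "$ctx" "$EXPECTED_TYPE")
    echo "$RELOAD_FILE: $status ($ctx)"
    case "$status" in
        ok) return 0 ;;
        mislabeled:*) return 1 ;;
        *) return 2 ;;
    esac
}

# Sample contexts taken from the report: systemd-started vs. interactive run.
for ctx in "system_u:object_r:getty_var_run_t:s0" \
           "unconfined_u:object_r:var_run_t:s0"; do
    echo "$ctx -> $(label_status "$ctx" "$EXPECTED_TYPE")"
done
```

On a live system, call `check_reload_file` after boot; a non-zero exit status of 1 indicates the file was first created outside the getty domain.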