Bug 1933902

Summary: selinux prevents systemd early debug-shell from working
Product: Fedora
Component: selinux-policy
Version: 34
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Chris Murphy <bugzilla>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, bugzilla, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela
Keywords: Triaged
Whiteboard: AcceptedFreezeException
Fixed In Version: selinux-policy-3.14.7-25.fc34
Type: Bug
Bug Blocks: 1829023
Last Closed: 2021-03-16 00:29:01 UTC
Attachments: journal.log

Description Chris Murphy 2021-03-02 01:03:34 UTC
Created attachment 1760121 [details]
journal.log

Description of problem:

[chris@fmac ~]$ systemctl status debug-shell.service 
× debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
     Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2021-03-01 17:49:29 MST; 8min ago
       Docs: man:systemd-debug-generator(8)
    Process: 579 ExecStart=/bin/sh (code=exited, status=208/STDIN)



Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-23.fc34.noarch

How reproducible:
Always


Steps to Reproduce:
1. systemctl enable debug-shell.service
2. reboot

Actual results:

Multiple instances of:

[    7.079494] systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
[    7.083976] kernel: audit: type=1130 audit(1614618011.508:71): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    7.084956] systemd[1]: Starting Create list of static device nodes for the current kernel...
[    7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc:  denied  { watch watch_reads } for  pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[    7.090205] systemd[550]: debug-shell.service: Failed to set up standard input: Permission denied
[    7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)



Expected results:

The service should start


Additional info:

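Added example, not part of the bug report, the selinux-policy package or the fix in PR #627: a POSIX shell script that turns the AVC denial quoted above into the allow rule audit2allow would generate, and wraps it in a local policy module as a stopgap until selinux-policy-3.14.7-25.fc34 is installed. The audit line is constructed from the denial in the description; the module name local_debugshell and the rule body are the example's own assumptions (the upstream fix may grant the access differently).

```shell
#!/bin/sh
# Added example (not from the bug report or fedora-selinux/selinux-policy):
# derive the TE rule an "avc: denied" line implies, print a .te module
# around it, and optionally compile and load it. Module name and rule
# body are assumptions of this example, not the contents of PR #627.

# Constructed sample: the denial reported for debug-shell.service, in the
# one-line form `ausearch -m avc` prints.
SAMPLE_AVC='type=AVC msg=audit(1614618011.514:72): avc:  denied  { watch watch_reads } for  pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0'

# avc_to_allow: read "avc: denied" lines on stdin, print one
# "allow <src> <tgt>:<class> { perms };" rule per line. Only the type
# component (third field) of scontext/tcontext is used; MLS level and
# role are dropped, as audit2allow does for plain allow rules.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # keep text after "{ "
        sub(/ *[}].*$/, "", perms)      # cut at " }"
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# te_module NAME: read allow rules (in avc_to_allow's format) on stdin
# and print a complete .te source with a require block derived from them.
te_module() {
    awk -v name="$1" '
    BEGIN { printf "module %s 1.0;\n\nrequire {\n", name }
    $1 == "allow" {
        split($3, tc, ":")              # tc[1]=target type, tc[2]=class
        types[$2] = 1; types[tc[1]] = 1
        perms = ""
        for (i = 5; i < NF; i++) perms = perms $i " "   # fields inside { }
        classes[tc[2]] = classes[tc[2]] perms
        rules = rules $0 "\n"
    }
    END {
        for (t in types)   printf "    type %s;\n", t
        for (c in classes) printf "    class %s { %s};\n", c, classes[c]
        printf "}\n\n%s", rules
    }'
}

# install_local_module NAME: compile and load the module built from the
# rules on stdin. Needs checkpolicy and policycoreutils and root; kept in
# a function so the script still runs where they are absent.
install_local_module() {
    name=$1
    tmp=$(mktemp -d) || return 1
    te_module "$name" > "$tmp/$name.te"
    checkmodule -M -m -o "$tmp/$name.mod" "$tmp/$name.te" &&
        semodule_package -o "$tmp/$name.pp" -m "$tmp/$name.mod" &&
        semodule -i "$tmp/$name.pp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# sample_rule: the allow rule derived from the constructed denial.
sample_rule() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

sample_rule
sample_rule | te_module local_debugshell
# To load it for real (root, checkpolicy installed):
#   sample_rule | install_local_module local_debugshell
# Confirm the grant with setools, then remove the module once the fixed
# selinux-policy build is installed (semodule -r local_debugshell):
#   sesearch -A -s init_t -t tty_device_t -c chr_file -p watch
```

The stopgap rule is as broad as the denial: it lets init_t watch every tty_device_t node, not just /dev/tty9, so it belongs in a clearly named module that is removed after the package update rather than left in the local policy.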
Comment 1 Zdenek Pytela 2021-03-02 20:01:19 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/627

Comment 2 Fedora Blocker Bugs Application 2021-03-02 23:08:43 UTC
Proposed as a Freeze Exception for 34-beta by Fedora user chrismurphy using the blocker tracking app because:

 Early debug shell is used for debugging, it'd be nice to have it working for beta release.

Comment 3 Adam Williamson 2021-03-03 17:46:48 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/276 , marking accepted.

Comment 4 Zdenek Pytela 2021-03-03 18:13:04 UTC
PR merged, will be in the next package build.

Comment 5 Adam Williamson 2021-03-11 19:17:44 UTC
*** Bug 1937580 has been marked as a duplicate of this bug. ***

Comment 6 Adam Williamson 2021-03-11 21:59:06 UTC
Zdenek, can we please get a package build? We are already building Beta candidates and it would be very good to have this fixed in them.

Comment 7 Zdenek Pytela 2021-03-11 22:06:07 UTC
Both F34 and F35 are already in process, there are dist-git PRs waiting for CI to finish.

Comment 8 Fedora Update System 2021-03-12 15:44:01 UTC
FEDORA-2021-1e99f2ed79 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

Comment 9 Fedora Update System 2021-03-12 18:57:04 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-03-16 00:29:01 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.