Bug 2109691

Summary: systemctl rescue doesn't work from gnome-terminal
Product: Red Hat Enterprise Linux 8 Reporter: Eric Atwood <eric.atwood>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED MIGRATED QA Contact: Amith <apeetham>
Severity: high Docs Contact:
Priority: low    
Version: 8.6CC: dtardon, lvrabec, mmalik, systemd-maint-list
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: 8.9   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-16 17:43:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Atwood 2022-07-21 20:20:41 UTC 
Description of problem:
On a basic 8.6 system, the following command does not work:
# /usr/bin/systemctl rescue

Version-Release number of selected component (if applicable):
systemd-239-58

How reproducible:
Always
Steps to Reproduce:
1. systemctl rescue
2.
3.

Actual results:
sulogin: cannot read /dev/tty1: Bad file descriptor

It then resumes the default target

Expected results:
A prompt for the password to enter rescue mode

Additional info:
If you do setenforce 0 before entering the systemctl command, things work properly
Comment 1 Zdenek Pytela 2022-08-10 11:21:50 UTC 
I haven't managed to reproduce this issue. Is there any special setup needed?
Can you collect AVC denials?

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err
Comment 2 Eric Atwood 2022-08-11 15:44:37 UTC 
It was done as a straight 8.6 (minimal install), with no special setup required. It was installed into a VMware VM.
AVC collected after systemctl rescue (enforcing = 0)
----
type=USER_AVC msg=audit(07/12/2022 10:28:03.338:97) : pid=1074 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/11/2022 09:24:56.083:95) : pid=1076 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 

AVC collected after reboot, systemctl rescue (enforcing=1)
----
type=USER_AVC msg=audit(07/12/2022 10:28:03.338:97) : pid=1074 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/11/2022 09:24:56.083:95) : pid=1076 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(08/11/2022 09:29:29.626:157) : proctitle=/usr/bin/loadkeys -q -C /dev/tty1 -u us 
type=SYSCALL msg=audit(08/11/2022 09:29:29.626:157) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffe9e4c0f48 a2=O_RDWR a3=0x0 items=0 ppid=1598 pid=1620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=loadkeys exe=/usr/bin/loadkeys subj=system_u:system_r:loadkeys_t:s0 key=(null) 
type=AVC msg=audit(08/11/2022 09:29:29.626:157) : avc:  denied  { dac_override } for  pid=1620 comm=loadkeys capability=dac_override  scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(08/11/2022 09:29:29.626:158) : proctitle=/usr/bin/loadkeys -q -C /dev/tty1 -u us 
type=SYSCALL msg=audit(08/11/2022 09:29:29.626:158) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffe9e4c0f48 a2=O_WRONLY a3=0x0 items=0 ppid=1598 pid=1620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=loadkeys exe=/usr/bin/loadkeys subj=system_u:system_r:loadkeys_t:s0 key=(null) 
type=AVC msg=audit(08/11/2022 09:29:29.626:158) : avc:  denied  { dac_override } for  pid=1620 comm=loadkeys capability=dac_override  scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability permissive=0
Comment 3 Zdenek Pytela 2022-12-09 15:52:02 UTC 
I am sorry, still no luck with reproducing, deferring to 8.9.