Bug 2165508

Summary: Use of AUTORELABEL=0 to enable manual fix labeling leads to sulogin: tcgetattr failed
Product: Red Hat Enterprise Linux 9
Component: policycoreutils
Version: 9.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: All
OS: Unspecified
Reporter: Welterlen Benoit <bwelterl>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mmalik, plautrba, vmojzis
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Fixed In Version: policycoreutils-3.5-0.rc2.3.el9
Doc Type: No Doc Update
Last Closed: 2023-05-09 08:25:00 UTC
Type: Bug

Description Welterlen Benoit 2023-01-30 10:06:43 UTC
Description of problem:
When trying to use the option AUTORELABEL=0 in /etc/selinux/config to enter a shell and manually fix labels, it fails with:

---
Jan 27 15:35:30 localhost selinux-autorelabel[765]: *** Warning -- SELinux mls policy relabel is required.
Jan 27 15:35:30 localhost selinux-autorelabel[765]: *** /etc/selinux/config indicates you want to manually fix labeling
Jan 27 15:35:30 localhost selinux-autorelabel[765]: *** problems. Dropping you to a shell; the system will reboot
Jan 27 15:35:30 localhost selinux-autorelabel[765]: *** when you leave the shell.
Jan 27 15:35:30 localhost selinux-autorelabel[770]: sulogin: tcgetattr failed: Inappropriate ioctl for device
---

Version-Release number of selected component (if applicable):
RHEL9
selinux-policy-mls-34.1.29-1.el9_0.2.noarch
policycoreutils-3.3-6.el9_0.x86_64

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33


How reproducible:
always

Steps to Reproduce:
1. put AUTORELABEL=0 in /etc/selinux/config
2. reboot
3.

Actual results:
sulogin: tcgetattr failed: Inappropriate ioctl for device

Expected results:
access to shell without error

Additional info:

Comment 1 Petr Lautrbach 2023-02-03 16:34:58 UTC
selinux-autorelabel.service needs StandardInput=tty for this particular case. tty was dropped from the service back in 2019 as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1634661 so we can't simply bring it back. But it's possible to use tty conditionally based on AUTORELABEL variable:

~~~
diff --git a/selinux-autorelabel-generator.sh b/selinux-autorelabel-generator.sh
index be6048766dcc..d9380b8be75b 100644
--- a/selinux-autorelabel-generator.sh
+++ b/selinux-autorelabel-generator.sh
@@ -18,6 +18,15 @@ fi
 set_target ()
 {
     ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+    AUTORELABEL="1"
+    source /etc/selinux/config
+    if [ "$AUTORELABEL" = "0" ]; then
+        mkdir -p "$earlydir/selinux-autorelabel.service.d"
+        cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
+[Service]
+StandardInput=tty
+EOF
+    fi
 }
 
 if selinuxenabled; then
~~~
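
Review bot: `source /etc/selinux/config` in set_target() runs the whole config file as shell code just to read one key, so any line in it that is not a plain assignment is executed by the generator, and every other variable in the file (not only AUTORELABEL) lands in the script's scope. Consider extracting only the AUTORELABEL value (for example with sed or grep on `^AUTORELABEL=`) and comparing that to "0"; this also keeps the `AUTORELABEL="1"` default when the file is missing or unreadable, where `source` reports an error. If this script is meant to run under a POSIX sh rather than bash, `.` is the portable spelling of `source`. The heredoc body contains no expansions, so `<<'EOF'` would make that intent explicit.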

Rawhide and centosstream 9 testing builds are available at https://copr.fedorainfracloud.org/coprs/plautrba/autorelabel0/
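
The error in the report, reproduced as an added example (not code from the bug report or from policycoreutils/sulogin): `tcgetattr()` fails with ENOTTY, which glibc prints as "Inappropriate ioctl for device", whenever the descriptor it is given is not a terminal, which is what a service sees on stdin without `StandardInput=tty`. The helper names `tty_attr_errno` and `probe_path` are hypothetical, and `/dev/null` and `/dev/ptmx` are used only as stand-ins for a non-terminal and a terminal descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Return 0 if fd is a terminal whose attributes can be read, otherwise
 * the errno set by tcgetattr() (ENOTTY for files, pipes and /dev/null). */
int tty_attr_errno(int fd)
{
    struct termios tio;

    if (tcgetattr(fd, &tio) == 0)
        return 0;
    return errno;
}

/* Open path, probe it and close it again.
 * Returns the probe result, or the errno from open() if it cannot be opened. */
int probe_path(const char *path)
{
    int fd = open(path, O_RDWR | O_NOCTTY);
    int rc;

    if (fd < 0)
        return errno;
    rc = tty_attr_errno(fd);
    close(fd);
    return rc;
}

static void report(const char *what, int rc)
{
    printf("%-10s %s\n", what, rc ? strerror(rc) : "terminal, tcgetattr ok");
}

int main(void)
{
    /* Non-terminal stdin stand-in: the case that made sulogin fail. */
    report("/dev/null", probe_path("/dev/null"));
    /* A pseudo-terminal master, if this system provides one. */
    report("/dev/ptmx", probe_path("/dev/ptmx"));
    /* Whatever this process was actually started with on stdin. */
    report("stdin", tty_attr_errno(STDIN_FILENO));
    return 0;
}
```

Running it once from an interactive shell and once with `< /dev/null` shows the stdin line flip between the two outcomes.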

Comment 11 errata-xmlrpc 2023-05-09 08:25:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (policycoreutils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2561