Bug 2242287

Summary: loadkeys from kbd 2.6.1 triggers all mounts in the cwd
Product: [Fedora] Fedora
Reporter: Daan De Meyer <daan.j.demeyer>
Component: kbd
Assignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 39
CC: awilliam, gmarr, kparal, vcrhonek
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: AcceptedFreezeException RejectedBlocker
Fixed In Version: kbd-2.6.3-1.fc39
Doc Type: If docs needed, set a value
Last Closed: 2023-10-10 22:15:47 UTC
Bug Blocks: 2143447    

Description Daan De Meyer 2023-10-05 11:09:33 UTC
When we released systemd v254 which started running systemd-vconsole-setup.service more, we uncovered a bug in loadkeys where it tries to trigger all mounts in the cwd (https://github.com/legionus/kbd/issues/101). See https://github.com/systemd/systemd/issues/28677 where quite a few users ran into deadlocked systems because of this issue.

Additionally on Fedora, it causes selinux denials on boot because loadkeys now runs from a different cwd (/) and tries to access files it's not supposed to access.

The problem is fixed in kbd 2.6.3 but F39 ships kbd 2.6.1. Ideally F39 would upgrade to kbd 2.6.3 to resolve these issues.

Reproducible: Always

Steps to Reproduce:
1. Boot into a system with selinux where systemd-vconsole-setup.service runs during boot (anything with a graphical console)
2. Run journalctl -g AVC after boot to check selinux denials

Actual Results:  
```
Oct 05 12:33:48 fedora audit[445]: AVC avc:  denied  { read } for  pid=445 comm="loadkeys" name="init" dev="sda2" ino=2300 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=1
Oct 05 12:33:48 fedora audit[445]: AVC avc:  denied  { getattr } for  pid=445 comm="loadkeys" path="/usr/lib/systemd/systemd" dev="sda2" ino=9577 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass>
```

Expected Results:  
The system boots without selinux denials from loadkeys.
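
An added example, not part of the original report or of the kbd or systemd projects: a small Python filter for the check in step 2, which parses AVC denial lines and keeps those raised by loadkeys. The third sample record and its `example_t` domain are constructed; a line cut off as in the report is flagged rather than completed.

```python
import re
import sys

# First two records are the ones quoted in this report (the second is cut off
# there, ending in "tclass>"); the third is a constructed, unrelated denial.
SAMPLE = """\
Oct 05 12:33:48 fedora audit[445]: AVC avc:  denied  { read } for  pid=445 comm="loadkeys" name="init" dev="sda2" ino=2300 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=1
Oct 05 12:33:48 fedora audit[445]: AVC avc:  denied  { getattr } for  pid=445 comm="loadkeys" path="/usr/lib/systemd/systemd" dev="sda2" ino=9577 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass>
Oct 05 12:33:49 fedora audit[512]: AVC avc:  denied  { open } for  pid=512 comm="example" path="/tmp/x" dev="sda2" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A pager-truncated line loses its tail; mark it instead of guessing.
    rec["truncated"] = "tclass" not in rec
    return rec


def loadkeys_denials(lines):
    """Denials whose command is loadkeys or whose source domain is loadkeys_t."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        ctx = rec.get("scontext", "").split(":")
        if rec.get("comm") == "loadkeys" or (len(ctx) > 2 and ctx[2] == "loadkeys_t"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Usage on a live system: journalctl -b -g AVC --no-pager | python3 this_file.py
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    hits = loadkeys_denials(lines)
    for r in hits:
        target = r.get("path") or r.get("name")
        print(r["perms"], target, r.get("tcontext"), "(truncated)" if r["truncated"] else "")
    sys.exit(1 if hits else 0)
```

The script exits non-zero while loadkeys denials are still present, so it can be rerun after the kbd update to confirm they are gone.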

Comment 1 Fedora Blocker Bugs Application 2023-10-05 11:14:35 UTC
Proposed as a Blocker for 39-final by Fedora user daandemeyer using the blocker tracking app because:

 This issue can cause systems to deadlock on boot. Given that the fix is absolutely trivial (update kbd from 2.6.1 to 2.6.3 which is already in rawhide), I'm proposing this as a blocker.

Comment 2 Kamil Páral 2023-10-06 08:29:25 UTC
(In reply to Fedora Blocker Bugs Application from comment #1)
> Proposed as a Blocker for 39-final

Blocker review discussion thread:
https://pagure.io/fedora-qa/blocker-review/issue/1381

Comment 3 Fedora Update System 2023-10-06 08:43:37 UTC
FEDORA-2023-fa617966c7 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa617966c7

Comment 4 Adam Williamson 2023-10-06 19:12:00 UTC
+4 FE in https://pagure.io/fedora-qa/blocker-review/issue/1381 , marking as accepted FE.

Comment 5 Fedora Update System 2023-10-07 02:32:24 UTC
FEDORA-2023-fa617966c7 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fa617966c7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa617966c7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Kamil Páral 2023-10-09 11:05:31 UTC
I don't know how to check the fix. I wanted to verify that at least the SELinux AVCs are gone, but I just don't see those AVCs at all, even prior to the update. Running with systemd-254.1-2.fc39.x86_64 and kbd-2.6.1-2.fc39.x86_64 on F39 Workstation, there are no AVCs after boot.

Daan, can you verify the fix?

Comment 7 Daan De Meyer 2023-10-09 12:57:54 UTC
I cannot reproduce the selinux denials anymore on F39 with the updates-testing repository enabled, and kbd 2.6.3 is installed as expected, so I think this can be considered fixed.

Comment 8 Geoffrey Marr 2023-10-09 17:56:25 UTC
Discussed during the 2023-10-09 blocker review meeting: [0]

The decision to classify this bug as a "RejectedBlocker (Final)" was made as the configuration to hit it seems very uncommon so it's not serious enough to block the release on.

[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2023-10-09/f39-blocker-review.2023-10-09-16.00.txt

Comment 9 Kamil Páral 2023-10-10 09:50:46 UTC
If you want to push the fix, we need one more karma in the Bodhi update:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa617966c7

Comment 10 Fedora Update System 2023-10-10 22:15:47 UTC
FEDORA-2023-fa617966c7 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.