Bug 1257990 - systemctl shell: failed to get shell pty
Status: NEW (Reopened)
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware/OS: Unspecified / Unspecified
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-08-28 10:42 EDT by darrell pfeifer
Modified: 2017-08-18 11:51 EDT
Fixed In Version: selinux-policy-3.13.1-153.fc24
Doc Type: Bug Fix
Last Closed: 2015-11-05 11:57:24 EST
Type: Bug

Attachments:
journalctl log (6.53 KB, text/plain), 2015-09-25 06:20 EDT, darrell pfeifer
journalctl log again (4.21 KB, text/plain), 2015-10-02 10:26 EDT, darrell pfeifer
Latest messages (18.80 KB, text/x-vhdl), 2015-10-13 15:07 EDT, darrell pfeifer

Description darrell pfeifer 2015-08-28 10:42:09 EDT
Description of problem:

$ machinectl shell
Failed to get shell PTY: Message recipient disconnected from message bus without replying

Version-Release number of selected component (if applicable):

systemctl --version
systemd 225
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Comment 1 Jan Synacek 2015-08-31 03:53:30 EDT
This error is caused by SELinux:

Aug 31 07:47:13 rawhide-virt audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 31 07:47:13 rawhide-virt audit[485]: AVC avc:  denied  { read write } for  pid=485 comm="dbus-daemon" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
Comment 2 Jan Synacek 2015-08-31 05:29:12 EDT
On my other machine (rawhide as well), I'm also getting

Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for  pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406 scontext=system_u:system_r:init_t:s0 tcontext=unconfined
Aug 31 11:28:18 rawhide systemd[1865]: container-shell@1.service: Failed at step EXEC spawning /bin/sh: Permission denied
Comment 3 Miroslav Grepl 2015-08-31 06:54:51 EDT
(In reply to Jan Synacek from comment #2)
> On my other machine (rawhide as well), I'm also getting
> 
> Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for 
> pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406
> scontext=system_u:system_r:init_t:s0 tcontext=unconfined
> Aug 31 11:28:18 rawhide systemd[1865]: container-shell@1.service: Failed at
> step EXEC spawning /bin/sh: Permission denied

Yes, that's a problem which we will need to discuss. We will need to make it work to reflect SELinux users.
Comment 4 Miroslav Grepl 2015-08-31 07:16:04 EDT
The point is we have pam_selinux here so it requires "transition" perms. Also not sure if it reflects the MCS/MLS range. Need to do more testing.
Comment 5 Miroslav Grepl 2015-08-31 07:17:12 EDT
Dan, Dominick
any chance you have been playing with that?
Comment 6 Daniel Walsh 2015-09-11 15:24:49 EDT
What is machinectl shell supposed to do?  Start a shell within a container or VM?
Comment 7 Daniel Walsh 2015-09-11 15:30:22 EDT
time->Fri Sep 11 15:28:02 2015
type=USER_AVC msg=audit(1441999682.293:4830): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I am seeing the following when I execute that command on rawhide.  It looks like the SELinux/systemd code is broken.

We could probably add a transition from init_t to unconfined_t.  systemd should probably be matching the label of the pid 1 on a container.
Comment 9 darrell pfeifer 2015-09-24 15:24:07 EDT
It still fails to work correctly

[darrell@localhost ~]$ machinectl shell
Failed to get shell PTY: Message recipient disconnected from message bus without replying

selinux-policy.noarch  3.13.1-148.fc24  @koji
systemd.x86_64         226-3.fc24       @koji
Comment 10 Miroslav Grepl 2015-09-25 03:56:27 EDT
There would be a transition.

Could you attach AVCs?
Comment 11 darrell pfeifer 2015-09-25 06:20 EDT
Created attachment 1076987 [details]
journalctl log
Comment 12 darrell pfeifer 2015-10-02 10:26 EDT
Created attachment 1079458 [details]
journalctl log again
Comment 13 darrell pfeifer 2015-10-02 10:27:26 EDT
With selinux-policy-3.13.1-150.fc24 there is still no shell
Comment 14 Miroslav Grepl 2015-10-13 04:15:30 EDT
https://github.com/fedora-selinux/selinux-policy/commit/53c0f7b97b0165f46276ad20b28d694d6b5119f2

commit 53c0f7b97b0165f46276ad20b28d694d6b5119f2
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Oct 13 10:12:47 2015 +0200

    Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
Comment 15 darrell pfeifer 2015-10-13 15:07 EDT
Created attachment 1082614 [details]
Latest messages
Comment 16 darrell pfeifer 2015-10-13 15:08:58 EDT
Still fails to work

Failed to get shell PTY: No such file or directory

Latest log attached
Comment 17 darrell pfeifer 2015-11-05 11:57:24 EST
I believe this option is gone with the kdbus removal from rawhide. Looked in the man page and didn't see it any more.
Comment 18 Aaron Sowry 2016-02-21 17:19:53 EST
This bug probably still is valid - "machinectl shell" is no longer a valid subcommand, but "machinectl login" produces the same error on F23. Reported as BZ #1310464
Comment 19 Germano Massullo 2017-03-29 11:57:43 EDT
Confirming the problem on Fedora 25. Only by setting SELinux to permissive mode could I use the "machinectl shell" command.

SELinux is preventing (sh) from lock access on the file /var/log/lastlog.

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:lastlog_t:s0
Target Objects                /var/log/lastlog [ file ]
Source                        (sh)
Source Path                   (sh)
Port                          <Unknown>
Host                          host
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux host 4.10.5-200.fc25.x86_64 #1 SMP Wed
                              Mar 22 20:37:08 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-29 17:51:11 CEST
Last Seen                     2017-03-29 17:51:11 CEST

Raw Audit Messages
type=AVC msg=audit(1490802671.895:358): avc:  denied  { lock } for  pid=13847 comm="(sh)" path="/var/log/lastlog" dev="sdb2" ino=20948 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1

Hash: (sh),init_t,lastlog_t,file,lock
selinux-policy.noarch              3.13.1-225.11.fc25
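As an added example (not code from this bug report, from systemd or from selinux-policy), a small Python parser for the AVC and USER_AVC records quoted in comments 1, 2 and 19 above. It extracts source/target types, class and permissions, records whether each denial was actually enforced (permissive=0) or only logged, derives the allow rule audit2allow would print, and reproduces the setroubleshoot-style "Hash:" signature shown in comment 19. The truncated "tcontext=unconfined" line from comment 2 is handled as an incomplete record. The sample lines are copied from the comments; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Audit records copied from comments 1, 2 and 19 of this bug: two journal-style
# AVC lines, the truncated "tcontext=unconfined" line, and a raw ausearch-style line.
SAMPLE_LINES = [
    "Aug 31 07:47:13 rawhide-virt audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    'Aug 31 07:47:13 rawhide-virt audit[485]: AVC avc:  denied  { read write } for  pid=485 comm="dbus-daemon" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0',
    'Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for  pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406 scontext=system_u:system_r:init_t:s0 tcontext=unconfined',
    'type=AVC msg=audit(1490802671.895:358): avc:  denied  { lock } for  pid=13847 comm="(sh)" path="/var/log/lastlog" dev="sdb2" ino=20948 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1',
]

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_USER_AVC_RE = re.compile(r"Unknown permission (?P<perm>\w+) for class (?P<cls>\w+)")
_SUBJ_RE = re.compile(r"\bsubj=(?P<subj>\S+)")


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Type field of a user:role:type[:range] context, or None when the context
    is missing or truncated (comment 2's 'tcontext=unconfined' has no type)."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


@dataclass
class Denial:
    perms: frozenset
    scontext: str
    tcontext: Optional[str]
    tclass: Optional[str]
    comm: Optional[str]
    path: Optional[str]
    permissive: Optional[bool]  # None when the record was cut off before the field

    @property
    def enforced(self) -> Optional[bool]:
        """True when the kernel really blocked the access (permissive=0)."""
        return None if self.permissive is None else not self.permissive

    def allow_rule(self) -> Optional[str]:
        """Rule audit2allow would derive, or None when the record lacks a
        target type or object class."""
        src, tgt = context_type(self.scontext), context_type(self.tcontext)
        if not (src and tgt and self.tclass):
            return None
        return "allow %s %s:%s { %s };" % (src, tgt, self.tclass, " ".join(sorted(self.perms)))

    def hash_key(self) -> str:
        """Signature in the style of setroubleshoot's 'Hash:' line (comment 19)."""
        return ",".join([self.comm or "?", context_type(self.scontext) or "?",
                         context_type(self.tcontext) or "?", self.tclass or "?",
                         " ".join(sorted(self.perms))])


@dataclass
class UnknownPermission:
    """USER_AVC record: the caller asked about a permission the loaded policy
    does not define for that class (a policy/userspace mismatch, not a denial)."""
    permission: str
    tclass: str
    subject_type: Optional[str]


def parse_audit_line(line: str):
    """Return a Denial, an UnknownPermission, or None for unrelated lines."""
    m = _AVC_RE.search(line)
    if m:
        kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
        perm = kv.get("permissive")
        return Denial(perms=frozenset(m.group("perms").split()),
                      scontext=kv.get("scontext", ""), tcontext=kv.get("tcontext"),
                      tclass=kv.get("tclass"), comm=kv.get("comm"), path=kv.get("path"),
                      permissive=None if perm is None else perm == "1")
    m = _USER_AVC_RE.search(line)
    if m:
        s = _SUBJ_RE.search(line)
        return UnknownPermission(m.group("perm"), m.group("cls"),
                                 context_type(s.group("subj")) if s else None)
    return None


def triage(lines):
    """Bucket records: enforced denials are what actually broke the command;
    permissive-mode and unknown-permission records are reported separately."""
    out = {"enforced": [], "permissive": [], "unknown_perm": [], "incomplete": []}
    for line in lines:
        rec = parse_audit_line(line)
        if isinstance(rec, UnknownPermission):
            out["unknown_perm"].append(rec)
        elif isinstance(rec, Denial):
            if rec.enforced is None:
                out["incomplete"].append(rec)
            else:
                out["enforced" if rec.enforced else "permissive"].append(rec)
    return out


if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_LINES).items():
        for rec in records:
            print(bucket, rec.allow_rule() if isinstance(rec, Denial) else rec)
```

Two points the buckets make visible: the comment 19 record was captured with permissive=1, so it documents what the policy would block but not what blocked the command in enforcing mode, and the USER_AVC "Unknown permission" record is not a denial at all but a sign that the loaded policy predates the permission systemd is checking for.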
Comment 20 Enrico Tagliavini 2017-05-31 08:46:12 EDT
Confirmed

With SELinux in enforcing mode and default targeted policy, running

# whoami
root
# machinectl shell --uid=root
Failed to get shell PTY: Access denied

even when run as root (if not, the password prompt will escalate, if I understand correctly).

Switching SELinux to permissive mode with setenforce 0 makes it work. It's not a solution; it's just to point to SELinux as the source of the problem. The audit logs are not showing any AVC, even if built with dontaudit disabled (semodule -BD), which puzzles me.

Strace-ing systemd-machined shows

8800  open("/dev/ptmx", O_RDWR|O_NOCTTY|O_CLOEXEC) = 8
8800  ioctl(8, TIOCSPTLCK, [0])         = 0
8800  ioctl(8, TIOCGPTN, [14])          = 0
8800  open("/dev/pts/14", O_RDWR|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
8800  close(8)                          = 0
8800  sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\3\1\1\26\0\0\0B\0\0\0O\0\0\0\5\1u\0\3\0\0\0\6\1s\0\6\0\0\0:1.164\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\10\1g\0\1s\0\0", iov_len=96}, {iov_base="\21\0\0\0Permission denied\0", iov_len=22}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 118

So it could be that systemd_machined_t cannot access user_devpts_t
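A diagnostic, added here and not part of this bug or of systemd, that replays the PTY allocation sequence from the strace above (open /dev/ptmx, TIOCSPTLCK, TIOCGPTN, open the slave) one step at a time, recording which step fails and with which errno, together with the two labels a matching AVC would carry: the caller's context from /proc/self/attr/current and the slave's security.selinux xattr. The function names and the result layout are my own; the ioctl numbers are the asm-generic Linux values, used only when the termios module does not export them.

```python
import errno
import fcntl
import os
import struct
import termios

# ioctl numbers behind glibc's unlockpt()/ptsname(); asm-generic values
# (x86, x86_64, arm, aarch64), overridden by termios where it exports them.
TIOCSPTLCK = getattr(termios, "TIOCSPTLCK", 0x40045431)
TIOCGPTN = getattr(termios, "TIOCGPTN", 0x80045430)


def selinux_label(path):
    """SELinux context stored in a file's security.selinux xattr, or None when
    the path is missing or the kernel has no label to report."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def current_process_label():
    """Context this process runs under (the scontext a denial would show)."""
    try:
        with open("/proc/self/attr/current", "rb") as f:
            return f.read().rstrip(b"\0").decode() or None
    except OSError:
        return None


def probe_pty_allocation():
    """Replay systemd-machined's strace'd sequence and report per-step results.
    Returns {"scontext", "steps": [{"step", "ok"[, "errno"]}], "slave", "slave_label"}."""
    result = {"scontext": current_process_label(), "steps": [],
              "slave": None, "slave_label": None}
    master = None

    def step(name, fn):
        try:
            value = fn()
        except OSError as e:
            result["steps"].append({"step": name, "ok": False,
                                    "errno": errno.errorcode.get(e.errno, str(e.errno))})
            return None
        result["steps"].append({"step": name, "ok": True})
        return value

    flags = os.O_RDWR | os.O_NOCTTY | os.O_CLOEXEC
    try:
        master = step("open /dev/ptmx", lambda: os.open("/dev/ptmx", flags))
        if master is None:
            return result
        # unlockpt(): clear the slave lock so the slave may be opened
        step("ioctl TIOCSPTLCK", lambda: fcntl.ioctl(master, TIOCSPTLCK, struct.pack("i", 0)))
        # ptsname(): ask the kernel which /dev/pts/N belongs to this master
        raw = step("ioctl TIOCGPTN", lambda: fcntl.ioctl(master, TIOCGPTN, struct.pack("i", 0)))
        if raw is None:
            return result
        result["slave"] = "/dev/pts/%d" % struct.unpack("i", raw)[0]
        result["slave_label"] = selinux_label(result["slave"])
        slave = step("open " + result["slave"], lambda: os.open(result["slave"], flags))
        if slave is not None:
            os.close(slave)
    finally:
        if master is not None:
            os.close(master)
    return result


if __name__ == "__main__":
    r = probe_pty_allocation()
    print("scontext:", r["scontext"], " slave:", r["slave"], "label:", r["slave_label"])
    for s in r["steps"]:
        print("%-22s %s" % (s["step"], "ok" if s["ok"] else "failed: " + s["errno"]))
```

Run it from the same service context as the failing caller (here that would mean under systemd-machined's label, not from an interactive shell). If the slave open fails with EACCES, the printed scontext and slave label are the pair to search for in the audit log; if nothing appears there, a dontaudit rule is the next suspect, which is what disabling them with semodule -BD in comment 20 was testing.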
Comment 21 Stephen 2017-08-18 11:51:44 EDT
Still present in F26.
