Bug 1257990 - systemctl shell: failed to get shell pty
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware/OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-08-28 10:42 EDT by darrell pfeifer
Modified: 2017-11-18 06:31 EST
Fixed In Version: selinux-policy-3.13.1-153.fc24
Doc Type: Bug Fix
Last Closed: 2015-11-05 11:57:24 EST
Type: Bug

Attachments:
journalctl log (6.53 KB, text/plain), 2015-09-25 06:20 EDT, darrell pfeifer
journalctl log again (4.21 KB, text/plain), 2015-10-02 10:26 EDT, darrell pfeifer
Latest messages (18.80 KB, text/x-vhdl), 2015-10-13 15:07 EDT, darrell pfeifer

Description darrell pfeifer 2015-08-28 10:42:09 EDT
Description of problem:

$ machinectl shell
Failed to get shell PTY: Message recipient disconnected from message bus without replying

Version-Release number of selected component (if applicable):

systemctl --version
systemd 225
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
Comment 1 Jan Synacek 2015-08-31 03:53:30 EDT
This error is caused by SELinux:

Aug 31 07:47:13 rawhide-virt audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 31 07:47:13 rawhide-virt audit[485]: AVC avc:  denied  { read write } for  pid=485 comm="dbus-daemon" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
Comment 2 Jan Synacek 2015-08-31 05:29:12 EDT
On my other machine (rawhide as well), I'm also getting

Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for  pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406 scontext=system_u:system_r:init_t:s0 tcontext=unconfined
Aug 31 11:28:18 rawhide systemd[1865]: container-shell@1.service: Failed at step EXEC spawning /bin/sh: Permission denied
Comment 3 Miroslav Grepl 2015-08-31 06:54:51 EDT
(In reply to Jan Synacek from comment #2)
> On my other machine (rawhide as well), I'm also getting
> 
> Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for 
> pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406
> scontext=system_u:system_r:init_t:s0 tcontext=unconfined
> Aug 31 11:28:18 rawhide systemd[1865]: container-shell@1.service: Failed at
> step EXEC spawning /bin/sh: Permission denied

Yes, that's a problem which we will need to discuss. We will need to make it work to reflect SELinux users.
Comment 4 Miroslav Grepl 2015-08-31 07:16:04 EDT
The point is we have pam_selinux here, so it requires "transition" perms. Also not sure if it reflects the MCS/MLS range. Need to do more testing.
Comment 5 Miroslav Grepl 2015-08-31 07:17:12 EDT
Dan, Dominick
any chance you have been playing with that?
Comment 6 Daniel Walsh 2015-09-11 15:24:49 EDT
What is machinectl shell supposed to do? Start a shell within a container or VM?
Comment 7 Daniel Walsh 2015-09-11 15:30:22 EDT
time->Fri Sep 11 15:28:02 2015
type=USER_AVC msg=audit(1441999682.293:4830): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I am seeing the following when I execute that command on rawhide.  It looks like the SELinux/systemd code is broken.

We could probably add a transition from init_t to unconfined_t. systemd should probably be matching the label of the pid 1 on a container.
Comment 9 darrell pfeifer 2015-09-24 15:24:07 EDT
It still fails to work correctly

[darrell@localhost ~]$ machinectl shell
Failed to get shell PTY: Message recipient disconnected from message bus without replying

selinux-policy.noarch  3.13.1-148.fc24  @koji
systemd.x86_64         226-3.fc24       @koji
Comment 10 Miroslav Grepl 2015-09-25 03:56:27 EDT
There would be a transition.

Could you attach AVCs?
Comment 11 darrell pfeifer 2015-09-25 06:20 EDT
Created attachment 1076987 [details]
journalctl log
Comment 12 darrell pfeifer 2015-10-02 10:26 EDT
Created attachment 1079458 [details]
journalctl log again
Comment 13 darrell pfeifer 2015-10-02 10:27:26 EDT
With selinux-policy-3.13.1-150.fc24 there is still no shell.
Comment 14 Miroslav Grepl 2015-10-13 04:15:30 EDT
https://github.com/fedora-selinux/selinux-policy/commit/53c0f7b97b0165f46276ad20b28d694d6b5119f2

commit 53c0f7b97b0165f46276ad20b28d694d6b5119f2
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Oct 13 10:12:47 2015 +0200

    Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
Comment 15 darrell pfeifer 2015-10-13 15:07 EDT
Created attachment 1082614 [details]
Latest messages
Comment 16 darrell pfeifer 2015-10-13 15:08:58 EDT
Still fails to work

Failed to get shell PTY: No such file or directory

Latest log attached
Comment 17 darrell pfeifer 2015-11-05 11:57:24 EST
I believe this option is gone with the kdbus removal from rawhide. Looked in the man page and didn't see it any more.
Comment 18 Aaron Sowry 2016-02-21 17:19:53 EST
This bug is probably still valid: "machinectl shell" is no longer a valid subcommand, but "machinectl login" produces the same error on F23. Reported as BZ #1310464.
Comment 19 Germano Massullo 2017-03-29 11:57:43 EDT
Confirming the problem on Fedora 25. Only by setting SELinux to permissive mode could I use the "machinectl shell" command.


SELinux is preventing (sh) from lock access on the file /var/log/lastlog.

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:lastlog_t:s0
Target Objects                /var/log/lastlog [ file ]
Source                        (sh)
Source Path                   (sh)
Port                          <Unknown>
Host                          host
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux host 4.10.5-200.fc25.x86_64 #1 SMP Wed Mar 22 20:37:08 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-29 17:51:11 CEST
Last Seen                     2017-03-29 17:51:11 CEST


Raw Audit Messages
type=AVC msg=audit(1490802671.895:358): avc:  denied  { lock } for  pid=13847 comm="(sh)" path="/var/log/lastlog" dev="sdb2" ino=20948 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1


Hash: (sh),init_t,lastlog_t,file,lock
selinux-policy.noarch              3.13.1-225.11.fc25
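The AVC lines quoted in comments 1, 2 and 19 all carry the same fields; the following is an added example (not code from this bug or from the selinux-policy project) that parses such lines into the "comm,source_type,target_type,tclass,perms" key that setroubleshoot prints as its "Hash:" line, so a defender can group repeated denials. The sample log is constructed from the lines quoted in those comments; the comment-2 line is kept truncated exactly as it appears there.

```python
import re

# Added example: group AVC "denied" lines by the same key setroubleshoot uses.
# SAMPLE_LOG is constructed from the messages quoted in comments 1, 2 and 19 of
# this bug; the second line is truncated after "tcontext=unconfined" just as it
# was quoted, which exercises the missing-tclass path below.
SAMPLE_LOG = """\
Aug 31 07:47:13 rawhide-virt audit[485]: AVC avc:  denied  { read write } for  pid=485 comm="dbus-daemon" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
Aug 31 11:28:18 rawhide audit[1865]: AVC avc:  denied  { transition } for  pid=1865 comm="(sh)" path="/usr/bin/bash" dev="sda3" ino=84406 scontext=system_u:system_r:init_t:s0 tcontext=unconfined
Aug 31 11:28:18 rawhide systemd[1865]: container-shell@1.service: Failed at step EXEC spawning /bin/sh: Permission denied
type=AVC msg=audit(1490802671.895:358): avc:  denied  { lock } for  pid=13847 comm="(sh)" path="/var/log/lastlog" dev="sdb2" ino=20948 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def selinux_type(ctx):
    """user:role:type[:range] -> type; a cut-off context is returned unchanged."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Return a dict for an AVC 'denied' line, None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None                      # too mangled to attribute a denial
    return {
        'comm': fields.get('comm', '?'),
        'perms': tuple(m.group('perms').split()),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields.get('tclass'),  # None when the line was cut before tclass=
        'permissive': fields.get('permissive') == '1',  # True: audited, not enforced
    }

def denial_key(d):
    """Same shape as the 'Hash:' line setroubleshoot prints in comment 19."""
    return ','.join([d['comm'], selinux_type(d['scontext']), selinux_type(d['tcontext']),
                     d['tclass'] or '?', ' '.join(d['perms'])])

def summarize(log):
    keys = []                            # unique denial keys, first-seen order
    for line in log.splitlines():
        d = parse_avc(line)
        if d and denial_key(d) not in keys:
            keys.append(denial_key(d))
    return keys
```

Run `summarize(SAMPLE_LOG)` to get the three keys; the last one is exactly the "(sh),init_t,lastlog_t,file,lock" hash shown in comment 19.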
Comment 20 Enrico Tagliavini 2017-05-31 08:46:12 EDT
Confirmed

With SELinux in enforcing mode and default targeted policy, running

# whoami
root
# machinectl shell --uid=root
Failed to get shell PTY: Access denied

even when run as root (if not, a password prompt will escalate, if I understand correctly).

Switching SELinux to permissive mode with setenforce 0 makes it work. It's not a solution; it's just to point to SELinux as the source of the problem. Audit logs are not showing any AVC, even if built with dontaudit disabled (semodule -BD), which puzzles me.

Strace-ing systemd-machined shows

8800  open("/dev/ptmx", O_RDWR|O_NOCTTY|O_CLOEXEC) = 8
8800  ioctl(8, TIOCSPTLCK, [0])         = 0
8800  ioctl(8, TIOCGPTN, [14])          = 0
8800  open("/dev/pts/14", O_RDWR|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
8800  close(8)                          = 0
8800  sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\3\1\1\26\0\0\0B\0\0\0O\0\0\0\5\1u\0\3\0\0\0\6\1s\0\6\0\0\0:1.164\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\10\1g\0\1s\0\0", iov_len=96}, {iov_base="\21\0\0\0Permission denied\0", iov_len=22}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 118

So it could be that systemd_machined_t cannot access user_devpts_t.
Comment 21 Stephen 2017-08-18 11:51:44 EDT
Still present in F26.
Comment 22 Fedora End Of Life 2017-11-16 14:02:37 EST
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed, as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 23 Stephen 2017-11-18 06:27:22 EST
Still the same problem on F27:

$ machinectl login
Failed to get login PTY: Access denied
$ sudo machinectl login
Failed to get login PTY: Access denied
$ sudo setenforce 0
$ machinectl login
Connected to the local host. Press ^] three times within 1s to exit session.
...


Someone with privileges please bump the version on this bug.
