1419946 – "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update

Bug 1419946 - "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update

Summary: "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2...

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedBlocker
Depends On:
Blocks:	F26BetaBlocker
TreeView+	depends on / blocked

Reported:	2017-02-07 13:34 UTC by Jan Pokorný [poki]
Modified:	2017-02-15 02:22 UTC (History)
CC List:	14 users (show)
Fixed In Version:	selinux-policy-3.13.1-239.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-02-15 02:22:22 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pokorný [poki] 2017-02-07 13:34:39 UTC

Likely relevant in audit.log incl. single systemd instance:

type=AVC msg=audit(1486473506.809:320): avc:  denied  { connectto } for  pid=1489 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:321): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:322): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1486473509.525:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486473509.525:324): avc:  denied  { connectto } for  pid=1 comm="systemd" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.554:325): avc:  denied  { connectto } for  pid=1490 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:326): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:327): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

Comment 1 Paul Whalen 2017-02-07 20:37:28 UTC

Also hitting this after upgrading to selinux-policy-3.13.1-236.fc26.noarch on aarch64 and armhfp.

Comment 2 Paul Whalen 2017-02-08 19:06:39 UTC

Serial console login isn't possible. Nominating as a blocker for F26 Alpha - "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles"

Comment 3 Adam Williamson 2017-02-08 19:07:58 UTC

This is breaking just about every openQA test, also (they wind up at a login prompt, but on tty6 with the Plymouth color scheme...)

+1 blocker.

Comment 4 Adam Williamson 2017-02-08 19:20:00 UTC

booting with enforcing=0 does indeed seem to resolve this, so it definitely looks like an SELinux issue.

Comment 5 Geoffrey Marr 2017-02-13 19:52:34 UTC

Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Beta) as it violates the following Beta blocker criteria:

"The installer must be able to complete an installation using the serial console interface." combined with "A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention"

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

Comment 6 Jan Pokorný [poki] 2017-02-13 20:31:31 UTC

Confirming this issue went away with -239.fc26 package + reboot.

Comment 7 Jens Petersen 2017-02-15 02:18:52 UTC

Yep, looks good to me too, thanks

Comment 8 Adam Williamson 2017-02-15 02:22:22 UTC

Yeah, this is confirmed fixed in the 20170213.n.1 and 20170214.n.0 composes.

Note You need to log in before you can comment on or make changes to this bug.