Bug 1419946 - "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update
Summary: "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F26BetaBlocker
TreeView+ depends on / blocked
 
Reported: 2017-02-07 13:34 UTC by Jan Pokorný [poki]
Modified: 2017-02-15 02:22 UTC (History)
14 users (show)

Fixed In Version: selinux-policy-3.13.1-239.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-15 02:22:22 UTC


Attachments (Terms of Use)

Description Jan Pokorný [poki] 2017-02-07 13:34:39 UTC
Likely relevant in audit.log incl. single systemd instance:

type=AVC msg=audit(1486473506.809:320): avc:  denied  { connectto } for  pid=1489 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:321): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:322): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1486473509.525:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486473509.525:324): avc:  denied  { connectto } for  pid=1 comm="systemd" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.554:325): avc:  denied  { connectto } for  pid=1490 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:326): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:327): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

Comment 1 Paul Whalen 2017-02-07 20:37:28 UTC
Also hitting this after upgrading to selinux-policy-3.13.1-236.fc26.noarch on aarch64 and armhfp.

Comment 2 Paul Whalen 2017-02-08 19:06:39 UTC
Serial console login isn't possible. Nominating as a blocker for F26 Alpha - "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles"

Comment 3 Adam Williamson 2017-02-08 19:07:58 UTC
This is breaking just about every openQA test, also (they wind up at a login prompt, but on tty6 with the Plymouth color scheme...)

+1 blocker.

Comment 4 Adam Williamson 2017-02-08 19:20:00 UTC
booting with enforcing=0 does indeed seem to resolve this, so it definitely looks like an SELinux issue.

Comment 5 Geoffrey Marr 2017-02-13 19:52:34 UTC
Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Beta) as it violates the following Beta blocker criteria:

"The installer must be able to complete an installation using the serial console interface." combined with "A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention"

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

Comment 6 Jan Pokorný [poki] 2017-02-13 20:31:31 UTC
Confirming this issue went away with -239.fc26 package + reboot.

Comment 7 Jens Petersen 2017-02-15 02:18:52 UTC
Yep, looks good to me too, thanks

Comment 8 Adam Williamson 2017-02-15 02:22:22 UTC
Yeah, this is confirmed fixed in the 20170213.n.1 and 20170214.n.0 composes.


Note You need to log in before you can comment on or make changes to this bug.