Bug 1559409 - Running as units always fails with code 208/STDIN permission denied.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-03-22 13:41 UTC by Lukas Ruzicka
Modified: 2019-03-05 04:44 UTC (History)

Fixed In Version: selinux-policy-3.14.1-54.fc28
Last Closed: 2019-03-05 04:44:53 UTC
Type: Bug



Description Lukas Ruzicka 2018-03-22 13:41:34 UTC
Description of problem:

I wanted to perform this test (http://fedoraproject.org/wiki/User:Sumantrom/Draft/Testcase_OpenSSH) for the latest version of Fedora 28 and the procedure had no effect. It should prevent me from logging into my localhost, but it did not. I was able to log in every time.

Then I arrived on this page and tried to start a shell as a unit, where I would prevent it to test that it was working. It always failed with the following traceback:

# systemd-run -p IPAddressDeny=127.0.0.1 -t /bin/sh
Running as unit: run-u18.service
# (same root prompt)

# systemctl status run-u18.service

● run-u18.service - /bin/sh
   Loaded: loaded (/run/systemd/transient/run-u18.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Thu 2018-03-22 14:35:29 CET; 38s ago
  Process: 1325 ExecStart=/bin/sh (code=exited, status=208/STDIN)
 Main PID: 1325 (code=exited, status=208/STDIN)

bře 22 14:35:29 localhost.localdomain systemd[1]: Started /bin/sh.
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed to set up standard input: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Main process exited, code=exited, status=208/STDIN
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Failed with result 'exit-code'.

Version-Release number of selected component (if applicable):

systemd 238.4

How reproducible:

Always

Steps to Reproduce:

See above

Comment 1 Zbigniew Jędrzejewski-Szmek 2018-03-22 21:58:33 UTC
I can't reproduce this here. Is there anything special about your setup? Are you running with selinux in enforcing mode? If yes, does it help if selinux is permissive?

Comment 2 Zbigniew Jędrzejewski-Szmek 2018-03-23 08:26:55 UTC
Oh, I forgot I wanted to write something more:
I agree that if we fail to execute the executable it'd be nice to report this better. I opened https://github.com/systemd/systemd/issues/8558. Nevertheless, how this is reported is a separate issue from why it fails in the first place.

Comment 3 Filipe Brandenburger 2018-03-27 20:59:21 UTC
Yes, this is SELinux related:

https://github.com/systemd/systemd/issues/8558#issuecomment-376671311

It's blocking open() on the pts device for the terminal.

Tested this on Fedora 27.
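
Added example, not part of the thread or of any project's code: a small triage script that pairs the PID from a "Failed at step STDIN" journal line with SELinux AVC denials on a pts character device, the cause named in Comment 3. The journal lines are taken from the report; the AVC records are constructed samples, and their contexts, inode numbers and timestamps are assumptions.

```python
import re

# Journal lines copied from the report above; the AVC records are constructed
# samples (contexts, inode and timestamps are assumptions, not from the bug).
JOURNAL = """\
systemd[1]: Started /bin/sh.
systemd[1325]: run-u18.service: Failed to set up standard input: Permission denied
systemd[1325]: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
systemd[1]: run-u18.service: Main process exited, code=exited, status=208/STDIN
"""
AUDIT = """\
type=AVC msg=audit(1521725729.101:311): avc:  denied  { open } for  pid=1325 comm="(sh)" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1521725730.412:312): avc:  denied  { read } for  pid=2040 comm="cat" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

STDIN_FAIL = re.compile(
    r"systemd\[(\d+)\]: (\S+): Failed at step STDIN spawning (\S+): Permission denied")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)")

def parse_avc(line):
    """Return an AVC denial as a dict, or None for other audit records."""
    m = AVC.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        rec[key] = val.strip('"')
    return rec

def explain_stdin_failures(journal, audit):
    """Pair each STDIN-step failure with AVC denials for the same PID on a pts device."""
    denials = [r for r in map(parse_avc, audit.splitlines()) if r]
    findings = []
    for pid, unit, exe in STDIN_FAIL.findall(journal):
        hits = [d for d in denials
                if d.get("pid") == pid and d.get("tclass") == "chr_file"
                and d.get("dev") == "devpts"]
        findings.append({"unit": unit, "pid": pid, "exe": exe, "denials": hits})
    return findings

if __name__ == "__main__":
    for f in explain_stdin_failures(JOURNAL, AUDIT):
        print(f["unit"], "pid", f["pid"], "->", len(f["denials"]), "pts denial(s)")
        for d in f["denials"]:
            print("  ", d["perms"], d["path"], d["scontext"], "->", d["tcontext"])
```

An empty denial list for a failed unit means the audit log holds no matching AVC record for that PID, so the failure has to be explained some other way.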

Comment 4 Zbigniew Jędrzejewski-Szmek 2019-01-11 15:39:07 UTC
Right. This is still reproducible on Fedora-Workstation-Live-x86_64-Rawhide-20190102.n.0.iso. It needs a fix in the selinux policy.

Comment 5 Lukas Vrabec 2019-01-14 17:11:00 UTC
commit a7fb5bc9b4591c8c6ee3c58f394b5c9818ccab28
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 9 17:38:20 2019 +0100

    Make workin: systemd-run --system --pty bash BZ(1647162)


Should be fixed in the latest builds.

Comment 6 Fedora Update System 2019-02-15 08:00:53 UTC
selinux-policy-3.14.1-54.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041

Comment 7 Fedora Update System 2019-02-16 01:17:17 UTC
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041

Comment 8 Fedora Update System 2019-03-05 04:44:53 UTC
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

