Description of problem:
I wanted to perform this test (http://fedoraproject.org/wiki/User:Sumantrom/Draft/Testcase_OpenSSH) for the latest version of Fedora 28 and the procedure had no effect. It should prevent me from logging into my localhost, but it did not. I was able to log in every time.
Then I arrived on this page and tried to start a shell as a unit, where I would prevent it to test that it was working. It always failed with the following traceback:
# systemd-run -p IPAddressDeny=127.0.0.1 -t /bin/sh
Running as unit: run-u18.service
# (same root prompt)
# systemctl status run-u18.service
● run-u18.service - /bin/sh
Loaded: loaded (/run/systemd/transient/run-u18.service; transient)
Active: failed (Result: exit-code) since Thu 2018-03-22 14:35:29 CET; 38s ago
Process: 1325 ExecStart=/bin/sh (code=exited, status=208/STDIN)
Main PID: 1325 (code=exited, status=208/STDIN)
bře 22 14:35:29 localhost.localdomain systemd: Started /bin/sh.
bře 22 14:35:29 localhost.localdomain systemd: run-u18.service: Failed to set up standard input: Permission denied
bře 22 14:35:29 localhost.localdomain systemd: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
bře 22 14:35:29 localhost.localdomain systemd: run-u18.service: Main process exited, code=exited, status=208/STDIN
bře 22 14:35:29 localhost.localdomain systemd: run-u18.service: Failed with result 'exit-code'.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I can't reproduce this here. Is there anything special about your setup? Are you running with selinux in enforcing mode? If yes, does it help if selinux is permissive?
Oh, I forgot I wanted to write something more:
I agree that if we fail to execute the executable it'd be nice to report this better. I opened https://github.com/systemd/systemd/issues/8558. Nevertheless, how this is reported is a separate issue from why it fails in the first place.
Yes, this is SELinux related:
It's blocking open() on the pts device for the terminal.
Tested this on Fedora 27.
Right. This is still reproducible on Fedora-Workstation-Live-x86_64-Rawhide-20190102.n.0.iso. It needs a fix in the selinux policy.
Author: Lukas Vrabec <email@example.com>
Date: Wed Jan 9 17:38:20 2019 +0100
Make workin: systemd-run --system --pty bash BZ(1647162)
Should be fixed in the latest builds.
selinux-policy-3.14.1-54.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041