Bug 1559409 - Running as units always fails with code 208/STDIN permission denied.
Status: ON_QA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
Version: 28
Hardware: Unspecified Unspecified
high
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-03-22 13:41 UTC by Lukas Ruzicka
Modified: 2019-02-16 01:17 UTC (History)

Type: Bug



Description Lukas Ruzicka 2018-03-22 13:41:34 UTC
Description of problem:

I wanted to perform this test (http://fedoraproject.org/wiki/User:Sumantrom/Draft/Testcase_OpenSSH) for the latest version of Fedora 28 and the procedure had no effect. It should prevent me from logging into my localhost, but it did not. I was able to log in every time.

Then I arrived on this page and tried to start a shell as a unit, where I would prevent it to test that it was working. It always failed with the following traceback:

# systemd-run -p IPAddressDeny=127.0.0.1 -t /bin/sh
Running as unit: run-u18.service
# (same root prompt)

# systemctl status run-u18.service

● run-u18.service - /bin/sh
   Loaded: loaded (/run/systemd/transient/run-u18.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Thu 2018-03-22 14:35:29 CET; 38s ago
  Process: 1325 ExecStart=/bin/sh (code=exited, status=208/STDIN)
 Main PID: 1325 (code=exited, status=208/STDIN)

bře 22 14:35:29 localhost.localdomain systemd[1]: Started /bin/sh.
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed to set up standard input: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Main process exited, code=exited, status=208/STDIN
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Failed with result 'exit-code'.

Version-Release number of selected component (if applicable):

systemd 238.4

How reproducible:

Always

Steps to Reproduce:

See above

Comment 1 Zbigniew Jędrzejewski-Szmek 2018-03-22 21:58:33 UTC
I can't reproduce this here. Is there anything special about your setup? Are you running with selinux in enforcing mode? If yes, does it help if selinux is permissive?

Comment 2 Zbigniew Jędrzejewski-Szmek 2018-03-23 08:26:55 UTC
Oh, I forgot I wanted to write something more:
I agree that if we fail to execute the executable it'd be nice to report this better. I opened https://github.com/systemd/systemd/issues/8558. Nevertheless, how this is reported is a separate issue from why it fails in the first place.

Comment 3 Filipe Brandenburger 2018-03-27 20:59:21 UTC
Yes, this is SELinux related:

https://github.com/systemd/systemd/issues/8558#issuecomment-376671311

It's blocking open() on the pts device for the terminal.

Tested this on Fedora 27.
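
Added example (not part of the bug thread or of any project's code): one way to triage a failure like the one above is to pair each "Failed at step ..." journal line with AVC denials logged for the same PID. The journal lines are copied from the description; the AVC records, including their SELinux types and paths, are constructed assumptions.

```python
import re

# Journal lines copied from the description above.
JOURNAL = """\
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed to set up standard input: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Main process exited, code=exited, status=208/STDIN
"""
# Constructed audit records (assumption): types, paths and serials are
# illustrative only and are not values taken from this bug.
AUDIT = """\
type=AVC msg=audit(1521725729.412:311): avc:  denied  { open } for  pid=1325 comm="(sh)" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1521725730.020:312): avc:  denied  { read } for  pid=2001 comm="logrotate" path="/var/log/app.log" dev="dm-0" ino=77 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# systemd logs the failing spawn step from the forked child, so the PID in
# "systemd[PID]" is the PID the kernel reports in the AVC record.
SPAWN_FAIL = re.compile(
    r"systemd\[(?P<pid>\d+)\]: (?P<unit>\S+): Failed at step (?P<step>\w+) "
    r"spawning (?P<exe>\S+): (?P<err>.+)$")
AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) (?P<rest>.*)$")


def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])
    rec = {key: value.strip('"') for key, value in pairs}
    rec["pid"] = int(m["pid"])
    rec["perms"] = m["perms"].split()
    return rec


def correlate(journal_text, audit_text):
    """Pair each failed spawn step with the AVC denials for the same PID."""
    denials = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    findings = []
    for line in journal_text.splitlines():
        m = SPAWN_FAIL.search(line)
        if m:
            pid = int(m["pid"])
            findings.append({
                "unit": m["unit"], "step": m["step"], "error": m["err"],
                "denials": [d for d in denials if d["pid"] == pid]})
    return findings
```

A finding with an empty "denials" list means the permission error did not come with a logged SELinux denial for that PID and the cause lies elsewhere.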

Comment 4 Zbigniew Jędrzejewski-Szmek 2019-01-11 15:39:07 UTC
Right. This is still reproducible on Fedora-Workstation-Live-x86_64-Rawhide-20190102.n.0.iso. It needs a fix in the selinux policy.

Comment 5 Lukas Vrabec 2019-01-14 17:11:00 UTC
commit a7fb5bc9b4591c8c6ee3c58f394b5c9818ccab28
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Jan 9 17:38:20 2019 +0100

    Make workin: systemd-run --system --pty bash BZ(1647162)


Should be fixed in the latest builds.

Comment 6 Fedora Update System 2019-02-15 08:00:53 UTC
selinux-policy-3.14.1-54.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041

Comment 7 Fedora Update System 2019-02-16 01:17:17 UTC
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041

