Description of problem:
I wanted to perform this test (http://fedoraproject.org/wiki/User:Sumantrom/Draft/Testcase_OpenSSH) for the latest version of Fedora 28, and the procedure had no effect. It should prevent me from logging into my localhost, but it did not. I was able to log in every time. Then I arrived on this page and tried to start a shell as a unit, where I would prevent it to test that it was working. It always failed with the following traceback:

# systemd-run -p IPAddressDeny=127.0.0.1 -t /bin/sh
Running as unit: run-u18.service
# (same root prompt)
# systemctl status run-u18.service
● run-u18.service - /bin/sh
   Loaded: loaded (/run/systemd/transient/run-u18.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Thu 2018-03-22 14:35:29 CET; 38s ago
  Process: 1325 ExecStart=/bin/sh (code=exited, status=208/STDIN)
 Main PID: 1325 (code=exited, status=208/STDIN)

bře 22 14:35:29 localhost.localdomain systemd[1]: Started /bin/sh.
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed to set up standard input: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1325]: run-u18.service: Failed at step STDIN spawning /bin/sh: Permission denied
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Main process exited, code=exited, status=208/STDIN
bře 22 14:35:29 localhost.localdomain systemd[1]: run-u18.service: Failed with result 'exit-code'.

Version-Release number of selected component (if applicable):
systemd 238.4

How reproducible:
Always

Steps to Reproduce:
See above
I can't reproduce this here. Is there anything special about your setup? Are you running with selinux in enforcing mode? If yes, does it help if selinux is permissive?
Oh, I forgot I wanted to write something more: I agree that if we fail to execute the executable it'd be nice to report this better. I opened https://github.com/systemd/systemd/issues/8558. Nevertheless, how this is reported is a separate issue from why it fails in the first place.
Yes, this is SELinux related:
https://github.com/systemd/systemd/issues/8558#issuecomment-376671311

It's blocking open() on the pts device for the terminal. Tested this on Fedora 27.
Right. This is still reproducible on Fedora-Workstation-Live-x86_64-Rawhide-20190102.n.0.iso. It needs a fix in the selinux policy.
commit a7fb5bc9b4591c8c6ee3c58f394b5c9818ccab28
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 9 17:38:20 2019 +0100

    Make workin: systemd-run --system --pty bash BZ(1647162)

Should be fixed in the latest builds.
selinux-policy-3.14.1-54.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d1eff79041
selinux-policy-3.14.1-54.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.