Description of problem: Attempting to start/use agetty on /dev/ttyUSB* fails due to selinux error: SELinux is preventing agetty from setattr access on the chr_file ttyUSB0. type=AVC msg=audit(1553058988.540:836): avc: denied { setattr } for pid=1876 comm="agetty" name="ttyUSB0" dev="devtmpfs" ino=24592 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file permissive=1 additional: SELinux is preventing login from 'read, write' accesses on the chr_file /dev/ttyUSB0. SELinux is preventing login from ioctl access on the chr_file /dev/ttyUSB0. SELinux is preventing login from getattr access on the chr_file ttyUSB0. SELinux is preventing login from setattr access on the chr_file ttyUSB0. SELinux is preventing login from open access on the chr_file /dev/ttyUSB0. SELinux is preventing unix_chkpwd from 'read, write' accesses on the chr_file /dev/ttyUSB0. SELinux is preventing login from relabelfrom access on the chr_file ttyUSB0. SELinux is preventing login from relabelto access on the chr_file ttyUSB0. SELinux is preventing login from getattr access on the chr_file /dev/ttyUSB0. SELinux is preventing login from ioctl access on the chr_file /dev/ttyUSB0. SELinux is preventing login from write access on the chr_file /dev/ttyUSB0. SELinux is preventing login from setattr access on the chr_file ttyUSB0. SELinux is preventing login from read access on the chr_file ttyUSB0. SELinux is preventing login from open access on the chr_file /dev/ttyUSB0. SELinux is preventing login from relabelfrom access on the chr_file ttyUSB0. SELinux is preventing agetty from setattr access on the chr_file ttyUSB0. SELinux is preventing login from 'read, write' accesses on the chr_file /dev/ttyUSB0. SELinux is preventing unix_chkpwd from 'read, write' accesses on the chr_file /dev/ttyUSB0. Version-Release number of selected component (if applicable): How reproducible: Add a USB / DB9 serial dongle, and configure agetty to run on it. Steps to Reproduce: 1. Attach USB / DB9 serial dongle. 2. systemctl enable serial-getty 3. systemctl start serial-getty 4. Observe that agetty doesn't start -- view journal and see AVC messages. Expected results: Should just work like /dev/ttyS*. Additional info: Why is there a usbtty_device_t type? What was the rational for creating it?
setenforce 0 results in agetty running on /dev/ttyUSB* as expected.
Missing: allow [getty_t] [usbtty_device_t] : [chr_file] { setattr }; allow local_login_t usbtty_device_t:chr_file { getattr ioctl open read relabelf; allow chkpwd_t usbtty_device_t:chr_file { read write }; allow [passwd_t] [usbtty_device_t] : [chr_file] { read write };
commit b8327632158395b68f5b8b24f16fc77a2d2a3873 (HEAD -> rawhide, origin/rawhide) Author: Lukas Vrabec <lvrabec> Date: Tue Mar 26 16:16:28 2019 +0100 Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.