Bug 1932053 - Running `agetty --reload` interactively results in wrongly labeled /run/agetty.reload file
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-02-23 20:00 UTC by Jonathan Lebon
Modified: 2021-06-03 13:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Jonathan Lebon 2021-02-23 20:00:27 UTC
Description of problem:

From https://github.com/coreos/fedora-coreos-config/pull/859#issuecomment-783713383.

When `agetty` is run by systemd, it creates `/run/agetty.reload` with the right context. When `agetty --reload` is run interactively, it creates `/run/agetty.reload` with the wrong context:

[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# systemctl restart serial-getty@ttyS0.service
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root system_u:object_r:getty_var_run_t:s0 0 Feb 22 22:11 /run/agetty.reload
[root@cosa-devsh ~]# systemctl stop serial-getty@ttyS0.service
[root@cosa-devsh ~]# rm /run/agetty.reload
[root@cosa-devsh ~]# agetty --reload
[root@cosa-devsh ~]# ls -lZ /run/agetty.reload
-rw-------. 1 root root unconfined_u:object_r:var_run_t:s0 0 Feb 22 22:10 /run/agetty.reload

Version-Release number of selected component (if applicable):

[root@cosa-devsh ~]# rpm -q selinux-policy util-linux
selinux-policy-3.14.8-3.fc35.noarch
util-linux-2.36.2-1.fc35.x86_64

How reproducible:

100% of the time

Steps to Reproduce:
1. See above

Actual results:

/run/agetty.reload has context var_run_t

Expected results:

/run/agetty.reload has context getty_var_run_t

Additional info:

I think this is because when running agetty interactively, it doesn't actually transition to getty_t. So the filename transition rule doesn't take place.
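A defender-side check for the mislabeling described above, added here as an example and not taken from the bug report, agetty or selinux-policy: it compares a file's observed SELinux context with the type the policy's file-context database expects for that path and relabels the file when they differ. The comparison helpers are plain string handling so they can be exercised anywhere; `check_and_fix` assumes the `stat`, `matchpathcon` and `restorecon` tools of an SELinux-enabled Fedora system.

```shell
#!/bin/sh
# Example added to this bug page; not code from agetty or selinux-policy.
# Detects a file whose SELinux type does not match the policy's expectation
# (e.g. var_run_t instead of getty_var_run_t on /run/agetty.reload) and
# restores the correct label.

# Return the type field (third colon-separated component) of a full
# security context such as "unconfined_u:object_r:var_run_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the observed and expected contexts carry different
# types. Only the type is compared: the SELinux user (unconfined_u vs
# system_u) differs legitimately depending on who created the file, while
# the type is what access decisions are made on.
label_mismatch() {
    [ "$(context_type "$1")" != "$(context_type "$2")" ]
}

# Check one real path. Observed context comes from stat, expected context
# from the policy's file_contexts via matchpathcon; restorecon applies the
# fix. Exit status: 0 label correct, 1 label was wrong and relabeled,
# 2 could not determine either context (no SELinux, tools missing, ...).
check_and_fix() {
    path=$1
    actual=$(stat -c %C "$path") || return 2
    expected=$(matchpathcon -n "$path") || return 2
    if label_mismatch "$actual" "$expected"; then
        echo "$path: $actual (expected $expected), relabeling" >&2
        restorecon -v "$path"
        return 1
    fi
    return 0
}

# Usage on the affected system (not run when the file is sourced):
#   check_and_fix /run/agetty.reload
```

On a system showing the bug, running `check_and_fix /run/agetty.reload` after an interactive `agetty --reload` reports `var_run_t` against the expected `getty_var_run_t` and relabels the file, which is the same effect as the filename transition that only fires when agetty runs in the `getty_t` domain.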

Comment 1 Zdenek Pytela 2021-03-15 09:30:44 UTC
Jonathan,

I can reproduce it and confirm your findings. Just wondering what is the use case: Are there still some getty@ services running? Why is the /run/agetty.reload file manually removed?

According to agetty(8):
       --reload
              Ask  all  running  agetty instances to reload and update their displayed
              prompts, if the user has not yet commenced logging in.  After  doing  so
              the  command  will  exit.   This feature might be unsupported on systems
              without Linux inotify(7).

If the file is not removed, --reload does not create a new one.

Comment 2 Jonathan Lebon 2021-03-15 14:54:56 UTC
There is more info in https://github.com/coreos/fedora-coreos-config/pull/859, but essentially: in FCOS we have a service called console-login-helper-messages (https://github.com/coreos/console-login-helper-messages) which creates .issue files for things like SSH host keys and network interface IP addresses so that they show up at the getty console prompt. This service is dynamic and reruns whenever e.g. new network devices come online or go offline. To force any open getty prompts to redraw the latest issue files, it calls `agetty --reload`.

What happens is that if console-login-helper-messages runs earlier than getty@, the `agetty --reload` call will create `/run/agetty.reload` for the first time, which will cause it to have the wrong label as above.

Of course, this generalizes to any service (or really, even SSH users) which runs `agetty --reload` while the system is still booting.

Comment 3 Dusty Mabe 2021-04-29 13:02:47 UTC
I'm seeing this denial in F34 FCOS. What's the path forward on fixing the problem here?

Comment 4 Jonathan Lebon 2021-06-03 13:49:25 UTC
Hi Zdenek, any way we can move this forward? We're currently carrying a workaround for this in FCOS which would be nice to drop.

