Created attachment 1760121
journal.log

Description of problem:

[chris@fmac ~]$ systemctl status debug-shell.service
× debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2021-03-01 17:49:29 MST; 8min ago
Docs: man:systemd-debug-generator(8)
Process: 579 ExecStart=/bin/sh (code=exited, status=208/STDIN)

Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-23.fc34.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl enable debug-shell.service
2. reboot
3.

Actual results:
Multiple instances of:

[ 7.079494] systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
[ 7.083976] kernel: audit: type=1130 audit(1614618011.508:71): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7.084956] systemd[1]: Starting Create list of static device nodes for the current kernel...
[ 7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc: denied { watch watch_reads } for pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[ 7.090205] systemd[550]: debug-shell.service: Failed to set up standard input: Permission denied
[ 7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)

Expected results:
The service should start

Additional info:
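The denial quoted in the report above can be read mechanically by joining the AVC record (type=1400) with the SYSCALL record (type=1300) that shares its audit event ID. The following is an added example, not part of the original report or of selinux-policy; the function names are hypothetical, the sample lines are copied from the report, and the syscall table is an assumption that covers only the x86_64 number seen here.

```python
import errno
import re

# Constructed sample: three kernel audit lines copied from the report above.
SAMPLE = """\
[ 7.083976] kernel: audit: type=1130 audit(1614618011.508:71): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc: denied { watch watch_reads } for pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[ 7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+:\d+)\): (.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \} for (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: only the syscall number seen in this report, valid for x86_64.
SYSCALL_X86_64 = {254: "inotify_add_watch"}

def parse_fields(text):
    """Turn 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def correlate(log_text):
    """Join AVC (1400) and SYSCALL (1300) records that share an audit event ID."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {"event": event_id})
        avc = AVC_RE.search(body) if rtype == "1400" else None
        if avc:
            f = parse_fields(avc.group(2))
            ev.update(perms=avc.group(1).split(), path=f.get("path"),
                      tclass=f["tclass"],
                      source_type=f["scontext"].split(":")[2],
                      target_type=f["tcontext"].split(":")[2],
                      enforcing=f.get("permissive") == "0")
        elif rtype == "1300":
            f = parse_fields(body)
            nr, rc = int(f["syscall"]), int(f["exit"])
            known = SYSCALL_X86_64 if f.get("arch") == "c000003e" else {}
            ev.update(syscall=known.get(nr, str(nr)), exe=f["exe"],
                      error=errno.errorcode.get(-rc, str(rc)))
    # Events without an AVC denial (for example the 1130 service start) are dropped.
    return [ev for ev in events.values() if "perms" in ev]

if __name__ == "__main__":
    for ev in correlate(SAMPLE):
        print(ev)
```

On the sample this yields one event: `init_t` denied `watch` and `watch_reads` on a `tty_device_t` character device while `/usr/lib/systemd/systemd` called `inotify_add_watch`, which matches the "Failed to set up standard input: Permission denied" line in the journal.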
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/627
Proposed as a Freeze Exception for 34-beta by Fedora user chrismurphy using the blocker tracking app because: Early debug shell is used for debugging, it'd be nice to have it working for beta release.
+3 in https://pagure.io/fedora-qa/blocker-review/issue/276, marking accepted.
PR merged, will be in the next package build.
*** Bug 1937580 has been marked as a duplicate of this bug. ***
Zdenek, can we please get a package build? We are already building Beta candidates and it would be very good to have this fixed in them.
Both F34 and F35 are already in process, there are dist-git PRs waiting for CI to finish.
FEDORA-2021-1e99f2ed79 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.