Bug 1933902 - selinux prevents systemd early debug-shell from working
Summary: selinux prevents systemd early debug-shell from working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Duplicates: 1937580
Depends On:
Blocks: F34BetaFreezeException
Reported: 2021-03-02 01:03 UTC by Chris Murphy
Modified: 2021-03-16 00:29 UTC

Fixed In Version: selinux-policy-3.14.7-25.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 00:29:01 UTC
Type: Bug
Embargoed:


Attachments
journal.log (175.14 KB, text/plain), 2021-03-02 01:03 UTC, Chris Murphy

Description Chris Murphy 2021-03-02 01:03:34 UTC
Created attachment 1760121
journal.log

Description of problem:

[chris@fmac ~]$ systemctl status debug-shell.service 
× debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
     Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2021-03-01 17:49:29 MST; 8min ago
       Docs: man:systemd-debug-generator(8)
    Process: 579 ExecStart=/bin/sh (code=exited, status=208/STDIN)



Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-23.fc34.noarch

How reproducible:
Always


Steps to Reproduce:
1. systemctl enable debug-shell.service
2. reboot
3.

Actual results:

Multiple instances of:

[    7.079494] systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
[    7.083976] kernel: audit: type=1130 audit(1614618011.508:71): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    7.084956] systemd[1]: Starting Create list of static device nodes for the current kernel...
[    7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc:  denied  { watch watch_reads } for  pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[    7.090205] systemd[550]: debug-shell.service: Failed to set up standard input: Permission denied
[    7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)



Expected results:

The service should start


Additional info:
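
Added example (not part of the original report, and not the project's code): a short Python parser that pairs the AVC record with its SYSCALL record by audit event ID and renders the denied access as an audit2allow-style rule. The three log lines are copied from the excerpt above; the one-entry syscall table and the function names are assumptions of this example, and the printed rule is a triage aid, not the content of the policy fix, which this page does not show.

```python
import re
from collections import defaultdict

# Log lines copied verbatim from the journal excerpt in this report.
SAMPLE = '''\
[    7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc:  denied  { watch watch_reads } for  pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[    7.090205] systemd[550]: debug-shell.service: Failed to set up standard input: Permission denied
[    7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
'''

EVENT_RE = re.compile(r"type=(\d+) audit\((\d+\.\d+:\d+)\): (.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: x86_64 only, and only the syscall number that appears in this report.
SYSCALLS_X86_64 = {254: "inotify_add_watch"}

def fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def sel_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def parse_denials(log):
    """Merge AVC (type 1400) and SYSCALL (type 1300) records sharing an event ID."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record (e.g. the systemd message)
        rtype, event_id, body = m.groups()
        avc = AVC_RE.search(body) if rtype == "1400" else None
        if avc:
            events[event_id]["perms"] = avc.group(1).split()
            events[event_id].update(fields(avc.group(2)))
        elif rtype == "1300":
            sc = fields(body)
            nr = int(sc["syscall"])
            events[event_id]["syscall"] = SYSCALLS_X86_64.get(nr, str(nr))
            events[event_id]["exit"] = int(sc["exit"])  # -13 is -EACCES
    return [e for e in events.values() if "perms" in e]

def allow_rule(d):
    """Render the denied access in the form audit2allow prints."""
    perms = " ".join(d["perms"])
    return f"allow {sel_type(d['scontext'])} {sel_type(d['tcontext'])}:{d['tclass']} {{ {perms} }};"

if __name__ == "__main__":
    for denial in parse_denials(SAMPLE):
        print(denial["syscall"], denial["path"], denial["exit"], allow_rule(denial))
```

On the sample this shows that the `watch` and `watch_reads` denial came from an `inotify_add_watch` call on `/dev/tty9` that returned -13 (EACCES) while the policy was enforcing (`permissive=0`).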

Comment 1 Zdenek Pytela 2021-03-02 20:01:19 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/627

Comment 2 Fedora Blocker Bugs Application 2021-03-02 23:08:43 UTC
Proposed as a Freeze Exception for 34-beta by Fedora user chrismurphy using the blocker tracking app because:

 Early debug shell is used for debugging, it'd be nice to have it working for beta release.

Comment 3 Adam Williamson 2021-03-03 17:46:48 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/276 , marking accepted.

Comment 4 Zdenek Pytela 2021-03-03 18:13:04 UTC
PR merged, will be in the next package build.

Comment 5 Adam Williamson 2021-03-11 19:17:44 UTC
*** Bug 1937580 has been marked as a duplicate of this bug. ***

Comment 6 Adam Williamson 2021-03-11 21:59:06 UTC
Zdenek, can we please get a package build? We are already building Beta candidates and it would be very good to have this fixed in them.

Comment 7 Zdenek Pytela 2021-03-11 22:06:07 UTC
Both F34 and F35 are already in process, there are dist-git PRs waiting for CI to finish.

Comment 8 Fedora Update System 2021-03-12 15:44:01 UTC
FEDORA-2021-1e99f2ed79 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

Comment 9 Fedora Update System 2021-03-12 18:57:04 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-03-16 00:29:01 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

