Bug 1991329 - sh was denied watching /dev/tty9 when debug-shell.service was started during boot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-08-09 03:52 UTC by Matt Fagnani
Modified: 2021-09-13 14:40 UTC (History)

Fixed In Version: selinux-policy-34.19-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-13 14:40:11 UTC
Type: Bug
Embargoed:



Description Matt Fagnani 2021-08-09 03:52:32 UTC
Description of problem:

I used the following commands to start an offline update in a Fedora 34 KDE Plasma installation with updates-testing enabled.
sudo dnf offline-upgrade download
sudo dnf offline-upgrade reboot

sh was denied watching /dev/tty9 when debug-shell.service was started during the boot when the offline upgrades were run. debug-shell.service failed to start as shown in the plymouth systemd messages during the boot and the journal from when the denials happened.

Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[607]: AVC avc:  denied  { watch } for  pid=607 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Aug 08 22:38:16 audit[607]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55680c9c0610 a2=18 a3=0 items=0 ppid=1 pid=607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="(sh)"
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-switch-root comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit: BPF prog-id=22 op=LOAD
Aug 08 22:38:16 audit: BPF prog-id=20 op=UNLOAD
Aug 08 22:38:16 audit: BPF prog-id=21 op=UNLOAD
Aug 08 22:38:16 audit: BPF prog-id=23 op=LOAD
Aug 08 22:38:16 audit: BPF prog-id=24 op=LOAD
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=kmod-static-nodes comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@configfs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@configfs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@fuse comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@fuse comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit: CONFIG_CHANGE op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:syslogd_t:s0 res=1
Aug 08 22:38:16 audit[612]: SYSCALL arch=c000003e syscall=46 success=yes exit=60 a0=3 a1=7ffe801c0db0 a2=4000 a3=7ffe801c0e3c items=0 ppid=1 pid=612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
Aug 08 22:38:16 systemd[1]: Queued start job for default target Offline System Update.
Aug 08 22:38:16 systemd[1]: Stopped Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: systemd-journald.service: Deactivated successfully.
Aug 08 22:38:16 systemd[607]: debug-shell.service: Failed at step STDIN spawning /bin/sh: Permission denied
Aug 08 22:38:16 systemd-modules-load[613]: Module 'msr' is built in
Aug 08 22:38:16 systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[620]: AVC avc:  denied  { watch } for  pid=620 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Aug 08 22:38:16 audit[620]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55680c9c0610 a2=18 a3=0 items=0 ppid=1 pid=620 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="(sh)"
Aug 08 22:38:16 systemd[620]: debug-shell.service: Failed at step STDIN spawning /bin/sh: Permission denied
Aug 08 22:38:16 systemd[620]: debug-shell.service: Failed to set up standard input: Permission denied
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: Started Journal Service.
Aug 08 22:38:16 systemd[1]: Finished Load Kernel Modules.
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: Finished Remount Root and Kernel File Systems.
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-remount-fs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: Mounted FUSE Control File System.
Aug 08 22:38:16 systemd[1]: Mounted Kernel Configuration File System.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Main process exited, code=exited, status=208/STDIN
Aug 08 22:38:16 systemd[1]: debug-shell.service: Failed with result 'exit-code'.
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 08 22:38:16 systemd[1]: debug-shell.service: Scheduled restart job, restart counter is at 2.
Aug 08 22:38:16 systemd[1]: Stopped Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 audit[621]: AVC avc:  denied  { watch } for  pid=621 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Aug 08 22:38:16 audit[621]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55680c9c0610 a2=18 a3=0 items=0 ppid=1 pid=621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="(sh)"
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[621]: debug-shell.service: Failed to set up standard input: Permission denied
Aug 08 22:38:16 systemd[621]: debug-shell.service: Failed at step STDIN spawning /bin/sh: Permission denied
Aug 08 22:38:16 systemd[1]: Condition check resulted in OSTree Remount OS/ Bind Mounts being skipped.
Aug 08 22:38:16 systemd[1]: Condition check resulted in First Boot Wizard being skipped.
Aug 08 22:38:16 systemd[1]: Condition check resulted in Rebuild Hardware Database being skipped.
Aug 08 22:38:16 systemd[1]: Starting Flush Journal to Persistent Storage...
Aug 08 22:38:16 systemd[1]: Starting Load/Save Random Seed...
Aug 08 22:38:16 systemd[1]: Starting Apply Kernel Variables...
Aug 08 22:38:16 systemd[1]: Condition check resulted in Create System Users being skipped.
Aug 08 22:38:16 systemd[1]: Starting Create Static Device Nodes in /dev...
Aug 08 22:38:16 systemd-journald[612]: Time spent on flushing to /var/log/journal/cf0bf479bcf04633b727cb244f663cd7 is 778.320ms for 1360 entries.
Aug 08 22:38:16 systemd-journald[612]: System Journal (/var/log/journal/cf0bf479bcf04633b727cb244f663cd7) is 2.0G, max 4.0G, 1.9G free.
Aug 08 22:38:17 kernel: acpi_cpufreq: overriding BIOS provided _PSD data
Aug 08 22:38:17 kernel: input: HP Wireless hotkeys as /devices/virtual/input/input26
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[626]: AVC avc:  denied  { watch } for  pid=626 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Aug 08 22:38:16 audit[626]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55680c9c0610 a2=18 a3=0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="(sh)"
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-random-seed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[628]: AVC avc:  denied  { watch } for  pid=628 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Aug 08 22:38:16 audit[628]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55680c9c0610 a2=18 a3=0 items=0 ppid=1 pid=628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Aug 08 22:38:16 audit: PROCTITLE proctitle="(sh)"
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-setup-dev comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit: BPF prog-id=25 op=LOAD
Aug 08 22:38:16 audit: BPF prog-id=26 op=LOAD
Aug 08 22:38:16 audit: BPF prog-id=27 op=LOAD
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@configfs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@configfs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@fuse comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=modprobe@fuse comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:17 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 08 22:38:16 systemd[1]: debug-shell.service: Main process exited, code=exited, status=208/STDIN
Aug 08 22:38:16 systemd[1]: debug-shell.service: Failed with result 'exit-code'.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Scheduled restart job, restart counter is at 3.
Aug 08 22:38:16 systemd[1]: Stopped Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 systemd[626]: debug-shell.service: Failed to set up standard input: Permission denied
Aug 08 22:38:16 systemd[626]: debug-shell.service: Failed at step STDIN spawning /bin/sh: Permission denied
Aug 08 22:38:16 systemd[1]: Finished Apply Kernel Variables.
Aug 08 22:38:16 systemd[1]: Finished Load/Save Random Seed.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Main process exited, code=exited, status=208/STDIN
Aug 08 22:38:16 systemd[1]: debug-shell.service: Failed with result 'exit-code'.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Scheduled restart job, restart counter is at 4.
Aug 08 22:38:16 systemd[1]: Condition check resulted in First Boot Complete being skipped.
Aug 08 22:38:16 systemd[1]: Stopped Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 systemd[628]: debug-shell.service: Failed to set up standard input: Permission denied
Aug 08 22:38:16 systemd[628]: debug-shell.service: Failed at step STDIN spawning /bin/sh: Permission denied
Aug 08 22:38:16 systemd[1]: debug-shell.service: Main process exited, code=exited, status=208/STDIN
Aug 08 22:38:16 systemd[1]: debug-shell.service: Failed with result 'exit-code'.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Scheduled restart job, restart counter is at 5.
Aug 08 22:38:16 systemd[1]: Stopped Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Start request repeated too quickly.
Aug 08 22:38:16 systemd[1]: debug-shell.service: Failed with result 'exit-code'.
Aug 08 22:38:16 systemd[1]: Failed to start Early root shell on /dev/tty9 FOR DEBUGGING ONLY.

I ran sudo systemctl enable debug-shell and rebooted. The same denials and errors happened on the following regular boots.

Version-Release number of selected component (if applicable):
selinux-policy-34.15-1.fc34.noarch
systemd-248.7-1.fc34.x86_64

How reproducible:
These denials happened every time I've run dnf offline-upgrade since 2021-7-16 at least, and they happened every boot after running sudo systemctl enable debug-shell.

Steps to Reproduce:
1. Boot a Fedora 34 KDE Plasma installation updated to 2021-8-8 with updates-testing enabled
2. sudo systemctl enable debug-shell
3. Reboot

Actual results:
sh was denied watching /dev/tty9 when debug-shell.service was started during boot

Expected results:
No denials or errors would happen.

Additional info:
These denials were reported and fixed at https://bugzilla.redhat.com/show_bug.cgi?id=1933902. I'm reporting them again since they're still happening for me at least.

Comment 1 Matt Fagnani 2021-09-08 03:38:11 UTC
The same debug shell denials and errors happen in a F35 KDE Plasma installation with selinux-policy-34.16-1.fc35, so I'm updating the version to 35.

Comment 2 Zdenek Pytela 2021-09-08 07:20:20 UTC
I can confirm the watch permission is missing:
# sesearch -A -s init_t -t tty_device_t -c chr_file
allow init_t device_node:chr_file { create getattr mounton relabelfrom relabelto setattr };
allow init_t tty_device_t:chr_file { append ioctl lock open read watch_reads write };

but I can't figure out why:

$ git show f4a7e3a562499916c83cb1a3dd9c94413e5224e1
commit f4a7e3a562499916c83cb1a3dd9c94413e5224e1
Author: Zdenek Pytela <zpytela>
Date:   Tue Mar 2 20:57:59 2021 +0100

    Allow systemd watch and watch_reads unallocated ttys
...
+term_watch_unallocated_ttys(init_t)
+term_watch_reads_unallocated_ttys(init_t)
...

$ macro-expander 'term_watch_unallocated_ttys(init_t)'
allow init_t tty_device_t:chr_file { getattr watch };
$ macro-expander 'term_watch_reads_unallocated_ttys(init_t)'
allow init_t tty_device_t:chr_file { getattr watch_reads };
$ rpm -q selinux-policy --changelog | grep -B12 unallocated
* Thu Mar 11 2021 Zdenek Pytela <zpytela> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

I suppose it was confirmed working with bz#1933902 resolved.
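
As an added diagnostic (my code, not the reporter's and not part of selinux-policy), the script below cross-checks the AVC lines quoted in the description against the sesearch output in this comment and reports which denied permissions no printed allow rule covers; the embedded input is a constructed subset of the lines on this page, and the `type_of`, `missing_permissions` and `suggested_rule` helpers are hypothetical names.

```python
import re

# Constructed sample input: the first AVC line quoted in the bug description
# and the two allow rules from the sesearch output in comment 2.
SAMPLE_JOURNAL = """\
Aug 08 22:38:16 audit[607]: AVC avc:  denied  { watch } for  pid=607 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
"""
SAMPLE_SESEARCH = """\
allow init_t device_node:chr_file { create getattr mounton relabelfrom relabelto setattr };
allow init_t tty_device_t:chr_file { append ioctl lock open read watch_reads write };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<tclass>\S+)\s+\{\s*(?P<perms>[^}]+)\}"
)


def type_of(context):
    """user:role:type:level -> type (the third field of a security context)."""
    return context.split(":")[2]


def parse_denials(journal_text):
    """Yield (source_type, target_type, tclass, set_of_denied_perms) per AVC line."""
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def parse_allow_rules(sesearch_text):
    """Map tclass -> union of permissions over every allow rule in the output.

    Intended for the output of one `sesearch -A -s SRC -t TGT` query: sesearch
    has already resolved attribute membership, so a rule printed for an
    attribute the target belongs to (device_node above) applies to the
    queried pair as well and is merged in.
    """
    allowed = {}
    for line in sesearch_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            allowed.setdefault(m["tclass"], set()).update(m["perms"].split())
    return allowed


def missing_permissions(journal_text, sesearch_text, src, tgt):
    """Return {tclass: sorted perms} denied for src->tgt that appear in no
    allow rule of the sesearch output; an empty dict means policy covers them."""
    allowed = parse_allow_rules(sesearch_text)
    missing = {}
    for s, t, tclass, perms in parse_denials(journal_text):
        if (s, t) != (src, tgt):
            continue
        gap = perms - allowed.get(tclass, set())
        if gap:
            missing.setdefault(tclass, set()).update(gap)
    return {tclass: sorted(perms) for tclass, perms in missing.items()}


def suggested_rule(src, tgt, tclass, perms):
    """Format the allow rule that would close the gap (policy source syntax)."""
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    gaps = missing_permissions(SAMPLE_JOURNAL, SAMPLE_SESEARCH, "init_t", "tty_device_t")
    for tclass, perms in gaps.items():
        # For this bug: watch is denied while only watch_reads is allowed,
        # which matches the failed inotify_add_watch (syscall=254 on x86_64).
        print(suggested_rule("init_t", "tty_device_t", tclass, perms))
```

On a live system the same check runs over `journalctl -b _TRANSPORT=audit` output and the actual `sesearch -A -s init_t -t tty_device_t -c chr_file` result; it flags `watch` here because only `watch_reads` survived the 34.14-1 cleanup.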

Comment 3 Zdenek Pytela 2021-09-08 07:46:19 UTC
Bisecting the packages I managed to find the first version to hide the permission:

commit fe7971a7a70689dce44947a6a83361ac960c2b52
Author: Zdenek Pytela <zpytela>
Date:   Wed Jul 14 14:59:11 2021 +0200

    * Wed Jul 14 2021 Zdenek Pytela <zpytela> - 34.14-1
    - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
    - Remove references to init_watch_path_type attribute
    - Remove all redundant watch permissions for systemd
^^^ Looks like the optimization was overexcessive
    - Allow systemd watch non_security_file_type dirs, files, lnk_files
    - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
    - Allow bacula get attributes of cgroup filesystems
    - Allow systemd-journal-upload watch logs and journal
    - Create a policy for systemd-journal-upload
    - Allow tcpdump and nmap get attributes of infiniband_device_t
    - Allow arpwatch get attributes of infiniband_device_t devices
    - Label /dev/wmi/dell-smbios as acpi_device_t

Will fix it soon:
https://github.com/fedora-selinux/selinux-policy/pull/865

Comment 4 Fedora Update System 2021-09-10 12:58:41 UTC
FEDORA-2021-856277e22b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-856277e22b

Comment 5 Fedora Update System 2021-09-10 15:50:06 UTC
FEDORA-2021-856277e22b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-856277e22b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-856277e22b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-09-13 14:40:11 UTC
FEDORA-2021-856277e22b has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

