Bug 1999526 - avc: denied { watch watch_reads } comm="systemd-tty-ask" path="/dev/tty1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-31 08:26 UTC by Martin Pitt
Modified: 2021-09-30 01:13 UTC
CC: 7 users

Fixed In Version: selinux-policy-34.21-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-30 01:13:53 UTC
Type: Bug
Embargoed:


Attachments
full journal (66.14 KB, text/plain), 2021-08-31 08:27 UTC, Martin Pitt

Description Martin Pitt 2021-08-31 08:26:11 UTC
Description of problem: A relatively new Cockpit integration test [1] sets up a systemd-tty-askpass agent to reply to the LUKS password prompt at boot. This spuriously creates an SELinux violation:
audit: type=1400 audit(1630396253.336:96): avc:  denied  { watch watch_reads } for  pid=480 comm="systemd-tty-ask" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
audit: type=1300 audit(1630396253.336:96): arch=c000003e syscall=254 success=no exit=-13 a0=7 a1=7ffe9c946f23 a2=18 a3=564142057830 items=0 ppid=476 pid=480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent" subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)

This doesn't appear to be something between systemd and SELinux, not influenced by our custom agent. That seems to have merely triggered this code.

Version-Release number of selected component (if applicable):

systemd-248.7-1.fc34.x86_64
selinux-policy-34.16-1.fc34.noarch

How reproducible: Seldom

[1] https://github.com/cockpit-project/cockpit/blob/254b2b8f4e865d98a7/test/verify/check-storage-luks#L478
[2] https://github.com/cockpit-project/cockpit/blob/254b2b8f4e865d98a7338d131ebaf8d02add45b3/test/verify/storagelib.py#L439
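
As an added example (not part of the report, nor code from Cockpit or selinux-policy): a small POSIX sh helper that takes an AVC record like the one above and produces the CIL allow rule a local policy module would need to permit the access until the fixed selinux-policy build is installed. The sample record is the denial quoted in the report, copied as one line; the module name `local_tty_agent` and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy: derive a CIL
# allow rule from an AVC denial record.  Sample record constructed from
# the denial quoted in the report (one line).
SAMPLE_AVC='audit: type=1400 audit(1630396253.336:96): avc:  denied  { watch watch_reads } for  pid=480 comm="systemd-tty-ask" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0'

# avc_field NAME LINE: value of the whitespace-delimited NAME=VALUE pair.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list between '{' and '}' after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_cil LINE: one CIL allow rule covering the denied permissions.
avc_to_cil() {
    line=$1
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    perms=$(avc_perms "$line")
    printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$cls" "$perms"
}

# sesearch_cmd LINE: the setools query that shows whether the loaded policy
# already grants this access (run on the affected host; flags -A/-s/-t/-c/-p
# are standard sesearch options).
sesearch_cmd() {
    line=$1
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    first_perm=$(avc_perms "$line" | cut -d' ' -f1)
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$first_perm"
}

# Stand-alone use: print the rule and the verification query.  To apply the
# rule as a workaround, save the output of avc_to_cil to local_tty_agent.cil
# (hypothetical module name) and load it with: semodule -i local_tty_agent.cil
avc_to_cil "$SAMPLE_AVC"
sesearch_cmd "$SAMPLE_AVC"
```

The rule is intentionally narrow: it names only the source type, target type, object class and the two permissions actually denied, so a temporary module does not widen the agent's access beyond what the report shows. Once selinux-policy-34.21-1.fc34 is installed, `semodule -r local_tty_agent` removes the workaround again.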

Comment 1 Martin Pitt 2021-08-31 08:27:47 UTC
Created attachment 1819294 [details]
full journal

Attaching full journal in case that is useful.

Comment 2 Zdenek Pytela 2021-09-21 19:05:45 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/885

Comment 3 Fedora Update System 2021-09-24 09:55:33 UTC
FEDORA-2021-a15b7e7314 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

Comment 4 Fedora Update System 2021-09-24 21:48:45 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a15b7e7314`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-09-30 01:13:53 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

