Description of problem:
kbdrate cannot access tty through StandardInput=tty as a systemd service

Sep 04 12:58:34 localhost.localdomain systemd[1170]: kbdrate.service: Failed to set up standard input: Permission denied
Sep 04 12:58:34 localhost.localdomain systemd[1170]: kbdrate.service: Failed at step STDIN spawning /usr/bin/kbdrate: Permission denied

The following AVC denial is the culprit:

type=AVC msg=audit(04/09/21 12:58:34.422:149) : avc: denied { watch watch_reads } for pid=1170 comm=(kbdrate) path=/dev/console dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0

Version-Release number of selected component (if applicable):
kbd-2.4.0-2.fc34.x86_64
selinux-policy-34.16-1.fc34.noarch

How reproducible:
Create a kbdrate service file as explained here: https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration#Systemd_service. Then enable it and restart the computer.

Steps to Reproduce:
1. Create a kbdrate service as explained here: https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration#Systemd_service
2. Enable the service
3. Restart the computer

Actual results:
Service fails because kbdrate cannot access the tty through StandardInput=tty

Expected results:
kbdrate accesses the tty and sets the repeat rate.

Additional info:
audit2allow gives the following proposal:

require {
	type console_device_t;
	type init_t;
	class chr_file { watch watch_reads };
}

#============= init_t ==============
allow init_t console_device_t:chr_file { watch watch_reads };
I believe this is also breaking systemd's debug-shell.service, which should spawn a root console (no authentication needed) on tty9 when enabled. If you boot in enforcing mode, there is nothing on tty9, and the service shows as failed with those same "Permission denied" errors. debug-shell.service also uses StandardInput=tty.

Bumping severity to medium, as debug-shell.service is pretty important. Of course you can boot with enforcing=0 to make it work.
Following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(09/08/2021 09:04:12.734:306) : proctitle=(kbdrate)
type=PATH msg=audit(09/08/2021 09:04:12.734:306) : item=0 name=/dev/console inode=12 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=05:01 obj=system_u:object_r:console_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/08/2021 09:04:12.734:306) : cwd=/
type=SYSCALL msg=audit(09/08/2021 09:04:12.734:306) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x562691305e8e a2=0x18 a3=0x0 items=1 ppid=1 pid=1168 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(kbdrate) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/08/2021 09:04:12.734:306) : avc: denied { watch watch_reads } for pid=1168 comm=(kbdrate) path=/dev/console dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
----

Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(09/08/2021 09:05:03.510:316) : proctitle=(kbdrate)
type=PATH msg=audit(09/08/2021 09:05:03.510:316) : item=0 name=/dev/console inode=12 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=05:01 obj=system_u:object_r:console_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/08/2021 09:05:03.510:316) : cwd=/
type=SYSCALL msg=audit(09/08/2021 09:05:03.510:316) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x3 a1=0x562691305e8e a2=0x18 a3=0x0 items=1 ppid=1 pid=1202 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(kbdrate) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/08/2021 09:05:03.510:316) : avc: denied { watch watch_reads } for pid=1202 comm=(kbdrate) path=/dev/console dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=1
----

# rpm -qa selinux\* kbd\* | sort
kbd-2.4.0-6.fc35.x86_64
kbd-misc-2.4.0-6.fc35.noarch
selinux-policy-34.16-1.fc35.noarch
selinux-policy-targeted-34.16-1.fc35.noarch
#
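The audit2allow proposal in the description is the mechanical part of triaging these records: take each `avc: denied { ... }` line, reduce scontext and tcontext to their type component, and emit one allow rule per (source type, target type, object class). The Python below is an added example, not code from kbd, systemd, audit2allow or the Fedora policy; it reimplements that step over the two AVC records quoted in this report (embedded inline as constructed sample input, together with a non-AVC record to show it is skipped) and also separates denials that actually blocked the syscall (permissive=0, matching `success=no exit=EACCES` above) from ones the kernel only logged (permissive=1, where the SYSCALL record shows `success=yes`). The module name `kbdrate_console` is an assumption.

```python
"""Turn SELinux AVC denial records into a minimal Type Enforcement (.te) module.

Added example for this bug report; it is not part of kbd, systemd, audit2allow
or the Fedora policy. It reproduces the shape of the proposal quoted in the
description so the reader can see exactly what would be granted.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the two AVC records quoted in this report (one from an
# enforcing boot, one from a permissive boot) plus a PROCTITLE record that must be
# ignored. Real input would come from `ausearch -m AVC -i` or /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/09/21 12:58:34.422:149) : avc: denied { watch watch_reads } for pid=1170 comm=(kbdrate) path=/dev/console dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
type=PROCTITLE msg=audit(09/08/2021 09:05:03.510:316) : proctitle=(kbdrate)
type=AVC msg=audit(09/08/2021 09:05:03.510:316) : avc: denied { watch watch_reads } for pid=1202 comm=(kbdrate) path=/dev/console dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=1
"""

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for non-AVC records (PATH, SYSCALL, ...)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=1: the kernel logged the denial but let the syscall succeed.
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
    }


def type_of(context: str) -> str:
    """user:role:type[:range] -> type, the component an allow rule is written against."""
    return context.split(":")[2]


def collect_rules(audit_text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denied permissions by (source type, target type, object class)."""
    rules: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def enforced_denials(audit_text: str) -> List[Dict[str, object]]:
    """Only the records that actually blocked an operation (permissive=0)."""
    recs = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in recs if r is not None and not r["permissive"]]


def render_te_module(name: str, audit_text: str) -> str:
    """Render a .te module in the same layout as the audit2allow proposal above."""
    rules = collect_rules(audit_text)
    types = sorted({t for key in rules for t in key[:2]})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module("kbdrate_console", SAMPLE_AUDIT))
```

The rendered text can be compiled and loaded with `checkmodule -M -m -o kbdrate_console.mod kbdrate_console.te`, `semodule_package -o kbdrate_console.pp -m kbdrate_console.mod` and `semodule -i kbdrate_console.pp`, and removed again with `semodule -r kbdrate_console` once the distribution policy carries the fix. Note what the rule actually grants: SELinux allow rules are keyed by type, not path, so `init_t` gains `watch watch_reads` on every `console_device_t` character device, not just the `/dev/console` inode that triggered the denial. That is exactly why the permanent fix belongs in the distribution policy rather than in a per-host module generated from whatever happened to be denied.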
(In reply to Adam Williamson from comment #1)
> I believe this is also breaking systemd's debug-shell.service, which should
> spawn a root console (no authentication needed) on tty9 when enabled. If you
> boot in enforcing mode, there is nothing on tty9, and the service shows as
> failed with those same "Permission denied" errors. debug-shell.service does
> also use StandardInput=tty .
>
> Bumping severity to medium, as debug-shell.service is pretty important. Of
> course you can boot with enforcing=0 to make it work.

debug-shell uses tty9, which has the tty_device_t label; there is some problem with it too, though. bz#1991329
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/892
FEDORA-2021-a15b7e7314 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a15b7e7314` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Tested the update and left feedback. It works, thanks!
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.