Bug 2298080 - SELinux policy prevents systemd-getty-generator from enabling serial-getty
Summary: SELinux policy prevents systemd-getty-generator from enabling serial-getty@tt...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-16 08:31 UTC by Sam Morris
Modified: 2024-07-30 01:32 UTC (History)

Fixed In Version: selinux-policy-40.26-1.fc40
Clone Of:
Environment:
Last Closed: 2024-07-30 01:32:39 UTC
Type: ---
Embargoed:



Description Sam Morris 2024-07-16 08:31:57 UTC
When I run systemd-getty-generator by hand (unconfined):

  root@fedora:~# SYSTEMD_LOG_LEVEL=debug /lib/systemd/system-generators/systemd-getty-generator /tmp/1 /tmp/2 /tmp/3
  Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
  Found container virtualization none.
  Automatically adding serial getty for /dev/ttyS0.

... it correctly enables serial-getty (creates /tmp/1/getty.target.wants/serial-getty).

But when it's run by systemd (for instance, when I run systemctl daemon-reload) it doesn't create the symlink.

It logs the following message, which is not logged when I run it by hand:

  Jul 16 08:58:41 systemd-getty-generator[2076]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied

After disabling dontaudit rules I see a bunch of AVC audit events.

Jul 16 08:58:41 systemd[1]: Reloading requested from client PID 2038 ('systemctl') (unit session-1.scope)...
Jul 16 08:58:41 systemd[1]: Reloading...
Jul 16 08:58:41 audit[765]: USER_MAC_POLICY_LOAD pid=765 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=2 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jul 16 08:58:41 audit[2070]: AVC avc:  denied  { read } for  pid=2070 comm="selinux-autorel" name="passwd" dev="sdc3" ino=348597 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Jul 16 08:58:41 audit[2071]: AVC avc:  denied  { search } for  pid=2071 comm="systemd-bless-b" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_bless_boot_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2071]: AVC avc:  denied  { search } for  pid=2071 comm="systemd-bless-b" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_bless_boot_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2071]: AVC avc:  denied  { net_admin } for  pid=2071 comm="systemd-bless-b" capability=12  scontext=system_u:system_r:systemd_bless_boot_generator_t:s0 tcontext=system_u:system_r:systemd_bless_boot_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2082]: AVC avc:  denied  { search } for  pid=2082 comm="systemd-rc-loca" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2082]: AVC avc:  denied  { search } for  pid=2082 comm="systemd-rc-loca" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2082]: AVC avc:  denied  { net_admin } for  pid=2082 comm="systemd-rc-loca" capability=12  scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:systemd_rc_local_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2078]: AVC avc:  denied  { search } for  pid=2078 comm="systemd-gpt-aut" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2078]: AVC avc:  denied  { search } for  pid=2078 comm="systemd-gpt-aut" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2078]: AVC avc:  denied  { net_admin } for  pid=2078 comm="systemd-gpt-aut" capability=12  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2074]: AVC avc:  denied  { search } for  pid=2074 comm="systemd-debug-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2074]: AVC avc:  denied  { search } for  pid=2074 comm="systemd-debug-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2074]: AVC avc:  denied  { net_admin } for  pid=2074 comm="systemd-debug-g" capability=12  scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:systemd_debug_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2078]: AVC avc:  denied  { sys_admin } for  pid=2078 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { search } for  pid=2076 comm="systemd-getty-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { search } for  pid=2076 comm="systemd-getty-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2075]: AVC avc:  denied  { search } for  pid=2075 comm="systemd-fstab-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2075]: AVC avc:  denied  { search } for  pid=2075 comm="systemd-fstab-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2075]: AVC avc:  denied  { net_admin } for  pid=2075 comm="systemd-fstab-g" capability=12  scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:systemd_fstab_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { net_admin } for  pid=2076 comm="systemd-getty-g" capability=12  scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:systemd_getty_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 systemd-getty-generator[2076]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { search } for  pid=2076 comm="systemd-getty-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { read write } for  pid=2076 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=101 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Jul 16 08:58:41 audit[2089]: AVC avc:  denied  { search } for  pid=2089 comm="systemd-sysv-ge" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2089]: AVC avc:  denied  { search } for  pid=2089 comm="systemd-sysv-ge" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2089]: AVC avc:  denied  { net_admin } for  pid=2089 comm="systemd-sysv-ge" capability=12  scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:systemd_sysv_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2092]: AVC avc:  denied  { search } for  pid=2092 comm="systemd-detect-" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
Jul 16 08:58:41 audit[2092]: AVC avc:  denied  { read } for  pid=2092 comm="systemd-detect-" name="environ" dev="proc" ino=2323 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Jul 16 08:58:41 audit[2092]: AVC avc:  denied  { open } for  pid=2092 comm="systemd-detect-" path="/proc/1/environ" dev="proc" ino=2323 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Jul 16 08:58:41 audit[2092]: AVC avc:  denied  { getattr } for  pid=2092 comm="systemd-detect-" path="/proc/1/environ" dev="proc" ino=2323 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Jul 16 08:58:41 audit[2092]: AVC avc:  denied  { ioctl } for  pid=2092 comm="systemd-detect-" path="/proc/1/environ" dev="proc" ino=2323 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Jul 16 08:58:42 systemd[1]: Reloading finished in 269 ms.


Reproducible: Always

Steps to Reproduce:
1. Boot with console=ttyS0,115200n8 console=tty0 kernel parameters
2. Run 'systemctl status serial-getty'

Actual Results:  
Unit is not running

Expected Results:  
Unit should be running

Just focussing on the events for systemd-getty-generator, I believe the final event prevents the generator from working:

type=AVC msg=audit(16/07/24 08:58:41.866:450) : avc:  denied  { read write } for  pid=2076 comm=systemd-getty-g name=ttyS0 dev="devtmpfs" ino=101 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 

Here's the relevant code: https://github.com/systemd/systemd/blob/d350651c47da0377d835b926d6cabe292f10c745/src/getty-generator/getty-generator.c#L265. It calls verify_tty("ttyS0"); if that function returns a negative int (error code), then add_serial_getty("ttyS0") is not called.

verify_tty returns an error code if opening /dev/ttyS0 fails and it is this operation that is blocked by SELinux policy.

Workaround: run 'semanage permissive -a systemd_getty_generator_t' then 'systemctl daemon-reload' and observe that /run/systemd/generator/getty.target.wants/serial-getty has been created, then run systemctl status serial-getty and observe that it is 'enabled-runtime'.

As for the other events:

* I don't know what the first three 'search' events for dev="proc" relate to

* dev="proc", ino=346 is the generator attempting to read /proc/1/environ so that it can check for the SYSTEMD_GETTY_AUTO environment variable

* I'm not sure why net_admin appears

* I can file separate bugs for the denials for the other domains if you want - I don't use/haven't noticed those functionalities being broken myself

Comment 1 Sam Morris 2024-07-16 08:32:50 UTC
NVR: selinux-policy-40.23-1.fc40.noarch

Comment 2 Zdenek Pytela 2024-07-16 09:43:56 UTC
The getty generator issue should be resolved in the next F40 and F41 builds, see also https://bugzilla.redhat.com/show_bug.cgi?id=2290482

There are other fixes which should appear in the subsequent one, but I still don't have enough information or good reproducers.

You can get more information out of audit, e.g.

type=PROCTITLE msg=audit(07/16/2024 00:12:40.383:984) : proctitle=systemd-detect-virt --quiet --container 
type=PATH msg=audit(07/16/2024 00:12:40.383:984) : item=0 name=/proc/1/environ inode=27032 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/16/2024 00:12:40.383:984) : cwd=/ 
type=SYSCALL msg=audit(07/16/2024 00:12:40.383:984) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7ffdde0d0b60 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=4054 pid=4061 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-detect- exe=/usr/bin/systemd-detect-virt subj=system_u:system_r:systemd_zram_generator_t:s0 key=(null) 
type=AVC msg=audit(07/16/2024 00:12:40.383:984) : avc:  denied  { open } for  pid=4061 comm=systemd-detect- path=/proc/1/environ dev="proc" ino=27032 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/16/2024 00:12:40.383:984) : avc:  denied  { read } for  pid=4061 comm=systemd-detect- name=environ dev="proc" ino=27032 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/16/2024 00:12:40.383:984) : avc:  denied  { search } for  pid=4061 comm=systemd-detect- name=1 dev="proc" ino=407 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1 

which is important for troubleshooting and suggesting a fix.
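
The description singles out the one enforced denial (read/write on ttyS0, tclass=chr_file) as the cause, and Comment 2 shows that the same AVC records can be pulled out of audit in ausearch -i form. The following script is an added example, not part of this bug report, of selinux-policy, or of systemd: it parses both record shapes seen on this page, separates denials that were actually enforced (permissive=0) from ones merely logged in permissive mode, and collapses them into candidate allow rules per source domain for review. SAMPLE_LOG is constructed from lines copied out of the report; the function names are the example's own.

```python
"""Summarize SELinux AVC denials per source domain and turn them into
candidate allow rules for policy review.

Added example (not from the bug report, selinux-policy, or systemd).
Handles both record shapes seen on the page: the journal format
("audit[pid]: AVC avc:  denied ...") and the ausearch -i format
("type=AVC msg=audit(...) : avc:  denied ...").
"""
import re
from collections import defaultdict

# "avc:  denied  { read write } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs after "for"; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: three getty-generator lines from the description (journal
# format) plus one zram-generator line from Comment 2 (ausearch -i format).
SAMPLE_LOG = """\
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { search } for  pid=2076 comm="systemd-getty-g" name="1" dev="proc" ino=346 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { net_admin } for  pid=2076 comm="systemd-getty-g" capability=12  scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:systemd_getty_generator_t:s0 tclass=capability permissive=0
Jul 16 08:58:41 audit[2076]: AVC avc:  denied  { read write } for  pid=2076 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=101 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(07/16/2024 00:12:40.383:984) : avc:  denied  { open } for  pid=4061 comm=systemd-detect- path=/proc/1/environ dev="proc" ino=27032 scontext=system_u:system_r:systemd_zram_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # object being accessed: a path, a file name, or a capability number
        "target": fields.get("path") or fields.get("name") or fields.get("capability"),
        # permissive=0 means the access really was refused; permissive=1 means
        # it was only logged and cannot explain a failure
        "enforced": fields.get("permissive") == "0",
    }


def domain_of(context):
    """system_u:system_r:systemd_getty_generator_t:s0 -> systemd_getty_generator_t"""
    return context.split(":")[2]


def summarize(text):
    """Group denied permissions by (source type, target type, class, enforced)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (domain_of(rec["scontext"]), domain_of(rec["tcontext"]),
               rec["tclass"], rec["enforced"])
        rules[key].update(rec["perms"])
    return rules


def to_allow_rules(rules):
    """Render the grouped denials as allow rules for a policy reviewer to judge."""
    out = []
    for (src, tgt, cls, enforced), perms in sorted(rules.items()):
        tgt_expr = "self" if src == tgt else tgt  # capability denials target the domain itself
        note = "" if enforced else "  # logged in permissive mode, not enforced"
        out.append(f"allow {src} {tgt_expr}:{cls} {{ {' '.join(sorted(perms))} }};{note}")
    return out


def enforced_denials(text, domain):
    """List (tclass, target, perms) for denials that really blocked `domain`."""
    found = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"] and domain_of(rec["scontext"]) == domain:
            found.append((rec["tclass"], rec["target"], rec["perms"]))
    return found


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
    print(enforced_denials(SAMPLE_LOG, "systemd_getty_generator_t"))
```

On the sample, the getty-generator domain yields three enforced denials (the /proc/1 dir search, net_admin, and read/write on ttyS0), while the zram-generator record is flagged as permissive-only. The rendered rules are starting points for a reviewer, in the same spirit as audit2allow output: each one still has to be checked against what the generator legitimately needs before it goes into policy.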

Comment 3 Fedora Update System 2024-07-23 14:44:03 UTC
FEDORA-2024-391cfa58c2 (selinux-policy-40.25-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-391cfa58c2

Comment 4 Fedora Update System 2024-07-24 03:51:14 UTC
FEDORA-2024-391cfa58c2 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-391cfa58c2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-391cfa58c2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2024-07-26 01:58:53 UTC
FEDORA-2024-f6d12d5c36 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f6d12d5c36`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f6d12d5c36

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2024-07-30 01:32:39 UTC
FEDORA-2024-f6d12d5c36 (selinux-policy-40.26-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

