Bug 1933902
| Summary: | selinux prevents systemd early debug-shell from working | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris Murphy <bugzilla> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 34 | CC: | awilliam, bugzilla, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | AcceptedFreezeException | | |
| Fixed In Version: | selinux-policy-3.14.7-25.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-16 00:29:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1829023 | | |
| Attachments: | | | |
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/627

Proposed as a Freeze Exception for 34-beta by Fedora user chrismurphy using the blocker tracking app because: Early debug shell is used for debugging, it'd be nice to have it working for beta release.

+3 in https://pagure.io/fedora-qa/blocker-review/issue/276, marking accepted.

PR merged, will be in the next package build.

*** Bug 1937580 has been marked as a duplicate of this bug. ***

Zdenek, can we please get a package build? We are already building Beta candidates and it would be very good to have this fixed in them.

Both F34 and F35 are already in process, there are dist-git PRs waiting for CI to finish.

FEDORA-2021-1e99f2ed79 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
Created attachment 1760121: journal.log

Description of problem:

```
[chris@fmac ~]$ systemctl status debug-shell.service
× debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
     Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2021-03-01 17:49:29 MST; 8min ago
       Docs: man:systemd-debug-generator(8)
    Process: 579 ExecStart=/bin/sh (code=exited, status=208/STDIN)
```

Version-Release number of selected component (if applicable): selinux-policy-3.14.7-23.fc34.noarch

How reproducible: Always

Steps to Reproduce:
1. systemctl enable debug-shell.service
2. reboot
3.

Actual results: Multiple instances of:

```
[ 7.079494] systemd[1]: Started Early root shell on /dev/tty9 FOR DEBUGGING ONLY.
[ 7.083976] kernel: audit: type=1130 audit(1614618011.508:71): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=debug-shell comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7.084956] systemd[1]: Starting Create list of static device nodes for the current kernel...
[ 7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc: denied { watch watch_reads } for pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[ 7.090205] systemd[550]: debug-shell.service: Failed to set up standard input: Permission denied
[ 7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
```

Expected results: The service should start

Additional info:
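The journal excerpt in the description can be read mechanically: pairing the AVC record (type=1400) with the SYSCALL record (type=1300) of the same audit event shows which system call was refused and which allow rule the denial corresponds to. The Python below is an added example, not part of the bug report or of the selinux-policy fix. The two journal lines are copied from the report; the function names are hypothetical and the syscall table covers only the x86_64 number seen here.

```python
import errno
import re

# Both records of audit event :72, copied from the journal excerpt in the report.
JOURNAL = '''\
[ 7.090204] kernel: audit: type=1400 audit(1614618011.514:72): avc: denied { watch watch_reads } for pid=550 comm="(sh)" path="/dev/tty9" dev="devtmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
[ 7.090208] kernel: audit: type=1300 audit(1614618011.514:72): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=557373cb7d80 a2=18 a3=0 items=0 ppid=1 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sh)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
'''

RECORD = re.compile(r"type=(\d+) audit\((\d+\.\d+:\d+)\): (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for .*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+) permissive=(\d)")
# Assumption: only the x86_64 syscall number that appears in this report is mapped.
X86_64_SYSCALLS = {254: "inotify_add_watch"}

def parse(journal):
    """Group audit records by event id so AVC (1400) and SYSCALL (1300) pair up."""
    events = {}
    for line in journal.splitlines():
        m = RECORD.search(line)
        if m:
            events.setdefault(m.group(2), {})[int(m.group(1))] = m.group(3)
    return events

def explain(events):
    """One dict per enforced denial: the rule it implies and the syscall that failed."""
    out = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get(1400, ""))
        if not avc or avc.group(5) != "0":
            continue  # no denial, or permissive mode (logged but not blocked)
        perms, scon, tcon, tclass = avc.group(1).split(), *avc.group(2, 3, 4)
        stype, ttype = scon.split(":")[2], tcon.split(":")[2]  # user:role:type:level
        fields = dict(kv.split("=", 1) for kv in recs.get(1300, "").split() if "=" in kv)
        nr = int(fields.get("syscall", -1))
        out.append({
            "event": event_id,
            "rule": f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};",
            "syscall": X86_64_SYSCALLS.get(nr, str(nr)),
            "errno": errno.errorcode.get(-int(fields.get("exit", 0)), "?"),
        })
    return out

if __name__ == "__main__":
    for denial in explain(parse(JOURNAL)):
        print(denial)
```

The derived rule only restates the denial; the change that actually shipped is the one in the selinux-policy pull request linked in the comments.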