1419946 – "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1419946 - "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2 to log in after 3.13.1-236 update

Summary: "agetty: can not connect on UNIX socket" on tty1 after boot, have to use tty2...

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedBlocker
Depends On:
Blocks:	F26BetaBlocker
TreeView+	depends on / blocked

Reported:	2017-02-07 13:34 UTC by Jan Pokorný [poki]
Modified:	2017-02-15 02:22 UTC (History)
CC List:	14 users (show)
Fixed In Version:	selinux-policy-3.13.1-239.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-02-15 02:22:22 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pokorný [poki] 2017-02-07 13:34:39 UTC

Likely relevant in audit.log incl. single systemd instance:

type=AVC msg=audit(1486473506.809:320): avc:  denied  { connectto } for  pid=1489 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:321): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473506.814:322): avc:  denied  { connectto } for  pid=1489 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1486473509.525:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486473509.525:324): avc:  denied  { connectto } for  pid=1 comm="systemd" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.554:325): avc:  denied  { connectto } for  pid=1490 comm="(agetty)" path="/run/systemd/journal/stdout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:326): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1486473509.564:327): avc:  denied  { connectto } for  pid=1490 comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

Comment 1 Paul Whalen 2017-02-07 20:37:28 UTC

Also hitting this after upgrading to selinux-policy-3.13.1-236.fc26.noarch on aarch64 and armhfp.

Comment 2 Paul Whalen 2017-02-08 19:06:39 UTC

Serial console login isn't possible. Nominating as a blocker for F26 Alpha - "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles"

Comment 3 Adam Williamson 2017-02-08 19:07:58 UTC

This is breaking just about every openQA test, also (they wind up at a login prompt, but on tty6 with the Plymouth color scheme...)

+1 blocker.

Comment 4 Adam Williamson 2017-02-08 19:20:00 UTC

booting with enforcing=0 does indeed seem to resolve this, so it definitely looks like an SELinux issue.

Comment 5 Geoffrey Marr 2017-02-13 19:52:34 UTC

Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Beta) as it violates the following Beta blocker criteria:

"The installer must be able to complete an installation using the serial console interface." combined with "A system installed without a graphical package set must boot to a working login prompt without any unintended user intervention"

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

Comment 6 Jan Pokorný [poki] 2017-02-13 20:31:31 UTC

Confirming this issue went away with -239.fc26 package + reboot.

Comment 7 Jens Petersen 2017-02-15 02:18:52 UTC

Yep, looks good to me too, thanks

Comment 8 Adam Williamson 2017-02-15 02:22:22 UTC

Yeah, this is confirmed fixed in the 20170213.n.1 and 20170214.n.0 composes.

Note You need to log in before you can comment on or make changes to this bug.