https://bugzilla.suse.com/show_bug.cgi?id=1187313

Bug ID: 1187313
Summary: selinux-policy-targeted breaks StandardOutput=tty
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fvogt@suse.com
QA Contact: qa-bugs@suse.de
CC: kubic-bugs@opensuse.org
Found By: ---
Blocker: ---

Services with StandardOutput=tty (like MicroOS-Firstboot) fail to start when the targeted policy is enforced:

Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed to set up standard input: Permission denied
Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 audit(1623419825.264:7): avc: denied { watch watch_reads } for pid=1183 comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed at step STDIN spawning /usr/libexec/MicroOS-firstboot: Permission denied

The Fedora policy allows that for TTYs, so should probably do the same for console_device_t:
https://github.com/fedora-selinux/selinux-policy/commit/f4a7e3a562499916c83c...
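
For triage of the denial quoted in this report, the following added example (not part of the original report or of any SUSE or Fedora tooling) parses AVC denial records and merges them into candidate allow rules for policy review, similar to what audit2allow derives. The function names are hypothetical; the sample lines are the ones from the report.

```python
import re
from collections import defaultdict

# Log lines copied from the report above; only the kernel audit line is an AVC record.
SAMPLE_LOG = [
    'Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: '
    'Failed to set up standard input: Permission denied',
    'Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 '
    'audit(1623419825.264:7): avc: denied { watch watch_reads } for pid=1183 '
    'comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return parts[2]


def rules_from_log(lines):
    """Merge denials per (source type, target type, class) into candidate allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue  # not an AVC denial, or a truncated record
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        merged[key].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    print('\n'.join(rules_from_log(SAMPLE_LOG)))
```

The output is a starting point for reviewing the policy change, since it grants the permissions to every init_t process rather than only to the failing service.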