Bug ID 1187313
Summary selinux-policy-targeted breaks StandardOutput=tty
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter fvogt@suse.com
QA Contact qa-bugs@suse.de
CC kubic-bugs@opensuse.org
Found By ---
Blocker ---

Services with StandardOutput=tty (like MicroOS-Firstboot) fail to start when
the targeted policy is enforced:

Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed to set up standard input: Permission denied
Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 audit(1623419825.264:7): avc:  denied  { watch watch_reads } for  pid=1183 comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed at step STDIN spawning /usr/libexec/MicroOS-firstboot: Permission denied

The Fedora policy allows that for TTYs, so we should probably do the same for
console_device_t:
https://github.com/fedora-selinux/selinux-policy/commit/f4a7e3a562499916c83cb1a3dd9c94413e5224e1
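
Added example, not part of the original report or of the selinux-policy project: a Python parser that reads AVC denial records like the one above and merges them into the allow rules the loaded policy lacks, in the style of audit2allow. The function names are assumptions made for this example, and the emitted rule is only what the log line implies, not the text of the Fedora commit.

```python
import re
from collections import defaultdict

# AVC record from the report above, rejoined onto one line.
SAMPLE = (
    'Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 '
    'audit(1623419825.264:7): avc:  denied  { watch watch_reads } for  '
    'pid=1183 comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def setype(context):
    """Type field of a user:role:type[:level] context; the level may contain ':'."""
    return context.split(':', 3)[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None  # truncated record: not enough to name a rule
    return {
        'perms': m.group(1).split(),
        'source': setype(kv['scontext']),
        'target': setype(kv['tcontext']),
        'tclass': kv['tclass'],
        'path': kv.get('path'),
        'enforced': kv.get('permissive') == '0',
    }


def missing_rules(lines):
    """Merge denials per (source, target, class) into policy-language allow rules."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            merged[avc['source'], avc['target'], avc['tclass']].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

The `enforced` field separates denials that actually blocked the service (`permissive=0`, as here) from ones that were only logged.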

