Bug ID | 1187313 |
---|---|
Summary | selinux-policy-targeted breaks StandardOutput=tty |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | fvogt@suse.com |
QA Contact | qa-bugs@suse.de |
CC | kubic-bugs@opensuse.org |
Found By | --- |
Blocker | --- |

Services with StandardOutput=tty (like MicroOS-Firstboot) fail to start when the targeted policy is enforced:

```
Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed to set up standard input: Permission denied
Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 audit(1623419825.264:7): avc: denied { watch watch_reads } for pid=1183 comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed at step STDIN spawning /usr/libexec/MicroOS-firstboot: Permission denied
```

The Fedora policy allows that for TTYs, so should probably do the same for console_device_t: https://github.com/fedora-selinux/selinux-policy/commit/f4a7e3a562499916c83cb1a3dd9c94413e5224e1