[Bug 1187313] New: selinux-policy-targeted breaks StandardOutput=tty
https://bugzilla.suse.com/show_bug.cgi?id=1187313

Bug ID: 1187313
Summary: selinux-policy-targeted breaks StandardOutput=tty
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fvogt@suse.com
QA Contact: qa-bugs@suse.de
CC: kubic-bugs@opensuse.org
Found By: ---
Blocker: ---

Services with StandardOutput=tty (like MicroOS-Firstboot) fail to start when the targeted policy is enforced:

Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed to set up standard input: Permission denied
Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 audit(1623419825.264:7): avc: denied { watch watch_reads } for pid=1183 comm="(irstboot)" path="/dev/console" dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0
Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: Failed at step STDIN spawning /usr/libexec/MicroOS-firstboot: Permission denied

The Fedora policy allows that for TTYs, so should probably do the same for console_device_t:
https://github.com/fedora-selinux/selinux-policy/commit/f4a7e3a562499916c83c...

-- You are receiving this mail because: You are on the CC list for the bug.
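The AVC record above carries everything needed to decide what the policy is missing: the subject type (init_t, from scontext), the object type (console_device_t, from tcontext), the object class (chr_file) and the refused permissions (watch, watch_reads); permissive=0 confirms the access was actually blocked rather than only logged, which is why the service failed. The following is an added example, not code from the bug report or from the selinux-policy project: it parses journal lines of that shape, skips the non-AVC systemd messages, and merges the denials into the audit2allow-style allow rules a local policy module would carry. The three sample lines are a constructed copy of the ones quoted in the report. Whether the distribution fix used exactly this rule or an interface macro, as the linked Fedora commit does for TTYs, is not stated on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three journal lines quoted in the bug report, embedded
# here so the example runs offline. Only the middle one is an AVC record.
SAMPLE_LOG = [
    'Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: '
    'Failed to set up standard input: Permission denied',
    'Jun 11 13:57:05 f195.suse.de kernel: audit: type=1400 audit(1623419825.264:7): '
    'avc: denied { watch watch_reads } for pid=1183 comm="(irstboot)" '
    'path="/dev/console" dev="devtmpfs" ino=12 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=0',
    'Jun 11 13:57:05 f195.suse.de systemd[1183]: MicroOS-firstboot.service: '
    'Failed at step STDIN spawning /usr/libexec/MicroOS-firstboot: Permission denied',
]

# Shape of a kernel AVC record: avc: denied { perm perm } for key=value key="quoted" ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]   # permissions that were refused, e.g. ("watch", "watch_reads")
    source_type: str         # type part of scontext (the subject), e.g. init_t
    target_type: str         # type part of tcontext (the object), e.g. console_device_t
    tclass: str              # object class, e.g. chr_file
    path: Optional[str]      # object path if the kernel recorded one
    permissive: bool         # True means the access was logged but not blocked


def _type_of(context: str) -> str:
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one journal/audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None or m.group('result') != 'denied':
        return None
    fields: Dict[str, str] = {
        k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))
    }
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        source_type=_type_of(fields['scontext']),
        target_type=_type_of(fields['tcontext']),
        tclass=fields['tclass'],
        path=fields.get('path'),
        permissive=fields.get('permissive') == '1',
    )


def allow_rule(d: AvcDenial) -> str:
    """Render the kernel-policy allow rule that would satisfy this one denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def rules_from_log(lines: List[str]) -> List[str]:
    """Merge all denials in a log into one allow rule per (source, target, class)."""
    merged: Dict[Tuple[str, str, str], List[str]] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.source_type, d.target_type, d.tclass)
        perms = merged.setdefault(key, [])
        for p in d.perms:
            if p not in perms:
                perms.append(p)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        for (s, t, c), perms in sorted(merged.items())
    ]


if __name__ == '__main__':
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
    # prints: allow init_t console_device_t:chr_file { watch watch_reads };
```

The merge step matters in practice because systemd often trips several denials for the same pair before giving up; one rule per (source, target, class) keeps the resulting module readable and makes it obvious when a rule would grant more than the failing service needs. Before adding any generated rule to a policy, check that the subject type is the one you expect (here init_t spawning the service) rather than an unrelated domain.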
--- Comment #1 from Johannes Segitz
--- Comment #2 from Fabian Vogt
> Yes, that's something we can add.
> How can this be reproduced? I would expect that this triggers on the first boot after install with SELinux enabled, but it doesn't for me.

It only runs when /etc/machine-id doesn't exist, but with DVD installs that's done by YaST already. You can either remove that and reboot or try one of the images from https://build.opensuse.org/package/show/home:favogt:microselinux/openSUSE-Mi...
--- Comment #3 from Fabian Vogt

--- Comment #4 from Ludwig Nussel

--- Comment #5 from Thorsten Kukuk
While the report is certainly valid for services that have tty as output the blocker can be resolved by dropping the firstboot "wizard" from MicroOS. It serves no purpose anymore.
And who creates in that case /etc/machine-id?
--- Comment #6 from Ludwig Nussel

--- Comment #7 from Fabian Vogt

--- Comment #8 from Johannes Segitz

--- Comment #11 from Fabian Vogt
> While the report is certainly valid for services that have tty as output the blocker can be resolved by dropping the firstboot "wizard" from MicroOS. It serves no purpose anymore.

FTR, also breaks systemd-firstboot:

Oct 07 09:12:59.683128 localhost systemd[1151]: systemd-firstboot.service: Failed to set up standard input: Permission denied
--- Comment #12 from Fabian Vogt
> Sorry I didn't see that, for some reason I don't get emails for this bug (last one in my mails is when I asked for the reproduction steps, then nothing).
> The change is already in security:SELinux. I'll submit it for Micro as a patch.

I still see the failure with selinux-policy{,-targeted}-20210716-4.1 from latest Tumbleweed, same state as security:SELinux.
--- Comment #13 from Fabian Vogt
> The change is already in security:SELinux. I'll submit it for Micro as a patch.

It appears like that wasn't actually true at that point. The change done by the patch was not in security:SELinux until 20211111, so also not part of my test.
--- Comment #14 from Swamp Workflow Management