Bug 1226888

Summary: [Build 20240622] SELinux breaks systemd-getty-generator
Product: [openSUSE] openSUSE Tumbleweed Reporter: Martin Loviska <mloviska>
Component: SecurityAssignee: Cathy Hu <cathy.hu>
Status: VERIFIED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: cathy.hu, felix.niederwanger, fvogt, jsegitz
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.opensuse.org/tests/4292687/modules/firstrun/steps/13
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---
Attachments: journal + list of avcs

Description Martin Loviska 2024-06-24 11:46:54 UTC 
## Observation

openQA test in scenario microos-Tumbleweed-MicroOS-Image-sdboot-x86_64-microos-wizard@uefi fails in
[firstrun](https://openqa.opensuse.org/tests/4292687/modules/firstrun/steps/13)

## Test suite description
Like MicroOS, but use neither combustion nor ignition for the intial configuration, so jeos-firstboot runs.

Encryption recovery key should be visible in [ttyS0](https://openqa.opensuse.org/tests/4292687/logfile?filename=serial0.txt) as in is in tty0 .

Both consoles are set among kernel parameters during firstboot and console are listed in active according to /sys/devices/virtual/tty/console/active

## Reproducible

Fails since (at least) Build [20240614](https://openqa.opensuse.org/tests/4275351)


## Expected result

Last good: [20240613](https://openqa.opensuse.org/tests/4271502) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=MicroOS-Image-sdboot&machine=uefi&test=microos-wizard&version=Tumbleweed)
Comment 1 Martin Loviska 2024-07-02 12:13:49 UTC 
Created attachment 875831 [details]
journal + list of avcs
Comment 2 Martin Loviska 2024-07-02 12:16:44 UTC 
Suspicious log entries regarding getty generator

> Jul 02 11:53:49 localhost.localdomain systemd-getty-generator[1546]: Failed to  parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:54:44 localhost.localdomain systemd-getty-generator[1575]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:57:39 localhost.localdomain systemd-getty-generator[1617]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:57:43 localhost.localdomain systemd-getty-generator[1645]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
Comment 3 Fabian Vogt 2024-07-10 13:33:35 UTC 
getty-generator does:
> r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &getty_auto);

Opening /proc/1/environ fails with EACCESS. According to the code it should effectively treat that as "true", but apparently that's not the case?
Comment 4 Fabian Vogt 2024-07-15 08:57:08 UTC 
(In reply to Fabian Vogt from comment #3)
> getty-generator does:
> > r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &getty_auto);
> 
> Opening /proc/1/environ fails with EACCESS. According to the code it should
> effectively treat that as "true", but apparently that's not the case?

^ is a bug as well, but a red herring. With strace it's visible that it tries to open /dev/ttyS0 but fails with -EACCES. No denial in audit.log though.
Comment 5 Johannes Segitz 2024-07-15 09:40:04 UTC 
please try again with dontaudit rules disabled
semodule -DB
that sounds very much like a candidate
Comment 6 Cathy Hu 2024-07-15 10:04:00 UTC 
fabian found the solution, i will queue up an update
Comment 8 Fabian Vogt 2024-07-15 12:18:41 UTC 
(In reply to Cathy Hu from comment #7)
> https://build.opensuse.org/request/show/1187549

Works!