Bug 1226888 - [Build 20240622] SELinux breaks systemd-getty-generator
Summary: [Build 20240622] SELinux breaks systemd-getty-generator
Status: VERIFIED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL: https://openqa.opensuse.org/tests/429...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-24 11:46 UTC by Martin Loviska
Modified: 2024-07-18 06:54 UTC (History)
CC List: 4 users

See Also:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Attachments
journal + list of avcs (323.00 KB, application/x-xz)
2024-07-02 12:13 UTC, Martin Loviska

Description Martin Loviska 2024-06-24 11:46:54 UTC
## Observation

openQA test in scenario microos-Tumbleweed-MicroOS-Image-sdboot-x86_64-microos-wizard@uefi fails in
[firstrun](https://openqa.opensuse.org/tests/4292687/modules/firstrun/steps/13)

## Test suite description
Like MicroOS, but use neither combustion nor ignition for the initial configuration, so jeos-firstboot runs.

Encryption recovery key should be visible in [ttyS0](https://openqa.opensuse.org/tests/4292687/logfile?filename=serial0.txt) as it is in tty0.

Both consoles are set among the kernel parameters during firstboot, and the consoles are listed as active according to /sys/devices/virtual/tty/console/active

## Reproducible

Fails since (at least) Build [20240614](https://openqa.opensuse.org/tests/4275351)


## Expected result

Last good: [20240613](https://openqa.opensuse.org/tests/4271502) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=MicroOS-Image-sdboot&machine=uefi&test=microos-wizard&version=Tumbleweed)
Comment 1 Martin Loviska 2024-07-02 12:13:49 UTC
Created attachment 875831
journal + list of avcs
Comment 2 Martin Loviska 2024-07-02 12:16:44 UTC
Suspicious log entries regarding getty generator

> Jul 02 11:53:49 localhost.localdomain systemd-getty-generator[1546]: Failed to  parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:54:44 localhost.localdomain systemd-getty-generator[1575]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:57:39 localhost.localdomain systemd-getty-generator[1617]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
> Jul 02 11:57:43 localhost.localdomain systemd-getty-generator[1645]: Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: Permission denied
Comment 3 Fabian Vogt 2024-07-10 13:33:35 UTC
getty-generator does:
> r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &getty_auto);

Opening /proc/1/environ fails with EACCES. According to the code it should effectively treat that as "true", but apparently that's not the case?
Comment 4 Fabian Vogt 2024-07-15 08:57:08 UTC
(In reply to Fabian Vogt from comment #3)
> getty-generator does:
> > r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &getty_auto);
> 
> Opening /proc/1/environ fails with EACCES. According to the code it should
> effectively treat that as "true", but apparently that's not the case?

^ is a bug as well, but a red herring. With strace it's visible that it tries to open /dev/ttyS0 but fails with -EACCES. No denial in audit.log though.
Comment 5 Johannes Segitz 2024-07-15 09:40:04 UTC
please try again with dontaudit rules disabled
semodule -DB
that sounds very much like a candidate
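
Added example (not part of any comment in this report, and not the project's own tooling): a way to review what shows up in the audit log once dontaudit rules are disabled as suggested above, collapsing repeated AVC denials for one command into distinct lines. The function name `avc_summary`, the sample records and the SELinux types in them are constructed placeholders, not the denial behind this bug.

```shell
#!/bin/sh
# Live workflow this helper supports (run as root):
#   semodule -DB      # rebuild policy with dontaudit rules disabled
#   ...reproduce the failure...
#   ausearch -m avc -ts recent | avc_summary systemd-getty-g
#   semodule -B       # rebuild policy, dontaudit rules active again
# The kernel truncates comm to 15 characters, hence "systemd-getty-g".

# avc_summary COMM: read audit records on stdin and print each distinct
# denial for COMM once, as: tclass { perms } scontext -> tcontext (name)
avc_summary() {
    awk -v want="$1" '
    function field(k,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                v = substr($i, length(k) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "-"
    }
    /avc: +denied/ && field("comm") == want {
        perms = $0
        sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
        line = sprintf("%s { %s } %s -> %s (%s)", field("tclass"), perms,
                       field("scontext"), field("tcontext"), field("name"))
        if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Constructed sample records; the SELinux types are placeholders, not the
# types involved in this bug.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1719921229.101:61): avc:  denied  { read write } for  pid=1546 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=88 scontext=system_u:system_r:generator_example_t:s0 tcontext=system_u:object_r:tty_example_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1719921284.207:74): avc:  denied  { read write } for  pid=1575 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=88 scontext=system_u:system_r:generator_example_t:s0 tcontext=system_u:object_r:tty_example_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1719921290.310:75): avc:  denied  { getattr } for  pid=1600 comm="other-tool" path="/etc/example" dev="vda2" ino=12 scontext=system_u:system_r:other_example_t:s0 tcontext=system_u:object_r:etc_example_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | avc_summary systemd-getty-g
```

Leaving dontaudit rules disabled makes the audit log noisy, so the `semodule -B` step at the end of the workflow matters.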
Comment 6 Cathy Hu 2024-07-15 10:04:00 UTC
fabian found the solution, i will queue up an update
Comment 8 Fabian Vogt 2024-07-15 12:18:41 UTC
(In reply to Cathy Hu from comment #7)
> https://build.opensuse.org/request/show/1187549

Works!