
Two util-linux denials on Fedora Rawhide #2227

Open

DaanDeMeyer opened this issue Jul 11, 2024 · 8 comments

Comments

@DaanDeMeyer
Contributor

DaanDeMeyer commented Jul 11, 2024

Jul 11 11:22:51 localhost audit[585]: AVC avc:  denied  { read } for  pid=585 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass>
Jul 11 11:22:51 localhost audit[585]: AVC avc:  denied  { open } for  pid=585 comm="agetty" path="/run/credentials/[email protected]/agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext>
Jul 11 11:22:51 localhost audit[584]: AVC avc:  denied  { read } for  pid=584 comm="login" name="login.noauth" dev="tmpfs" ino=3 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclas>
Jul 11 11:22:51 localhost audit[585]: AVC avc:  denied  { open } for  pid=585 comm="login" path="/run/credentials/[email protected]/login.noauth" dev="tmpfs" ino=3 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontex>

In the latest util-linux release, agetty and login will read systemd credentials to allow configuring their behavior. Reading the credentials should be allowed by the policy.

To reproduce:

git clone https://github.com/systemd/mkosi
cd mkosi
sudo bin/mkosi -d fedora -r rawhide -p selinux-policy-targeted --selinux-relabel=yes -t disk --tools-tree -f qemu
journalctl -g AVC
@zpytela
Contributor

zpytela commented Jul 17, 2024

@DaanDeMeyer The logs are trimmed. It would be even more helpful if there were audit logs with full auditing enabled. The above reproducer seems not to be complete, so I cannot investigate further.
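To separate complete AVC records from ones that journalctl cut at the terminal width, and to group what remains by source type, target type, object class and permission, here is an added example that is not part of this issue or of selinux-policy; the sample records are constructed from the lines quoted above:

```python
import re
from collections import defaultdict

# Constructed sample: two records as they appear in the issue (one cut off
# after "tclass", one complete) plus one trimmed login record.
SAMPLE_LOG = """\
Jul 11 11:22:51 localhost audit[585]: AVC avc:  denied  { read } for  pid=585 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass>
Jul 17 22:28:09 localhost audit[581]: AVC avc:  denied  { read } for  pid=581 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Jul 11 11:22:51 localhost audit[584]: AVC avc:  denied  { read } for  pid=584 comm="login" name="login.noauth" dev="tmpfs" ino=3 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclas>
"""

AVC_RE = re.compile(r"AVC avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the record's key=value fields, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    # A full AVC record ends with tclass=... permissive=N; if either is missing
    # the line was trimmed and cannot be used to derive a policy rule.
    rec["truncated"] = "tclass" not in rec or "permissive" not in rec
    return rec

def summarize(log_text):
    """Group complete denials by (source type, target type, class, permission)."""
    summary, truncated = defaultdict(set), 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["truncated"]:
            truncated += 1
            continue
        stype = rec["scontext"].split(":")[2]   # e.g. getty_t
        ttype = rec["tcontext"].split(":")[2]   # e.g. init_var_run_t
        for perm in rec["perms"]:
            summary[(stype, ttype, rec["tclass"], perm)].add(rec["comm"])
    return dict(summary), truncated

if __name__ == "__main__":
    groups, trimmed = summarize(SAMPLE_LOG)
    print(f"{trimmed} trimmed record(s) skipped")
    for (stype, ttype, tclass, perm), comms in groups.items():
        print(f"{stype} -> {ttype} ({tclass}: {perm}) seen from {sorted(comms)}")
```

Feed it `journalctl -g AVC --no-pager -o cat` output instead of the sample to get the same grouping for a live system; records flagged as trimmed are exactly the ones the maintainer asked to have re-collected in full.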

@DaanDeMeyer
Contributor Author

@zpytela Apologies, these are the non-truncated logs, though not with full auditing enabled; I need to work on getting that enabled:

Jul 17 22:28:09 localhost audit[581]: AVC avc:  denied  { read } for  pid=581 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Jul 17 22:28:09 localhost audit[580]: AVC avc:  denied  { read } for  pid=580 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=3 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0

@zpytela
Contributor

zpytela commented Jul 17, 2024

np, but can you add a functional reproducer or additional information - what path is the agetty.autologin file and which service creates it?

edit:
now I see it's /run/credentials/[email protected]/agetty.autologin and /run/credentials/[email protected]/login.noauth
a reproducer would really be helpful

@DaanDeMeyer
Contributor Author

> np, but can you add a functional reproducer or additional information - what path is the agetty.autologin file and which service creates it?
>
> edit:
> now I see it's /run/credentials/[email protected]/agetty.autologin and /run/credentials/[email protected]/login.noauth
> a reproducer would really be helpful

The mkosi reproducer is not sufficient? I have some local logic that allows building and installing new selinux-policy rpms from source into the mkosi image if that makes life easier. Though it's awfully slow because the spec calls make clean all over the place.

@zpytela
Contributor

zpytela commented Jul 18, 2024

In the selinux-policy specfile I see make clean once in the install phase, which imho is correct.

@DaanDeMeyer
Contributor Author

> In the selinux-policy specfile I see make clean once in the install phase, which imho is correct.

It probably is, but it does make incremental builds using rpmbuild --build-in-place impossible, so one has to wait a very long time between builds.

@DaanDeMeyer
Contributor Author

@zpytela Anything I can do to make debugging this easier for you?

@zpytela
Contributor

zpytela commented Jul 26, 2024

Yes, a simple reproducer. mkosi did not work for me for some reason. I'll give it another go.
