Bug
Resolution: Unresolved
Minor
rhel-9.6
Moderate
rhel-security-selinux
ssg_security
What were you trying to do that didn't work?
Run `systemd-run --pipe` from a serial console.
What is the impact of this issue to you?
See the upstream bug https://github.com/coreos/bootupd/issues/902. We will probably change upstream to use `--tty` in the future.
Please provide the package NVR for which the bug is seen:
```
[core@localhost ~]$ rpm -q systemd selinux-policy
systemd-252-51.el9.x86_64
selinux-policy-38.1.53-4.el9_6.noarch
```
I don't ever see any denials in the logs and `semanage dontaudit off` doesn't seem to make anything appear in the logs.
How reproducible is this bug?:
Steps to reproduce
1. log in via serial console
2. run `sudo env SYSTEMD_LOG_LEVEL=debug systemd-run --pipe echo "success"`
Expected results
The command runs.
Actual results
```
localhost login: core
Password:
Red Hat Enterprise Linux CoreOS 419.96.202504090041-0
Part of OpenShift 4.19, RHCOS is a Kubernetes-native operating system
managed by the Machine Config Operator (`clusteroperator/machine-config`).
WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via `machineconfig` objects:
https://docs.openshift.com/container-platform/4.19/architecture/architecture-rhcos.html
---
[core@localhost ~]$
[core@localhost ~]$ loginctl list-sessions
SESSION  UID USER SEAT TTY   STATE  IDLE SINCE
      1 1000 core      ttyS0 active no
1 sessions listed.
[core@localhost ~]$ sudo journalctl -f --lines=0 &
[1] 1970
sudo env SYSTEMD_LOG_LEVEL=debug systemd-run --pipe echo "success"
Bus n/a: changing state UNSET → OPENINGG_LEVEL=debug systemd-run --pipe echo "success"
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.15 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartTransientUnit cookie=2 reply_cookie=0 signature=ssa(sv)a(sa(sv)) error-name=n/a error-message=n/a
Bus n/a: changing state RUNNING → CLOSING
Failed to start transient service unit: Connection reset by peer
Bus n/a: changing state CLOSING → CLOSED
[core@localhost ~]$ Apr 11 12:35:23 localhost.localdomain sudo[1973]: core : TTY=ttyS0 ; PWD=/var/home/core ; USER=root ; COMMAND=/bin/env SYSTEMD_LOG_LEVEL=debug systemd-run --pipe echo success
Apr 11 12:35:23 localhost.localdomain sudo[1973]: pam_unix(sudo:session): session opened for user root(uid=0) by core(uid=1000)
Apr 11 12:35:23 localhost.localdomain sudo[1973]: pam_unix(sudo:session): session closed for user root
[core@localhost ~]$ rpm -q systemd selinux-policy
systemd-252-51.el9.x86_64
selinux-policy-38.1.53-4.el9_6.noarch
```
If I set SELinux to permissive it works:
```
[core@localhost ~]$ sudo setenforce 0
[core@localhost ~]$ Apr 11 12:39:44 localhost.localdomain sudo[1984]: core : TTY=ttyS0 ; PWD=/var/home/core ; USER=root ; COMMAND=/sbin/setenforce 0
Apr 11 12:39:44 localhost.localdomain sudo[1984]: pam_unix(sudo:session): session opened for user root(uid=0) by core(uid=1000)
Apr 11 12:39:44 localhost.localdomain sudo[1984]: pam_unix(sudo:session): session closed for user root
[core@localhost ~]$ sudo env SYSTEMD_LOG_LEVEL=debug systemd-run --pipe echo "success"
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.18 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartTransientUnit cookie=2 reply_cookie=0 signature=ssa(sv)a(sa(sv)) error-name=n/a error-message=n/a
Got message type=method_return sender=:1.0 destination=:1.18 path=n/a interface=n/a member=n/a cookie=437 reply_cookie=2 signature=o error-name=n/a error-message=n/a
Running as unit: run-u18.service
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=3 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/run_2du18_2eservice interface=org.freedesktop.DBus.Properties member=GetAll cookie=4 reply_cookie=0 signature=s error-name=n/a error-message=n/a
success
Got message type=method_return sender=:1.0 destination=:1.18 path=n/a interface=n/a member=n/a cookie=453 reply_cookie=4 signature=a{sv} error-name=n/a error-message=n/a
Got message type=signal sender=org.freedesktop.DBus destination=:1.18 path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=4294967295 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.18 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=3 signature= error-name=n/a error-message=n/a
Match type='signal',sender='org.freedesktop.systemd1',path='/org/freedesktop/systemd1/unit/run_2du18_2eservice',interface='org.freedesktop.DBus.Properties',member='PropertiesChanged' successfully installed.
Got message type=signal sender=:1.0 destination=n/a path=/org/freedesktop/systemd1/unit/run_2du18_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=444 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/run_2du18_2eservice interface=org.freedesktop.DBus.Properties member=GetAll cookie=5 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Got message type=method_return sender=:1.0 destination=:1.18 path=n/a interface=n/a member=n/a cookie=457 reply_cookie=5 signature=a{sv} error-name=n/a error-message=n/a
Bus n/a: changing state RUNNING → CLOSED
[core@localhost ~]$ Apr 11 12:39:49 localhost.localdomain sudo[1987]: core : TTY=ttyS0 ; PWD=/var/home/core ; USER=root ; COMMAND=/bin/env SYSTEMD_LOG_LEVEL=debug systemd-run --pipe echo success
Apr 11 12:39:49 localhost.localdomain dbus-broker-launch[1627]: avc: op=setenforce lsm=selinux enforcing=0 res=1
Apr 11 12:39:49 localhost.localdomain sudo[1987]: pam_unix(sudo:session): session opened for user root(uid=0) by core(uid=1000)
Apr 11 12:39:49 localhost.localdomain systemd[1]: Started /bin/echo success.
Apr 11 12:39:49 localhost.localdomain systemd[1]: run-u18.service: Deactivated successfully.
Apr 11 12:39:49 localhost.localdomain sudo[1987]: pam_unix(sudo:session): session closed for user root
```
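A triage aid for comparing the two `SYSTEMD_LOG_LEVEL=debug` traces above, added here as an example and not part of the original report: it pairs each sent D-Bus method call with the reply that carries its cookie in `reply_cookie` and lists the calls that never got an answer. The function name `unanswered_calls` is hypothetical, and the sample lines are abridged copies of the traces above with the `path`, `interface`, `signature` and `error-*` fields dropped.

```python
import re

# sd-bus debug lines have the form:
#   Sent message type=method_call ... member=Hello cookie=1 reply_cookie=0 ...
#   Got message type=method_return ... member=n/a cookie=N reply_cookie=1 ...
MSG_RE = re.compile(
    r"^(?P<dir>Sent|Got) message type=(?P<type>\S+) .*?"
    r"member=(?P<member>\S+) cookie=(?P<cookie>\d+) reply_cookie=(?P<reply>\d+)"
)

def unanswered_calls(trace):
    """Return sorted (cookie, member) pairs for sent method calls with no reply."""
    pending = {}
    for line in trace.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # state changes, command output, journal lines
        if m["dir"] == "Sent" and m["type"] == "method_call":
            pending[int(m["cookie"])] = m["member"]
        elif m["dir"] == "Got" and m["type"] in ("method_return", "error"):
            # A reply names the call it answers in reply_cookie.
            pending.pop(int(m["reply"]), None)
    return sorted(pending.items())

# Abridged from the enforcing-mode trace in the report.
ENFORCING = """
Sent message type=method_call destination=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0
Got message type=method_return destination=:1.15 member=n/a cookie=4294967295 reply_cookie=1
Sent message type=method_call destination=org.freedesktop.systemd1 member=StartTransientUnit cookie=2 reply_cookie=0
Bus n/a: changing state RUNNING → CLOSING
Failed to start transient service unit: Connection reset by peer
"""

# Abridged from the permissive-mode trace in the report.
PERMISSIVE = """
Sent message type=method_call destination=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0
Got message type=method_return destination=:1.18 member=n/a cookie=4294967295 reply_cookie=1
Sent message type=method_call destination=org.freedesktop.systemd1 member=StartTransientUnit cookie=2 reply_cookie=0
Got message type=method_return destination=:1.18 member=n/a cookie=437 reply_cookie=2
Sent message type=method_call destination=org.freedesktop.DBus member=AddMatch cookie=3 reply_cookie=0
Got message type=signal destination=:1.18 member=NameAcquired cookie=4294967295 reply_cookie=0
Got message type=method_return destination=:1.18 member=n/a cookie=4294967295 reply_cookie=3
"""

if __name__ == "__main__":
    print("enforcing :", unanswered_calls(ENFORCING))
    print("permissive:", unanswered_calls(PERMISSIVE))
```

On these samples the enforcing run leaves `StartTransientUnit` (cookie 2) unanswered before the connection closes, while the permissive run answers every call.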