Dear Maintainer,
On a fresh bookworm installation, I have enabled SELinux following [1]. I enabled
enforcing mode, and tried to log in at the console tty (tty1, tty2, and tty6).
journalctl -f shows an authentication error.
Moreover, audit2why -al indicated that agetty was being denied when trying to
use checkpoint_restore. I used audit2allow -m local to create a policy and
then compile and load it. This eliminated the SELinux denial audit event, but
did not change the overall behavior: I cannot log in as root at any tty.
I can, however, log in as a regular user, and use su to elevate to root privileges,
though. Creating a /etc/securetty file with tty0-tty6 and console does not
change the situation. I've tried relabeling the filesystem several times.
The remaining audit2why -al all seem innocuous:
NetworkManager, run-parts, utmp, apcupds, ModemManager, wall
The only possibly suspect one is comm="(spawn)" accessing files under /proc
(scontext=system_u:system_r:udev_t:s0), though I would think that's not
a problem.
I'm at a loss for what could be different between enforcing and permissive
mode, and I'm not even sure what logs to look at.
Best,
Antonio
[1] https://wiki.debian.org/SELinux/Setup