SELinux denial when systemd unit tries to log to /dev/tty1

Hi all,

I have upgraded to FCOS 34. I have a systemd service defined via Ignition.
The content of the unit is like below:

        [Unit]
        Description=A service that will take over console for outputing logs
        Requires=network-online.target
        After=network-online.target
        
        [Service]
        ExecStart=/bin/bash "/path/to/script.sh"
        Type=notify
        StandardOutput=tty
        StandardInput=tty
        StandardError=tty
        TTYPath=/dev/tty1
        TTYReset=yes
        TTYVHangup=yes
        RemainAfterExit=no
        TimeoutSec=1200
        NotifyAccess=all

Basically I am trying to dump some logs to the console.

What behaves differently compared to when it ran on FCOS 32 is that I am getting this error when the service starts:

Aug 11 10:20:06 audit[1015]: AVC avc:  denied  { watch } for  pid=1015 comm="(bash)" path="/dev/tty1" dev="devtmpfs" ino=13 scontext=system_u:system_r:init_t:s0 tcontext=syste>
Aug 11 10:20:06 audit[1015]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55c43a0a5c60 a2=18 a3=0 items=0 ppid=1 pid=1015 auid=4294967295 uid=0 gid=0 euid=0 s>
Aug 11 10:20:06 audit: PROCTITLE proctitle="(bash)"
Aug 11 10:20:06 systemd[1015]: my-unit.service: Failed to set up standard input: Permission denied
Aug 11 10:20:06 systemd[1015]: my-unit.service: Failed at step STDIN spawning /bin/bash: Permission denied
Aug 11 10:20:06 systemd[1]: my-unit.service: Main process exited, code=exited, status=208/STDIN

The unit file generated by ignition is:

ls /etc/systemd/system/my-unit.service -lisaZ
3835631 4 -rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 595 Aug 11 10:20 /etc/systemd/system/my-unit.service

Could someone please suggest how to get around this issue?

Thanks!

EDIT 1:
Btw, I disabled the getty@tty1.service as well:

    - path: /etc/systemd/system/getty@tty1.service.d/condition-path.conf
      overwrite: true
      contents:
        inline: |
          # stopping the login prompt unless the path exists
          [Unit]
          ConditionPathExists=/does/not/exit/yet
      mode: 0500

EDIT 2:
The AVC denial is gone after I removed this line: StandardInput=tty. Instead of status=208/STDIN, I am getting the error Failed with result 'protocol'. Maybe I need to focus on fixing that instead.

But still, it would be nice to know the reason behind…
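As an added example (not from the original post, Fedora CoreOS or systemd), a small Python triage helper that parses the AVC records quoted above, including the one journalctl truncated at the terminal width, and reports which domain was denied which permission on which path. The fifth, complete AVC line in the sample and the tty_device_t label it carries are constructed for comparison.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the journal lines from the post (cut at terminal width, hence the trailing ">") plus one hand-written complete AVC line.
SAMPLE_JOURNAL = """\
Aug 11 10:20:06 audit[1015]: AVC avc:  denied  { watch } for  pid=1015 comm="(bash)" path="/dev/tty1" dev="devtmpfs" ino=13 scontext=system_u:system_r:init_t:s0 tcontext=syste>
Aug 11 10:20:06 audit[1015]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=55c43a0a5c60 a2=18 a3=0 items=0 ppid=1 pid=1015 auid=4294967295 uid=0 gid=0 euid=0 s>
Aug 11 10:20:06 audit: PROCTITLE proctitle="(bash)"
Aug 11 10:20:06 systemd[1015]: my-unit.service: Failed to set up standard input: Permission denied
Aug 11 10:20:07 audit[1042]: AVC avc:  denied  { read write } for  pid=1042 comm="bash" path="/dev/tty1" dev="devtmpfs" ino=13 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(r"AVC avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')

@dataclass
class AvcRecord:
    result: str
    perms: list
    fields: dict = field(default_factory=dict)
    truncated: bool = False  # journal line was cut off: fields are incomplete

def parse_avc_line(line):
    """AvcRecord for an AVC journal line, None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    truncated = rest.endswith(">")
    pairs = [(k, v.strip('"')) for k, v in FIELD_RE.findall(rest)]
    if truncated:
        pairs = pairs[:-1]  # last pair may be cut mid-value ('tcontext=syste>'): do not trust it
    return AvcRecord(m.group("result"), m.group("perms").split(), dict(pairs), truncated)

def parse_journal(text):
    return [r for r in map(parse_avc_line, text.splitlines()) if r is not None]

def selinux_type(context):
    """user:role:type:level -> type, or None when the context is missing."""
    return context.split(":")[2] if context and context.count(":") >= 2 else None

def describe(rec):
    """One-line triage summary: which domain lacks which permission on what."""
    src = selinux_type(rec.fields.get("scontext")) or "unknown"
    tgt = selinux_type(rec.fields.get("tcontext"))
    where = f"type {tgt}" if tgt else "target type unknown: line truncated, re-read it with 'ausearch -m AVC'"
    return f"{src} {rec.result} {{ {' '.join(rec.perms)} }} on {rec.fields.get('path', '?')} ({where})"

for rec in parse_journal(SAMPLE_JOURNAL):  # prints a summary per AVC line
    print(describe(rec))
```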