ras-mc-ctl.service does not start when Enforcing #2054
im-0 added a commit to im-0/selinux-policy that referenced this issue Mar 3, 2024
ras-mc-ctl.service fails to start when in Enforcing mode:

```
# systemctl status ras-mc-ctl.service
× ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware
     Loaded: loaded (/usr/lib/systemd/system/ras-mc-ctl.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Sat 2024-03-02 12:12:11 +05; 1s ago
   Duration: 16min 7.651s
    Process: 19995 ExecStart=/usr/sbin/ras-mc-ctl --register-labels (code=exited, status=1/FAILURE)
   Main PID: 19995 (code=exited, status=1/FAILURE)
        CPU: 28ms

Mar 02 12:12:11 im-desktop.local systemd[1]: Starting ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware...
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Main process exited, code=exited, status=1/FAILURE
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Failed with result 'exit-code'.
Mar 02 12:12:11 im-desktop.local systemd[1]: Failed to start ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware.
```

audit.log shows following error when in Permissive mode:

```
type=AVC msg=audit(1709359272.102:3163): avc: denied { write } for pid=15841 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=53742 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
```

Those are two separate problems:

1) `modutils_dontaudit_exec_kmod(rasdaemon_t)` prevents ras-mc-ctl from finding modprobe binary at https://github.com/mchehab/rasdaemon/blob/v0.8.0/util/ras-mc-ctl.in#L42
   It also suppresses all audit events about this.

2) There is no write access for /sys/. It is required to write DIMM labels in /sys/devices/system/edac/mc/.

Resolves: rhbz#1836861
Resolves: fedora-selinux#2054
Resolves: mchehab/rasdaemon#79
Signed-off-by: Ivan Mironov <[email protected]>
im-0 added a commit to im-0/rasdaemon that referenced this issue Mar 3, 2024
It is not used and prevents ras-mc-ctl.service from starting on Fedora when SELinux is in Enforcing mode.

Resolves: rhbz#1836861
Resolves: fedora-selinux/selinux-policy#2054
Resolves: mchehab#79
Signed-off-by: Ivan Mironov <[email protected]>
I was able to figure out what is going on. Please see #2055 and mchehab/rasdaemon#148
mchehab pushed a commit to mchehab/rasdaemon that referenced this issue Jun 11, 2024
It is not used and prevents ras-mc-ctl.service from starting on Fedora when SELinux is in Enforcing mode.

Resolves: rhbz#1836861
Resolves: fedora-selinux/selinux-policy#2054
Resolves: #79
Signed-off-by: Ivan Mironov <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
There is a weird issue with ras-mc-ctl.service (part of the rasdaemon package) on Fedora. In the Enforcing mode it just fails to start without any log entries in the audit.log:
In the Permissive mode it works just fine and I see the following in the audit.log:
I tried to fix the denied write: im-0@6a70741. But it does not help. As if SELinux just silently prevents ras-mc-ctl from starting.
Any idea on why this happens and how to debug this?
By the way, I am not the only one facing this issue:
As a temporary workaround I just replaced the service's ExecStart with `/usr/bin/perl /usr/sbin/ras-mc-ctl --register-labels`. I suppose it works because there are no specific SELinux rules for perl and everything is simply allowed. Ah yes, this tool is a perl script if it matters.