When SELinux is enabled, ras-mc-ctl.service fails to be started #79

Closed
xiaoge1001 opened this issue Dec 6, 2022 · 3 comments · May be fixed by fedora-selinux/selinux-policy#2055

@xiaoge1001

Reproduction procedure:

dnf install -y rasdaemon
setenforce 1
systemctl start ras-mc-ctl.service
systemctl status ras-mc-ctl.service

This problem occurs on my machine, but I don't get any valuable error output. Why does the service fail to start?

@xiaoge1001
Author

I don't know why. I temporarily use the following method to avoid it. Is this right? What's the risk?

https://gitee.com/src-openeuler/rasdaemon/blob/c2d3dc48710e7958919ad8166123a39c0332f1cc/fix-ras-mc-ctl.service-startup-failed-when-selinux-is-no.patch

@mchehab
Owner

mchehab commented Jan 21, 2023

It seems to be a distro-specific issue. Perhaps some permissions are missing for rasdaemon in the SELinux policies.

im-0 added a commit to im-0/selinux-policy that referenced this issue Mar 2, 2024
ras-mc-ctl.service fails to start when in Enforcing mode:

	# systemctl status ras-mc-ctl.service
	× ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware
		 Loaded: loaded (/usr/lib/systemd/system/ras-mc-ctl.service; enabled; preset: disabled)
		Drop-In: /usr/lib/systemd/system/service.d
				 └─10-timeout-abort.conf
		 Active: failed (Result: exit-code) since Sat 2024-03-02 12:12:11 +05; 1s ago
	   Duration: 16min 7.651s
		Process: 19995 ExecStart=/usr/sbin/ras-mc-ctl --register-labels (code=exited, status=1/FAILURE)
	   Main PID: 19995 (code=exited, status=1/FAILURE)
			CPU: 28ms

	Mar 02 12:12:11 im-desktop.local systemd[1]: Starting ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware...
	Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Main process exited, code=exited, status=1/FAILURE
	Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Failed with result 'exit-code'.
	Mar 02 12:12:11 im-desktop.local systemd[1]: Failed to start ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware.

audit.log shows the following error when in Permissive mode:

	type=AVC msg=audit(1709359272.102:3163): avc:  denied  { write } for  pid=15841 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=53742 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Resolves: rhbz#1836861
Resolves: mchehab/rasdaemon#79
Signed-off-by: Ivan Mironov <[email protected]>
im-0 added a commit to im-0/selinux-policy that referenced this issue Mar 3, 2024
ras-mc-ctl.service fails to start when in Enforcing mode:

	# systemctl status ras-mc-ctl.service
	× ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware
		 Loaded: loaded (/usr/lib/systemd/system/ras-mc-ctl.service; enabled; preset: disabled)
		Drop-In: /usr/lib/systemd/system/service.d
				 └─10-timeout-abort.conf
		 Active: failed (Result: exit-code) since Sat 2024-03-02 12:12:11 +05; 1s ago
	   Duration: 16min 7.651s
		Process: 19995 ExecStart=/usr/sbin/ras-mc-ctl --register-labels (code=exited, status=1/FAILURE)
	   Main PID: 19995 (code=exited, status=1/FAILURE)
			CPU: 28ms

	Mar 02 12:12:11 im-desktop.local systemd[1]: Starting ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware...
	Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Main process exited, code=exited, status=1/FAILURE
	Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Failed with result 'exit-code'.
	Mar 02 12:12:11 im-desktop.local systemd[1]: Failed to start ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware.

audit.log shows the following error when in Permissive mode:

	type=AVC msg=audit(1709359272.102:3163): avc:  denied  { write } for  pid=15841 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=53742 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Those are two separate problems:

1) `modutils_dontaudit_exec_kmod(rasdaemon_t)` prevents ras-mc-ctl from
   finding modprobe binary at https://github.com/mchehab/rasdaemon/blob/v0.8.0/util/ras-mc-ctl.in#L42
   It also suppresses all audit events about this.

2) There is no write access for /sys/. It is required to write DIMM
   labels in /sys/devices/system/edac/mc/.

Resolves: rhbz#1836861
Resolves: fedora-selinux#2054
Resolves: mchehab/rasdaemon#79
Signed-off-by: Ivan Mironov <[email protected]>
im-0 added a commit to im-0/rasdaemon that referenced this issue Mar 3, 2024
It is not used and prevents ras-mc-ctl.service from starting on Fedora
when SELinux is in Enforcing mode.

Resolves: rhbz#1836861
Resolves: fedora-selinux/selinux-policy#2054
Resolves: mchehab#79
Signed-off-by: Ivan Mironov <[email protected]>
@im-0
Contributor

im-0 commented Mar 3, 2024

I was able to figure out what is going on. Please see fedora-selinux/selinux-policy#2055 and #148
