There is a weird issue with ras-mc-ctl.service (part of the rasdaemon package) on Fedora. In the Enforcing mode it just fails to start without any log entries in the audit.log:
# systemctl status ras-mc-ctl.service
× ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware
Loaded: loaded (/usr/lib/systemd/system/ras-mc-ctl.service; enabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: failed (Result: exit-code) since Sat 2024-03-02 12:12:11 +05; 1s ago
Duration: 16min 7.651s
Process: 19995 ExecStart=/usr/sbin/ras-mc-ctl --register-labels (code=exited, status=1/FAILURE)
Main PID: 19995 (code=exited, status=1/FAILURE)
CPU: 28ms
Mar 02 12:12:11 im-desktop.local systemd[1]: Starting ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware...
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Main process exited, code=exited, status=1/FAILURE
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Failed with result 'exit-code'.
Mar 02 12:12:11 im-desktop.local systemd[1]: Failed to start ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware.
In the Permissive mode it works just fine and I see the following in the audit.log:
I tried to fix the denied write: https://github.com/im-0/selinux-policy/commit/6a707410e96e0d3aa9cb693cb2c2f4b5e3864af8. But it does not help. As if SELinux just silently prevents ras-mc-ctl from starting.
Any idea on why this happens and how to debug this?
By the way, I am not the only one facing this issue:
As a temporary workaround I just replaced the service's ExecStart with /usr/bin/perl /usr/sbin/ras-mc-ctl --register-labels. I suppose it works because there are no specific SELinux rules for perl and everything is simply allowed. Ah yes, this tool is a Perl script, if it matters.