fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

ras-mc-ctl.service does not start when Enforcing #2054

Open im-0 opened 4 months ago

im-0 commented 4 months ago

There is a weird issue with ras-mc-ctl.service (part of the rasdaemon package) on Fedora. In the Enforcing mode it just fails to start without any log entries in the audit.log:

# systemctl status ras-mc-ctl.service
× ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware
         Loaded: loaded (/usr/lib/systemd/system/ras-mc-ctl.service; enabled; preset: disabled)
        Drop-In: /usr/lib/systemd/system/service.d
                         └─10-timeout-abort.conf
         Active: failed (Result: exit-code) since Sat 2024-03-02 12:12:11 +05; 1s ago
   Duration: 16min 7.651s
        Process: 19995 ExecStart=/usr/sbin/ras-mc-ctl --register-labels (code=exited, status=1/FAILURE)
   Main PID: 19995 (code=exited, status=1/FAILURE)
                CPU: 28ms

Mar 02 12:12:11 im-desktop.local systemd[1]: Starting ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware...
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Main process exited, code=exited, status=1/FAILURE
Mar 02 12:12:11 im-desktop.local systemd[1]: ras-mc-ctl.service: Failed with result 'exit-code'.
Mar 02 12:12:11 im-desktop.local systemd[1]: Failed to start ras-mc-ctl.service - Initialize EDAC v3.0.0 Drivers For Machine Hardware.

In the Permissive mode it works just fine and I see the following in the audit.log:

type=AVC msg=audit(1709359272.102:3163): avc:  denied  { write } for  pid=15841 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=53742 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

I tried to fix the denied write: https://github.com/im-0/selinux-policy/commit/6a707410e96e0d3aa9cb693cb2c2f4b5e3864af8. But it does not help. As if SELinux just silently prevents ras-mc-ctl from starting.

Any idea on why this happens and how to debug this?

By the way, I am not the only one facing this issue:

As a temporary workaround I just replaced the service's ExecStart with /usr/bin/perl /usr/sbin/ras-mc-ctl --register-labels. I suppose it works because there are no specific SELinux rules for perl and everything is simply allowed. Ah yes, this tool is a Perl script, if it matters.
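The question above ("how to debug this?") describes the classic shape of a denial hidden by a dontaudit rule: the service fails under Enforcing, but nothing reaches audit.log because the policy explicitly suppresses the record. The standard check is to rebuild the loaded policy with dontaudit rules dropped (`semodule -DB`), reproduce the failure, read the AVC that now appears, and re-enable the rules (`semodule -B`). The script below is an added example and is not code from the issue, from rasdaemon or from the selinux-policy project; it assumes root on a host with SELinux, policycoreutils (`semodule`) and audit (`ausearch`). The sample AVC line and the service name are taken from the report; the field parsing and the function names are this example's own.

```shell
#!/bin/sh
# Added example for the report above; not code from the issue, rasdaemon or
# selinux-policy. A confined service fails under Enforcing but audit.log shows
# no AVC. The usual cause is a dontaudit rule suppressing the record:
# "semodule -DB" rebuilds the loaded policy with every dontaudit rule dropped
# so the denial is logged, and "semodule -B" puts the rules back afterwards.
#
# Assumptions: reveal_hidden_denials needs root, SELinux, semodule and
# ausearch. Only the sample AVC and the service name come from the report.

# avc_summary LINE
# Reduce one raw AVC record to "<source type> <target type> <class> <perms>".
# Returns 1 for lines that are not AVC denials.
avc_summary() {
    _line=$1
    _perms=$(printf '%s\n' "$_line" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    [ -n "$_perms" ] || return 1
    # Third field of a context (user:role:TYPE:level) is the type.
    _src=$(printf '%s\n' "$_line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _tgt=$(printf '%s\n' "$_line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _cls=$(printf '%s\n' "$_line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$_src" ] && [ -n "$_tgt" ] && [ -n "$_cls" ] || return 1
    printf '%s %s %s %s\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# avc_to_rule LINE
# The allow rule the record corresponds to, in the form audit2allow prints.
# Read it to understand the denial; do not load it as-is. The denied write in
# the report targets a generic sysfs_t file, and the proper fix is a specific
# label or policy interface, not letting rasdaemon_t write all of sysfs.
avc_to_rule() {
    _summary=$(avc_summary "$1") || return 1
    set -- $_summary
    _src=$1; _tgt=$2; _cls=$3; shift 3
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$*"
}

# reveal_hidden_denials SERVICE
# Expose dontaudit'ed denials, reproduce the failure, print one deduplicated
# rule per denial seen in the last few minutes, then restore the policy.
# SELINUX_ERR is included because a failed domain transition is logged there
# rather than as an AVC.
reveal_hidden_denials() {
    _svc=$1
    [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
    semodule -DB || return 1                      # drop dontaudit rules
    systemctl restart "$_svc" || true             # reproduce; failure expected
    ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent 2>/dev/null | grep 'denied' |
        while IFS= read -r _l; do avc_to_rule "$_l"; done | sort -u
    semodule -B                                   # re-enable dontaudit rules
}

# The AVC captured in Permissive mode in the report above.
SAMPLE_AVC='type=AVC msg=audit(1709359272.102:3163): avc:  denied  { write } for  pid=15841 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=53742 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1'

avc_to_rule "$SAMPLE_AVC"          # allow rasdaemon_t sysfs_t:file { write };
# Live check on the service from the report (as root):
#   reveal_hidden_denials ras-mc-ctl.service
```

If nothing appears even with dontaudit rules disabled, the failure is not a suppressed AVC: look at the service's own exit path (the Perl script exiting 1 for a reason of its own) or at non-AVC records such as SELINUX_ERR before touching the policy. Whatever `avc_to_rule` prints is the denial stated in policy terms, which is the right input for reading the existing rasdaemon policy, not a rule to `semodule -i` straight away.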

im-0 commented 4 months ago

I was able to figure out what is going on. Please see https://github.com/fedora-selinux/selinux-policy/pull/2055 and https://github.com/mchehab/rasdaemon/pull/148