Created attachment 1194295 [details]
sealert to: SELinux is preventing openipmi-helper from execute access on the file grep.
Created attachment 1194296 [details]
Output of "ausearch -c openipmi-helper" after starting ipmi.service has failed
Created attachment 1194297 [details]
Output of "ausearch -c openipmi-helper" after starting ipmi.service was started successful because of SELinux in permissive mode
Created attachment 1194300 [details]
Output of "ausearch -c modprobe"
I could fix the problem with a new SELinux-Module (my-fixipmi.te):
---
module my-fixipmi 1.0;
require {
type ipmievd_t;
type watchdog_device_t;
class capability sys_module;
class chr_file getattr;
}
#============= ipmievd_t ==============
allow ipmievd_t self:capability sys_module;
allow ipmievd_t watchdog_device_t:chr_file getattr;
---
You can create the .pp file with:
checkmodule -M -m my-fixipmi.te -o my-fixipmi.mod
semodule_package -m my-fixipmi.mod -o my-fixipmi.pp
and then install it with:
semodule -i my-fixipmi.pp
It fixed the problem for me, ipmi.service starts now and loads the necessary kernel modules.
JM
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The problem seems to be solved in Fedora26. I don't see error messages in journal after ipmi was started. |
Created attachment 1194294 [details] Last lines of output of "journalctl -e -u ipmi.service" after starting ipmi.service has failed Description of problem: ipmitool does not run with open interface because ipmi* kernel drives are not loaded. Trying to load them using "systemctl start ipmi.service" fails with errors. It seems these are SELinux errors. When I temporary set SELinux in permissive mode, then these commands succeed. # ipmitool lan print Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory # LANG=C systemctl start ipmi.service Job for ipmi.service failed because the control process exited with error code. See "systemctl status ipmi.service" and "journalctl -xe" for details. # LANG=C systemctl status ipmi.service * ipmi.service - IPMI Driver Loaded: loaded (/usr/lib/systemd/system/ipmi.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Fri 2016-08-26 11:58:58 CEST; 13s ago Process: 16383 ExecStart=/usr/libexec/openipmi-helper start (code=exited, status=3) Main PID: 16383 (code=exited, status=3) Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: /usr/libexec/openipmi-helper: Zeile 91: /sbin/lsmod: Permission denied Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: /usr/libexec/openipmi-helper: Zeile 269: lsmod: Kommando nicht gefunden. Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: /usr/libexec/openipmi-helper: Zeile 269: /usr/bin/grep: Permission denied Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: /usr/libexec/openipmi-helper: Zeile 269: [: -eq: Einstelliger (un<C3><A4>rer) Operator erwartet. Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: /usr/libexec/openipmi-helper: Zeile 91: /sbin/lsmod: Permission denied Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de openipmi-helper[16383]: Startup failed. Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de systemd[1]: ipmi.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de systemd[1]: Failed to start IPMI Driver. Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de systemd[1]: ipmi.service: Unit entered failed state. Aug 26 11:58:58 sumpfweihe.ims.uni-stuttgart.de systemd[1]: ipmi.service: Failed with result 'exit-code'. Version-Release number of selected component (if applicable): kernel-4.6.7-300.fc24.x86_64 selinux-policy-targeted-3.13.1-191.12.fc24.noarch ipmitool-1.8.17-1.fc24.x86_64 How reproducible: Always Steps to Reproduce: 1. Reboot 2. Run "systemctl start ipmi.service" 3. Check error messages in journal and audit log.