Bug 1389570

Summary:	icecc-scheduler doesn't run
Product:	[Fedora] Fedora	Reporter:	Ralph Giles <giles>
Component:	icecream	Assignee:	Michal Schmidt <mschmidt>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	25	CC:	code, helio, mschmidt
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	icecream-1.1-0.5.rc2.ga79f70f.fc24 icecream-1.1-0.5.rc2.ga79f70f.fc25	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-11-23 03:53:10 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Ralph Giles 2016-10-27 22:33:37 UTC

Description of problem:

The icecream scheduler service cannot be started through systemd

Version-Release number of selected component (if applicable):

icecream-1.0.98i-4.fc25
selinux-policy-3.13.1-220.fc25

How reproducible:

I think this worked immediately after installing from the 25-beta-1.1 live image, but it stopped soon after.

Steps to Reproduce:
1. sudo dnf install icecream
2. sudo systemctl enable iceccd
3. sudo systemctl enable icecc-scheduler

Actual results:

$ systemctl status icecc-scheduler
● icecc-scheduler.service - Icecream distributed compiler scheduler
   Loaded: loaded (/usr/lib/systemd/system/icecc-scheduler.service; enabled; vendor preset: disabled)
   Active: failed (Result: signal) since Thu 2016-10-27 15:01:18 PDT; 26min ago
  Process: 4053 ExecStart=/usr/libexec/icecc/icecc-scheduler-wrapper (code=killed, signal=SEGV)
 Main PID: 4053 (code=killed, signal=SEGV)

Oct 27 15:01:18 nanger systemd[1]: Started Icecream distributed compiler scheduler.
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Main process exited, code=killed, status=11/SEGV
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Unit entered failed state.
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Failed with result 'signal'.

At the same time, I got an selinux denial notice about icecc-scheduler wanting to execute /bin/bash.

Expected results:

Systemd should be able to start the service and it should accept jobs.

Additional info:

Comment 1 Michal Schmidt 2016-11-03 12:44:23 UTC

The SELinux denial is:

avc:  denied  { execute } for  pid=787 comm="icecc-scheduler" path="/usr/bin/bash" dev="vda1" ino=2358 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

This happens with kernel >= 4.8. I found this commit by git bisection:

  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
  Author: Linus Torvalds <torvalds>
  Date:   Mon Aug 22 16:41:46 2016 -0700

      binfmt_elf: switch to new creds when switching to new mm

Before this commit SELinux did not need to allow icecc_scheduler_t to mmap shell_exec_t for execution, because the credentials of the process changed to icecc_scheduler_t only after mapping the ELF file (/usr/bin/bash).

The SIGSEGV appears probably because when the SELinux denial causes elf_map() to fail, the execing has progressed beyond the point of no return. The error path there should better kill the process with SIGKILL.

I'll adjust the SELinux policy for icecream. And I'll look into the error path in the kernel too.

Comment 2 Ralph Giles 2016-11-03 15:50:43 UTC

Thanks for the tidy analysis!

Comment 3 Daniel 2016-11-04 09:49:03 UTC

My report #1391871 for Fedora 24 isn’t an exact duplicate, is it?

Comment 4 Michal Schmidt 2016-11-04 11:06:27 UTC

No, it is different.

Comment 5 Daniel 2016-11-06 23:22:53 UTC

*** Bug 1392250 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2016-11-08 12:43:26 UTC

icecream-1.1-0.3.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

Comment 7 Fedora Update System 2016-11-08 12:44:33 UTC

icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

Comment 8 Fedora Update System 2016-11-09 02:27:03 UTC

icecream-1.1-0.3.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

Comment 9 Fedora Update System 2016-11-10 04:58:18 UTC

icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

Comment 10 Fedora Update System 2016-11-14 15:23:37 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

Comment 11 Fedora Update System 2016-11-14 15:25:01 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

Comment 12 Ralph Giles 2016-11-14 20:51:49 UTC

This version works for me. Thanks!

Comment 13 Fedora Update System 2016-11-15 02:29:24 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

Comment 14 Fedora Update System 2016-11-15 13:26:02 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

Comment 15 Fedora Update System 2016-11-23 03:53:10 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-11-23 18:52:35 UTC

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.