Description of problem:
The icecream scheduler service cannot be started through systemd

Version-Release number of selected component (if applicable):
icecream-1.0.98i-4.fc25
selinux-policy-3.13.1-220.fc25

How reproducible:
I think this worked immediately after installing from the 25-beta-1.1 live image, but it stopped soon after.

Steps to Reproduce:
1. sudo dnf install icecream
2. sudo systemctl enable iceccd
3. sudo systemctl enable icecc-scheduler

Actual results:
$ systemctl status icecc-scheduler
● icecc-scheduler.service - Icecream distributed compiler scheduler
   Loaded: loaded (/usr/lib/systemd/system/icecc-scheduler.service; enabled; vendor preset: disabled)
   Active: failed (Result: signal) since Thu 2016-10-27 15:01:18 PDT; 26min ago
  Process: 4053 ExecStart=/usr/libexec/icecc/icecc-scheduler-wrapper (code=killed, signal=SEGV)
 Main PID: 4053 (code=killed, signal=SEGV)

Oct 27 15:01:18 nanger systemd[1]: Started Icecream distributed compiler scheduler.
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Main process exited, code=killed, status=11/SEGV
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Unit entered failed state.
Oct 27 15:01:18 nanger systemd[1]: icecc-scheduler.service: Failed with result 'signal'.

At the same time, I got an selinux denial notice about icecc-scheduler wanting to execute /bin/bash.

Expected results:
Systemd should be able to start the service and it should accept jobs.

Additional info:
The SELinux denial is:
avc: denied { execute } for pid=787 comm="icecc-scheduler" path="/usr/bin/bash" dev="vda1" ino=2358 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

This happens with kernel >= 4.8. I found this commit by git bisection:

commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Author: Linus Torvalds <torvalds>
Date:   Mon Aug 22 16:41:46 2016 -0700

    binfmt_elf: switch to new creds when switching to new mm

Before this commit SELinux did not need to allow icecc_scheduler_t to mmap shell_exec_t for execution, because the credentials of the process changed to icecc_scheduler_t only after mapping the ELF file (/usr/bin/bash).

The SIGSEGV appears probably because when the SELinux denial causes elf_map() to fail, the execing has progressed beyond the point of no return. The error path there should better kill the process with SIGKILL.

I'll adjust the SELinux policy for icecream. And I'll look into the error path in the kernel too.
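Added example, not part of the bug report or of the icecream or selinux-policy sources: a small parser that turns AVC denial lines like the one quoted above into the type-enforcement rule the denial implies, merging permissions per source type, target type and class. The first sample line is the one from this report, the second is constructed to exercise merging, and the emitted rule is what the log implies, not necessarily the policy change shipped in the icecream update.

```python
import re
from collections import defaultdict

# Line 1 is the AVC denial quoted in the report. Line 2 is constructed here
# (not from the report) to show permissions being merged into one rule.
SAMPLE = (
    'avc: denied { execute } for pid=787 comm="icecc-scheduler" path="/usr/bin/bash" dev="vda1" ino=2358 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0\n'
    'avc: denied { read open } for pid=787 comm="icecc-scheduler" path="/usr/bin/bash" dev="vda1" ino=2358 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None  # incomplete record, cannot derive a rule
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """An SELinux context is user:role:type:level; rules are written on the type."""
    return context.split(':')[2]


def allow_rules(log_text):
    """Derive one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        merged[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE)))
```
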
Thanks for the tidy analysis!
My report #1391871 for Fedora 24 isn’t an exact duplicate, is it?
No, it is different.
*** Bug 1392250 has been marked as a duplicate of this bug. ***
icecream-1.1-0.3.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.3.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
This version works for me. Thanks!
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.