Please ignore the one extra line in the expected results output. :)

Please check /var/log/messages and /var/log/iceccd for any relevant messages.

Forgot to mention that /var/log/iceccd does not exist. Anyhow, /var/log/messages seems to reveal more information:

Sep 24 16:47:27 jaber iceccd-wrapper[15371]: Error: -u requires a valid username
Sep 24 16:47:27 jaber iceccd-wrapper[15371]: usage: iceccd [-n <netname>] [-m <max_processes>] [--no-remote] [-w] [-d|--daemonize] [-l logfile] [-s <schedulerhost>] [-v[v[v]]] [-r|--run-as-user] [-b <env-basedir>] [-u|--nobody-uid <nobody_uid>] [--cache-limit <MB>] [-N <node_name>]
Sep 24 16:47:27 jaber systemd[1]: iceccd.service: control process exited, code=exited status=1
Sep 24 16:47:27 jaber systemd[1]: Unit iceccd.service entered failed state.
Sep 24 16:47:27 jaber setroubleshoot: SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f

According to "systemctl status iceccd.service" it passes -u icecream. Should such user have been created during the installation of the icecream package?

Or does it need some elevated permissions? As far as I can see, there is "icecream" in /etc/passwd.

And here's the sealert output:


$ sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f
SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that iceccd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:iceccd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          <Unknown>
Host                          jaber
Source RPM Packages           icecream-0.9.7-3.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jaber
Platform                      Linux jaber 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep 17
                              15:03:59 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    2012-09-24 09:56:53 CEST
Last Seen                     2012-09-24 16:47:27 CEST
Local ID                      09b8cc88-923d-46a8-a9df-b1417b41359f

Raw Audit Messages
type=AVC msg=audit(1348498047.366:209): avc:  denied  { read } for  pid=15371 comm="iceccd" name="passwd" dev="dm-1" ino=166326 scontext=system_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1348498047.366:209): arch=x86_64 syscall=open success=no exit=EACCES a0=7f903e3c76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=15371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iceccd exe=/usr/sbin/iceccd subj=system_u:system_r:iceccd_t:s0 key=(null)

Hash: iceccd,iceccd_t,passwd_file_t,file,read

audit2allow

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;

audit2allow -R

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;

Running the suggested commands doesn't seem to help:

$ sudo grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

$ sudo semodule -i mypol.pp
$ sudo systemctl start iceccd.service
Job failed. See system journal and 'systemctl status' for details.

Resulting to the same output in 'systemctl status' and /var/log/messages.

Does making iceccd_t a permissive domain help as a workaround?:
semanage permissive -a iceccd_t

FYI, it must've been a lookup-id from wrong instance that I passed to sealert. I got iceccd up and running now, but I wouldn't consider the bug resolved. :)

This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.