Bug 859979 - iceccd.service fails to start
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: icecream
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Michal Schmidt
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-24 10:35 EDT by J-P Nurmi
Modified: 2013-08-01 01:21 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-01 01:20:58 EDT
Type: Bug


Description J-P Nurmi 2012-09-24 10:35:43 EDT
Description of problem:
The icecream distributed compile system doesn't work on Fedora 17. The service does not launch, but throws an error as described below.

Version-Release number of selected component (if applicable):
icecream 0.9.7

How reproducible:
Always

Steps to Reproduce:
1. enable & start iceccd.service

Actual results:
$ sudo systemctl enable iceccd.service
ln -s '/usr/lib/systemd/system/iceccd.service' '/etc/systemd/system/multi-user.target.wants/iceccd.service'

$ sudo systemctl start iceccd.service 
Job failed. See system journal and 'systemctl status' for details.

$ sudo systemctl status iceccd.service
iceccd.service - Icecream Distributed Compiler
	  Loaded: loaded (/usr/lib/systemd/system/iceccd.service; enabled)
	  Active: failed (Result: exit-code) since Mon, 24 Sep 2012 15:51:02 +0200; 5s ago
	 Process: 24199 ExecStart=/usr/lib/icecream/iceccd-wrapper -d -u icecream -b /var/cache/icecream -l /var/log/iceccd (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/iceccd.service

Expected results:
$ sudo systemctl status iceccd.service
iceccd.service - Icecream Distributed Compiler
	  Loaded: loaded (/usr/lib/systemd/system/iceccd.service; enabled)
	  Active: failed (Result: exit-code) since Mon, 24 Sep 2012 15:51:02 +0200; 5s ago
	  Active: active (running) since [...]
	  CGroup: name=systemd:/system/iceccd.service

Additional info:
N/A
Comment 1 J-P Nurmi 2012-09-24 10:36:33 EDT
Please ignore the one extra line in the expected results output. :)
Comment 2 Michal Schmidt 2012-09-24 10:43:32 EDT
Please check /var/log/messages and /var/log/iceccd for any relevant messages.
Comment 3 J-P Nurmi 2012-09-24 10:50:41 EDT
Forgot to mention that /var/log/iceccd does not exist. Anyhow, /var/log/messages seems to reveal more information:

Sep 24 16:47:27 jaber iceccd-wrapper[15371]: Error: -u requires a valid username
Sep 24 16:47:27 jaber iceccd-wrapper[15371]: usage: iceccd [-n <netname>] [-m <max_processes>] [--no-remote] [-w] [-d|--daemonize] [-l logfile] [-s <schedulerhost>] [-v[v[v]]] [-r|--run-as-user] [-b <env-basedir>] [-u|--nobody-uid <nobody_uid>] [--cache-limit <MB>] [-N <node_name>]
Sep 24 16:47:27 jaber systemd[1]: iceccd.service: control process exited, code=exited status=1
Sep 24 16:47:27 jaber systemd[1]: Unit iceccd.service entered failed state.
Sep 24 16:47:27 jaber setroubleshoot: SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f

According to "systemctl status iceccd.service" it passes -u icecream. Should such a user have been created during the installation of the icecream package?
Comment 4 J-P Nurmi 2012-09-24 10:52:21 EDT
Or does it need some elevated permissions? As far as I can see, there is "icecream" in /etc/passwd.
Comment 5 J-P Nurmi 2012-09-24 10:53:35 EDT
And here's the sealert output:


$ sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f
SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that iceccd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:iceccd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          <Unknown>
Host                          jaber
Source RPM Packages           icecream-0.9.7-3.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jaber
Platform                      Linux jaber 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep 17
                              15:03:59 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    2012-09-24 09:56:53 CEST
Last Seen                     2012-09-24 16:47:27 CEST
Local ID                      09b8cc88-923d-46a8-a9df-b1417b41359f

Raw Audit Messages
type=AVC msg=audit(1348498047.366:209): avc:  denied  { read } for  pid=15371 comm="iceccd" name="passwd" dev="dm-1" ino=166326 scontext=system_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1348498047.366:209): arch=x86_64 syscall=open success=no exit=EACCES a0=7f903e3c76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=15371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iceccd exe=/usr/sbin/iceccd subj=system_u:system_r:iceccd_t:s0 key=(null)

Hash: iceccd,iceccd_t,passwd_file_t,file,read

audit2allow

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;

audit2allow -R

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;
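
Added example, not part of the original report or of any project's code: a small Python parser that turns AVC denial records into the allow rules a generated module would contain, so they can be reviewed before `semodule -i` loads them. The first record is the one quoted in Comment 5; the second is constructed to show how permissions merge, and all function names are this example's own.

```python
import re
from collections import defaultdict

# AVC record copied from Comment 5 of this report.
REPORTED = ('type=AVC msg=audit(1348498047.366:209): avc:  denied  { read } for  '
            'pid=15371 comm="iceccd" name="passwd" dev="dm-1" ino=166326 '
            'scontext=system_u:system_r:iceccd_t:s0 '
            'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file')
# Constructed record (not from the report): a second denial for the same
# source/target pair, to show how permissions merge into one rule.
CONSTRUCTED = ('type=AVC msg=audit(1348498050.101:215): avc:  denied  { open getattr } for  '
               'pid=15400 comm="iceccd" name="passwd" dev="dm-1" ino=166326 '
               'scontext=system_u:system_r:iceccd_t:s0 '
               'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'source': context_type(m['scon']), 'target': context_type(m['tcon']),
            'tclass': m['tclass'], 'perms': set(m['perms'].split())}

def allow_rules(lines):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules([REPORTED, CONSTRUCTED]):
        print(rule)
```

In enforcing mode a daemon that exits on its first denial logs only that denial, so rules derived from the log can be incomplete. A permissive domain, as suggested in Comment 7, logs every denial without blocking the access.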
Comment 6 J-P Nurmi 2012-09-24 10:58:55 EDT
Running the suggested commands doesn't seem to help:

$ sudo grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

$ sudo semodule -i mypol.pp
$ sudo systemctl start iceccd.service
Job failed. See system journal and 'systemctl status' for details.

Resulting in the same output in 'systemctl status' and /var/log/messages.
Comment 7 Michal Schmidt 2012-09-24 11:03:01 EDT
Does making iceccd_t a permissive domain help as a workaround?:
semanage permissive -a iceccd_t
Comment 8 J-P Nurmi 2012-09-24 11:04:00 EDT
FYI, it must've been a lookup-id from the wrong instance that I passed to sealert. I got iceccd up and running now, but I wouldn't consider the bug resolved. :)
Comment 9 Fedora End Of Life 2013-07-03 21:10:26 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 10 Fedora End Of Life 2013-08-01 01:21:01 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
