Description of problem:
The icecream distributed compile system doesn't work on Fedora 17. The service does not launch, but throws an error as described below.

Version-Release number of selected component (if applicable):
icecream 0.9.7

How reproducible:
Always

Steps to Reproduce:
1. enable & start iceccd.service

Actual results:
$ sudo systemctl enable iceccd.service
ln -s '/usr/lib/systemd/system/iceccd.service' '/etc/systemd/system/multi-user.target.wants/iceccd.service'
$ sudo systemctl start iceccd.service
Job failed. See system journal and 'systemctl status' for details.
$ sudo systemctl status iceccd.service
iceccd.service - Icecream Distributed Compiler
    Loaded: loaded (/usr/lib/systemd/system/iceccd.service; enabled)
    Active: failed (Result: exit-code) since Mon, 24 Sep 2012 15:51:02 +0200; 5s ago
    Process: 24199 ExecStart=/usr/lib/icecream/iceccd-wrapper -d -u icecream -b /var/cache/icecream -l /var/log/iceccd (code=exited, status=1/FAILURE)
    CGroup: name=systemd:/system/iceccd.service

Expected results:
$ sudo systemctl status iceccd.service
iceccd.service - Icecream Distributed Compiler
    Loaded: loaded (/usr/lib/systemd/system/iceccd.service; enabled)
    Active: failed (Result: exit-code) since Mon, 24 Sep 2012 15:51:02 +0200; 5s ago
    Active: active (running) since [...]
    CGroup: name=systemd:/system/iceccd.service

Additional info:
N/A
Please ignore the one extra line in the expected results output. :)
Please check /var/log/messages and /var/log/iceccd for any relevant messages.
Forgot to mention that /var/log/iceccd does not exist. Anyhow, /var/log/messages seems to reveal more information:

Sep 24 16:47:27 jaber iceccd-wrapper[15371]: Error: -u requires a valid username
Sep 24 16:47:27 jaber iceccd-wrapper[15371]: usage: iceccd [-n <netname>] [-m <max_processes>] [--no-remote] [-w] [-d|--daemonize] [-l logfile] [-s <schedulerhost>] [-v[v[v]]] [-r|--run-as-user] [-b <env-basedir>] [-u|--nobody-uid <nobody_uid>] [--cache-limit <MB>] [-N <node_name>]
Sep 24 16:47:27 jaber systemd[1]: iceccd.service: control process exited, code=exited status=1
Sep 24 16:47:27 jaber systemd[1]: Unit iceccd.service entered failed state.
Sep 24 16:47:27 jaber setroubleshoot: SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f

According to "systemctl status iceccd.service" it passes -u icecream. Should such user have been created during the installation of the icecream package?
Or does it need some elevated permissions? As far as I can see, there is "icecream" in /etc/passwd.
And here's the sealert output:

$ sealert -l 09b8cc88-923d-46a8-a9df-b1417b41359f
SELinux is preventing /usr/sbin/iceccd from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that iceccd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iceccd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          <Unknown>
Host                          jaber
Source RPM Packages           icecream-0.9.7-3.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jaber
Platform                      Linux jaber 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep 17 15:03:59 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    2012-09-24 09:56:53 CEST
Last Seen                     2012-09-24 16:47:27 CEST
Local ID                      09b8cc88-923d-46a8-a9df-b1417b41359f

Raw Audit Messages
type=AVC msg=audit(1348498047.366:209): avc: denied { read } for pid=15371 comm="iceccd" name="passwd" dev="dm-1" ino=166326 scontext=system_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1348498047.366:209): arch=x86_64 syscall=open success=no exit=EACCES a0=7f903e3c76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=15371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iceccd exe=/usr/sbin/iceccd subj=system_u:system_r:iceccd_t:s0 key=(null)

Hash: iceccd,iceccd_t,passwd_file_t,file,read

audit2allow

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;

audit2allow -R

#============= iceccd_t ==============
allow iceccd_t passwd_file_t:file read;
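
Added example, not part of the original comment and not code from icecream or the SELinux tools: a small Python parser for the AVC record format quoted above. It groups denials by source domain, target type and class, and prints the allow rules a local module would need, so the grant can be reviewed before anything is loaded. The function names are hypothetical; the first two sample records are taken from the comment (the SYSCALL one abridged) and the third is constructed.

```python
import re
from collections import defaultdict

# Sample input. Records 1-2 come from the sealert output above (SYSCALL
# abridged); record 3 is constructed to show permissions being merged.
SAMPLE = """\
type=AVC msg=audit(1348498047.366:209): avc: denied { read } for pid=15371 comm="iceccd" name="passwd" dev="dm-1" ino=166326 scontext=system_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1348498047.366:209): arch=x86_64 syscall=open success=no exit=EACCES comm=iceccd exe=/usr/sbin/iceccd subj=system_u:system_r:iceccd_t:s0 key=(null)
type=AVC msg=audit(1348498050.000:210): avc: denied { open getattr } for pid=15400 comm="iceccd" name="passwd" dev="dm-1" ino=166326 scontext=system_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL and other record types are skipped
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = selinux_type(fields.get("scontext", ""))
    tgt = selinux_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None  # malformed or truncated record
    return {"perms": m.group(1).split(), "source": src, "target": tgt,
            "tclass": fields["tclass"], "comm": fields.get("comm")}

def allow_rules(log_text):
    """Merge denials per (source, target, class) into allow-rule strings."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

Run on the single AVC record from the comment, it yields the same rule that audit2allow printed there.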
Running the suggested commands doesn't seem to help:

$ sudo grep iceccd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

$ sudo semodule -i mypol.pp
$ sudo systemctl start iceccd.service
Job failed. See system journal and 'systemctl status' for details.

Resulting in the same output in 'systemctl status' and /var/log/messages.
Does making iceccd_t a permissive domain help as a workaround?

semanage permissive -a iceccd_t
FYI, it must've been a lookup-id from the wrong instance that I passed to sealert. I got iceccd up and running now, but I wouldn't consider the bug resolved. :)
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.