
ras-mc-ctl service from rasdaemon package is blocked from starting and denials are dontaudited #2376

Open
chenxiaolong opened this issue Oct 6, 2024 · 0 comments

Comments

@chenxiaolong

The rasdaemon package (for ECC memory error reporting) contains a ras-mc-ctl systemd service that assigns labels to memory DIMM slots on boot using sysfs. The current SELinux policy (selinux-policy-40.27-1.fc40.noarch) prevents that service from running properly, and it seems that the denials are dontaudited.

These are the denials I'm encountering after temporarily disabling dontaudit rules:

type=AVC msg=audit(1728173866.109:4201): avc:  denied  { getattr } for  pid=31214 comm="ras-mc-ctl" path="/usr/bin/kmod" dev="dm-0" ino=14899622 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728174190.135:4744): avc:  denied  { write } for  pid=32393 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=73902 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

For the second denial, the dimm_label filenames are from paths like /sys/devices/system/edac/mc/mc0/rank4/dimm_label.

To work around the problem, I created the following CIL policy and the service was able to successfully run afterwards:

# Required for the process to run at all. Without this, it exits with status 1 without doing anything.
(allow rasdaemon_t kmod_exec_t (file (getattr)))
# Required for the process to actually make the necessary sysfs writes. Without this, it fails with: `Unable to open /sys/devices/system/edac/mc/mc0/rank4/dimm_label`.
(allow rasdaemon_t sysfs_t (file (write)))

This is reproducible 100% of the time, but testing it requires access to a motherboard that both uses ECC memory and supports reporting errors via an EDAC driver.

  1. Install rasdaemon

    sudo dnf install rasdaemon
  2. Configure human readable labels in /etc/ras/dimm_labels.d/foobar

    Example:

    Vendor: ASUSTeK COMPUTER INC.
    Model: ProArt X870E-CREATOR WIFI
    DIMM_A1: 0.0.0, 0.1.0
    DIMM_A2: 0.2.0, 0.3.0
    DIMM_B1: 0.0.1, 0.1.1
    DIMM_B2: 0.2.1, 0.3.1

    (The vendor and model can be found with ras-mc-ctl --mainboard. The available locations can be found in ras-mc-ctl --print-labels. mc0 csrow 2 channel 0, for example, corresponds to 0.2.0. The label names, like DIMM_A1, are arbitrary strings.)

  3. Temporarily disable dontaudit rules

    sudo semanage dontaudit off
  4. Start ras-mc-ctl

    sudo systemctl start ras-mc-ctl
  5. The service fails to start and the denials from above are sent to the audit log. The SYSFS CONTENTS column of ras-mc-ctl --print-labels shows that the labels did not get written to sysfs.
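The workaround in the report goes from two AVC lines to two CIL allow rules by hand. The script below is an added example, not code from the issue or from the selinux-policy project: it turns AVC denial lines into CIL rules with a small awk filter (a minimal stand-in for audit2allow), and records in comments how the resulting local module would be loaded and later removed. The sample input is constructed from the two denials quoted above; the module name rasdaemon-local, the output filename and the denials.txt path are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the selinux-policy project): derive CIL
# allow rules from AVC denial lines such as the ones in the report.

# Constructed sample input: the two denials quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1728173866.109:4201): avc:  denied  { getattr } for  pid=31214 comm="ras-mc-ctl" path="/usr/bin/kmod" dev="dm-0" ino=14899622 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728174190.135:4744): avc:  denied  { write } for  pid=32393 comm="ras-mc-ctl" name="dimm_label" dev="sysfs" ino=73902 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC lines on stdin, write one CIL allow rule per distinct
# (source type, target type, class, permissions) tuple on stdout.
# The SELinux type is the third colon-separated component of a context
# (user:role:type:range); the permissions sit between "{" and "}".
avc_to_cil() {
    awk '
    /avc: *denied/ {
        perms = ""; sctx = ""; tctx = ""; cls = ""
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (sctx == "" || tctx == "" || cls == "" || perms == "") next
        split(sctx, s, ":"); split(tctx, t, ":")
        printf("(allow %s %s (%s (%s)))\n", s[3], t[3], cls, perms)
    }' | sort -u
}

# Demonstration on the constructed sample. On an affected host you would feed
# real denials instead, e.g.:
#   ausearch -m AVC -c ras-mc-ctl > denials.txt
#   avc_to_cil < denials.txt > rasdaemon-local.cil
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil

# Loading and removing the local module (requires root; not run here):
#   semodule -i rasdaemon-local.cil     # install, module name taken from the filename
#   semanage dontaudit on               # re-enable dontaudit rules once testing is done
#   semodule -r rasdaemon-local         # drop the workaround once the base policy is fixed
#
# To confirm that a specific access is dontaudited without disabling dontaudit
# globally, query the loaded policy instead (setools):
#   sesearch -D -s rasdaemon_t -t sysfs_t -c file -p write
```

Note that the second generated rule, like the reporter's workaround, grants write on every sysfs_t-labelled file, which is much wider than the EDAC dimm_label nodes the service actually touches; it is acceptable as a local, temporary module but is not the shape a distribution policy fix should take. Running `semanage dontaudit off` also rebuilds and reloads the policy, so remember to turn it back on after collecting the denials.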
