/sys/kernel/debug/sched/latency_ns: Permission denied Error when starting systemd unit #1

Closed
soal opened this issue Nov 13, 2021 · 23 comments


soal commented Nov 13, 2021

Fedora 35, kernel 5.14.16-301.fc35.x86_64, cfs-zen-tweaks installed via RPM from release page.

Interestingly, when I execute /usr/lib/cfs-zen-tweaks/script.sh or set the latency manually (echo 16000000 | tee /sys/kernel/debug/sched/latency_ns), no errors occurred.

Wild guess: something selinux-related?

Owner

igo95862 commented Nov 13, 2021

> something selinux-related?

Most likely. I think there should be an entry in journald when it happens.

Author

soal commented Nov 13, 2021

I've installed SELinux Troubleshooter and yeah, my guess was correct.
For anyone who will encounter this: I followed steps from Troubleshooter to allow script.sh to write to /sys/kernel/debug/sched/latency_ns and it fixed the issue:

sudo ausearch -c 'script.sh' --raw | audit2allow -M my-scriptsh
sudo semodule -X 300 -i my-scriptsh.pp

Don't know if it is something actionable here, though.
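
An added example, not part of the original comment or the project: a summary of which type-enforcement rules a set of denials translates to, useful to read before loading an audit2allow-generated module, since an allow rule covers every process in the source domain and every object of the target type rather than only script.sh and latency_ns. The audit records are constructed (the thread does not show the real ones), and the `init_t` and `debugfs_t` types in them are assumptions.

```bash
#!/bin/sh
# Summarise SELinux AVC denials for one command as candidate allow rules,
# for review before installing an audit2allow-generated module.

# Constructed sample records; contexts, pids and ids are assumptions, not from the thread.
constructed_avc_records() {
cat <<'EOF'
type=AVC msg=audit(1636800000.101:410): avc:  denied  { write } for  pid=901 comm="script.sh" name="latency_ns" dev="debugfs" ino=2001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1636800000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="script.sh"
type=AVC msg=audit(1636800000.140:411): avc:  denied  { write open } for  pid=901 comm="script.sh" name="min_granularity_ns" dev="debugfs" ino=2002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1636800001.000:412): avc:  denied  { read } for  pid=950 comm="other" name="conf" dev="dm-0" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# avc_summary COMM: read raw audit records on stdin, print one
# "allow <source type> <target type>:<class> { perms };" line per distinct rule.
avc_summary() {
    awk -v want="$1" '
    function val(key,    i, kv) {            # value of key=... in this record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                kv = substr($i, length(key) + 2)
                gsub(/"/, "", kv)
                return kv
            }
        return ""
    }
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }  # user:role:TYPE:level
    /^type=AVC / && / denied / {
        if (val("comm") != want) next        # only denials hit by the named command
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        key = setype(val("scontext")) " " setype(val("tcontext")) ":" val("tclass")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rule[key] = rule[key] " " p[i] }
    }
    END { for (k in rule) print "allow " k " {" rule[k] " };" }
    ' | sort
}

constructed_avc_records | avc_summary script.sh
```

On a live system the same function can be fed from `sudo ausearch -c 'script.sh' --raw`; `audit2allow -M` also writes a `.te` source file next to the `.pp`, which can be read before running `semodule -i`.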

Owner

igo95862 commented Nov 13, 2021

I wonder if there is a SELinuxContext= option that can be put in the systemd unit to make it work out of the box. I will install Fedora in a VM to test.

Does not look like SELinux allows that.

@igo95862
Owner

> I've installed SELinux Troubleshooter and yeah, my guess was correct. For anyone who will encounter this: I followed steps from Troubleshooter to allow script.sh to write to /sys/kernel/debug/sched/latency_ns and it fixed the issue:
>
> sudo ausearch -c 'script.sh' --raw | audit2allow -M my-scriptsh
> sudo semodule -X 300 -i my-scriptsh.pp
>
> Don't know if it is something actionable here, though.

It works, but only until reboot. I need to look deeper into this issue. I need to find a way to ship an SELinux policy with the package.

Owner

igo95862 commented Nov 15, 2021

Ok. I think I found a solution. The script should be placed into the /usr/sbin directory and its SELinux user be set to unconfined_u. I think I will try to add an install script to the RPM package.

Owner

igo95862 commented Nov 20, 2021

I published version 1.2.0 with the fix. (moving script to /usr/sbin)

@soal would you mind giving it a test? (Also remove previous workarounds beforehand.) I tested in a VM.

Author

soal commented Nov 20, 2021

1.2 fixed the issue, many thanks!

soal closed this as completed Nov 20, 2021

@not-a-dev-stein

Weird, I'm still having the same issue here, even with 1.2.0. Are there any extra steps I need to do after installing it?

Author

soal commented Nov 20, 2021

I've tested on Fedora 35. Removed SELinux module with workaround, rebooted to check that systemd unit from 1.1.1 fails, installed 1.2, rebooted again and everything works fine. No extra steps....

@not-a-dev-stein

Weird, here I just installed and enabled the systemd service and both before and after rebooting it fails only when setting the latency.

Owner

igo95862 commented Nov 20, 2021

> it fails only when setting the latency

What do you mean?

What is your journalctl output?

Did you apply any fixes beforehand?


not-a-dev-stein commented Nov 20, 2021

> What do you mean? What is your journalctl output?

Pretty much this:
nov 20 11:21:20 fedora systemd[1]: Starting Set CFS tweaks...
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: Targeted preemption latency for CPU-bound tasks: 4ms
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: Minimal preemption granularity for CPU-bound tasks: 0.4ms
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: Wake-up granularity: 0.5ms
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: Task migration cost: 0.25ms
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: Amount of runtime to allocate from global to local pool: 3ms
nov 20 11:21:20 fedora set-cfs-zen-tweaks.bash[3487]: /usr/sbin/set-cfs-zen-tweaks.bash: line 57: /sys/kernel/debug/sched/latency_ns: Permission denied
nov 20 11:21:20 fedora systemd[1]: set-cfs-tweaks.service: Main process exited, code=exited, status=1/FAILURE
nov 20 11:21:20 fedora systemd[1]: set-cfs-tweaks.service: Failed with result 'exit-code'.
nov 20 11:21:20 fedora systemd[1]: Failed to start Set CFS tweaks.

> Did you apply any fixes beforehand?

Nope, I was just following the issue waiting for an official fix before installing it on my system.

Owner

igo95862 commented Nov 20, 2021

Do you get any lines about SELinux? What is your Fedora version?

Can you do ls -Z /usr/sbin/set-cfs-zen-tweaks.bash and post output?

@not-a-dev-stein

> Do you get any lines about SELinux? What is your Fedora version?

Pretty much stock Fedora 35, and at least nothing related shows up in journalctl.

> Can you do ls -Z /usr/sbin/set-cfs-zen-tweaks.bash and post output?

system_u:object_r:bin_t:s0 /usr/sbin/set-cfs-zen-tweaks.bash

Owner

igo95862 commented Nov 20, 2021

Try systemctl cat set-cfs-tweaks.service and post the output.

Also try running the script directly with sudo and see if you get the error.


not-a-dev-stein commented Nov 20, 2021

> Try systemctl cat set-cfs-tweaks.service and post the output.


# /usr/lib/systemd/system/set-cfs-tweaks.service
# SPDX-License-Identifier: GPL-2.0-only
# Copyright (C) 2021  igo95862

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, version 2.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
[Unit]
Description=Set CFS tweaks
After=suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target

[Service]
ExecStart=/usr/sbin/set-cfs-zen-tweaks.bash
Type=oneshot

[Install]
WantedBy=multi-user.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target

Owner

igo95862 commented Nov 20, 2021

Try running the script directly with sudo and see if you get the error.

I am going to do a fresh install of Fedora in a VM to see if there will be an error.

@not-a-dev-stein

> Try running the script directly with sudo and see if you get the error.

Same thing, unfortunately.

@igo95862
Owner

> > Try running the script directly with sudo and see if you get the error.
>
> Same thing, unfortunately.

Then there is some issue with the /sys/kernel/debug/sched/ directory. See what kind of permissions are there.

This is what I have:

# sudo ls -l /sys/kernel/debug/sched

-r--r--r--  1 root root 0  debug
drwxr-xr-x 14 root root 0  domains
-rw-r--r--  1 root root 0  features
-rw-r--r--  1 root root 0  latency_ns
-rw-r--r--  1 root root 0  latency_warn_ms
-rw-r--r--  1 root root 0  latency_warn_once
-rw-r--r--  1 root root 0  migration_cost_ns
-rw-r--r--  1 root root 0  min_granularity_ns
-rw-r--r--  1 root root 0  nr_migrate
drwxr-xr-x  2 root root 0  numa_balancing
-rw-r--r--  1 root root 0  preempt
-rw-r--r--  1 root root 0  tunable_scaling
-rw-r--r--  1 root root 0  verbose
-rw-r--r--  1 root root 0  wakeup_granularity_ns

@not-a-dev-stein

Looks like it's pretty much the same here, unless I'm missing something:

-r--r--r--.  1 root root 0 nov 20 11:19 debug
drwxr-xr-x. 10 root root 0 nov 20 11:19 domains
-rw-r--r--.  1 root root 0 nov 20 11:19 features
-rw-r--r--.  1 root root 0 nov 20 11:19 latency_ns
-rw-r--r--.  1 root root 0 nov 20 11:19 latency_warn_ms
-rw-r--r--.  1 root root 0 nov 20 11:19 latency_warn_once
-rw-r--r--.  1 root root 0 nov 20 11:19 migration_cost_ns
-rw-r--r--.  1 root root 0 nov 20 11:19 min_granularity_ns
-rw-r--r--.  1 root root 0 nov 20 11:19 nr_migrate
drwxr-xr-x.  2 root root 0 nov 20 11:19 numa_balancing
-rw-r--r--.  1 root root 0 nov 20 11:19 tunable_scaling
-rw-r--r--.  1 root root 0 nov 20 11:19 verbose
-rw-r--r--.  1 root root 0 nov 20 11:19 wakeup_granularity_ns

@igo95862
Owner

Can you read/write manually to those values?

@not-a-dev-stein

> Can you read/write manually to those values?

Apparently not, getting the same "Operation not permitted" error when trying to do so.

Owner

igo95862 commented Nov 20, 2021

> > Can you read/write manually to those values?
>
> Apparently not, getting the same "Operation not permitted" error when trying to do so.

Then there is definitely something wrong/unusual with your setup. Sorry I can't help more than that.

Maybe you have a custom kernel installed that uses some other scheduler... (Fedora Silverblue maybe?)
