SElinux guix-daemon.cil file

Open

Details

3 participants

Ludovic Courtès
Matt Wette
Ricardo Wurmus

Owner: unassigned

Submitted by: Matt Wette

Severity: normal

Matt Wette wrote on 18 Jan 2020 16:40

Recipients:(address . bug-guix@gnu.org)

Message-ID:b637f042-0881-ea44-eb6c-68118cca6b27@gmail.com

Hi All,

I appologize for the formatting.� I use tbird and I can't find a way to 
do plain-text mode.

I'm trying to get guix-1.0.1 running on Fedora-30 with its default 
SElinux set up.
I found (hint from 
https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
that the guix-daemon.cil file seems to be missing a few items. Without 
this patch
 ��� # restorecon -R /gnu/store
fails.

--- guix-daemon.cil.orig��� 2020-01-18 07:08:12.905986299 -0800
+++ guix-daemon.cil��� 2020-01-18 07:09:49.765737261 -0800
@@ -34,14 +34,19 @@
 �� (roletype object_r guix_daemon_t)
 �� (type guix_daemon_conf_t)
 �� (roletype object_r guix_daemon_conf_t)
+� (typeattributeset file_type guix_daemon_conf_t)
 �� (type guix_daemon_exec_t)
 �� (roletype object_r guix_daemon_exec_t)
+� (typeattributeset file_type guix_daemon_exec_t)
 �� (type guix_daemon_socket_t)
 �� (roletype object_r guix_daemon_socket_t)
+� (typeattributeset file_type guix_daemon_socket_t)
 �� (type guix_store_content_t)
 �� (roletype object_r guix_store_content_t)
+� (typeattributeset file_type guix_store_content_t)
 �� (type guix_profiles_t)
 �� (roletype object_r guix_profiles_t)
+� (typeattributeset file_type guix_profiles_t)

 �� ;; These types are domains, thereby allowing process rules
 �� (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

Ludovic Courtès wrote on 20 Jan 2020 10:13

Recipients:(address . 39172@debbugs.gnu.org)

Message-ID:87h80qij75.fsf@gnu.org

Hi Matt,

Matt Wette <matt.wette@gmail.com> skribis:

Toggle quote (9 lines)

> I'm trying to get guix-1.0.1 running on Fedora-30 with its default

> SElinux set up.

> I found (hint from

> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)

> that the guix-daemon.cil file seems to be missing a few items. Without

> this patch

> �� # restorecon -R /gnu/store

> fails.

OK, thanks for finding it out!

Toggle quote (23 lines)> --- guix-daemon.cil.orig��� 2020-01-18 07:08:12.905986299 -0800
> +++ guix-daemon.cil��� 2020-01-18 07:09:49.765737261 -0800
> @@ -34,14 +34,19 @@
> �� (roletype object_r guix_daemon_t)
> �� (type guix_daemon_conf_t)
> �� (roletype object_r guix_daemon_conf_t)
> +� (typeattributeset file_type guix_daemon_conf_t)
> �� (type guix_daemon_exec_t)
> �� (roletype object_r guix_daemon_exec_t)
> +� (typeattributeset file_type guix_daemon_exec_t)
> �� (type guix_daemon_socket_t)
> �� (roletype object_r guix_daemon_socket_t)
> +� (typeattributeset file_type guix_daemon_socket_t)
> �� (type guix_store_content_t)
> �� (roletype object_r guix_store_content_t)
> +� (typeattributeset file_type guix_store_content_t)
> �� (type guix_profiles_t)
> �� (roletype object_r guix_profiles_t)
> +� (typeattributeset file_type guix_profiles_t)
>
> �� ;; These types are domains, thereby allowing process rules
> �� (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

Ricardo, WDYT? I know nothing about this config file so I’d rather have

your approval before pushing.

Ludo’.

Ricardo Wurmus wrote on 20 Jan 2020 11:35

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87iml6wh3b.fsf@elephly.net

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (41 lines)> Hi Matt,
>
> Matt Wette <matt.wette@gmail.com> skribis:
>
>> I'm trying to get guix-1.0.1 running on Fedora-30 with its default
>> SElinux set up.
>> I found (hint from
>> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
>> that the guix-daemon.cil file seems to be missing a few items. Without
>> this patch
>>     # restorecon -R /gnu/store
>> fails.
>
> OK, thanks for finding it out!
>
>> --- guix-daemon.cil.orig    2020-01-18 07:08:12.905986299 -0800
>> +++ guix-daemon.cil    2020-01-18 07:09:49.765737261 -0800
>> @@ -34,14 +34,19 @@
>>    (roletype object_r guix_daemon_t)
>>    (type guix_daemon_conf_t)
>>    (roletype object_r guix_daemon_conf_t)
>> +  (typeattributeset file_type guix_daemon_conf_t)
>>    (type guix_daemon_exec_t)
>>    (roletype object_r guix_daemon_exec_t)
>> +  (typeattributeset file_type guix_daemon_exec_t)
>>    (type guix_daemon_socket_t)
>>    (roletype object_r guix_daemon_socket_t)
>> +  (typeattributeset file_type guix_daemon_socket_t)
>>    (type guix_store_content_t)
>>    (roletype object_r guix_store_content_t)
>> +  (typeattributeset file_type guix_store_content_t)
>>    (type guix_profiles_t)
>>    (roletype object_r guix_profiles_t)
>> +  (typeattributeset file_type guix_profiles_t)
>>
>>    ;; These types are domains, thereby allowing process rules
>>    (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
>
> Ricardo, WDYT?  I know nothing about this config file so I’d rather have
> your approval before pushing.

Could we also do this in one expression?

(typeattributeset file_type (or guix_profiles_t

guix_daemon_conf_t

guix_daemon_exec_t

guix_daemon_socket_t

guix_store_content_t))

I also think we need to declare our use of “file_type” first:

(typeattribute file_type)

What do you think?

Ricardo

Ludovic Courtès wrote on 27 Jan 2020 22:50

Recipients:(name . Ricardo Wurmus)(address . rekado@elephly.net)

Message-ID:87d0b4fu1m.fsf@gnu.org

Hello,

Ricardo Wurmus <rekado@elephly.net> skribis:

Toggle quote (14 lines)> Could we also do this in one expression?
>
>     (typeattributeset file_type (or guix_profiles_t
>                                     guix_daemon_conf_t
>                                     guix_daemon_exec_t
>                                     guix_daemon_socket_t
>                                     guix_store_content_t))
>
> I also think we need to declare our use of “file_type” first:
>
>     (typeattribute file_type)
>
> What do you think?

Matt, does what Ricardo proposes work for you?

TIA,

Ludo’.

Matt Wette wrote on 28 Jan 2020 14:45

Recipients:(address . 39172@debbugs.gnu.org)

Message-ID:523bc412-7451-3d32-6ab5-854fab4063ff@gmail.com

On 1/27/20 1:50 PM, Ludovic Courtès wrote:

Toggle quote (20 lines)> Hello,
>
> Ricardo Wurmus <rekado@elephly.net> skribis:
>
>> Could we also do this in one expression?
>>
>>      (typeattributeset file_type (or guix_profiles_t
>>                                      guix_daemon_conf_t
>>                                      guix_daemon_exec_t
>>                                      guix_daemon_socket_t
>>                                      guix_store_content_t))
>>
>> I also think we need to declare our use of “file_type” first:
>>
>>      (typeattribute file_type)
>>
>> What do you think?
> Matt, does what Ricardo proposes work for you?
>

I can add that and see if it helps.� I am just coming up to speed on this.

There are other changes I may be proposing.

Note that use of

�� (block guix_daemon

�� ... guix_daemon_conf_t

�� )

results in the type guix_daemon.guix_daemon_conf_t.�� According to

�� https://github.com/SELinuxProject/cil/wiki

the convention is something like the following, with added typealias

�� (block guix

�� ... daemon_conf

� �� )

�� (typealias guix.daemon_conf guix_daemon_conf_t)

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 39172@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date