SElinux guix-daemon.cil file

Open

Details

3 participants

Ludovic Courtès
Matt Wette
Ricardo Wurmus

Owner: unassigned

Submitted by: Matt Wette

Severity: normal

Matt Wette wrote on 18 Jan 2020 16:40

Recipients:(address . bug-guix@gnu.org)

Message-ID:b637f042-0881-ea44-eb6c-68118cca6b27@gmail.com

Hi All,

I appologize for the formatting.  I use tbird and I can't find a way to 
do plain-text mode.

I'm trying to get guix-1.0.1 running on Fedora-30 with its default 
SElinux set up.
I found (hint from 
https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
that the guix-daemon.cil file seems to be missing a few items. Without 
this patch
     # restorecon -R /gnu/store
fails.

--- guix-daemon.cil.orig    2020-01-18 07:08:12.905986299 -0800
+++ guix-daemon.cil    2020-01-18 07:09:49.765737261 -0800
@@ -34,14 +34,19 @@
    (roletype object_r guix_daemon_t)
    (type guix_daemon_conf_t)
    (roletype object_r guix_daemon_conf_t)
+  (typeattributeset file_type guix_daemon_conf_t)
    (type guix_daemon_exec_t)
    (roletype object_r guix_daemon_exec_t)
+  (typeattributeset file_type guix_daemon_exec_t)
    (type guix_daemon_socket_t)
    (roletype object_r guix_daemon_socket_t)
+  (typeattributeset file_type guix_daemon_socket_t)
    (type guix_store_content_t)
    (roletype object_r guix_store_content_t)
+  (typeattributeset file_type guix_store_content_t)
    (type guix_profiles_t)
    (roletype object_r guix_profiles_t)
+  (typeattributeset file_type guix_profiles_t)

    ;; These types are domains, thereby allowing process rules
    (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

Ludovic Courtès wrote on 20 Jan 2020 10:13

Recipients:(address . 39172@debbugs.gnu.org)

Message-ID:87h80qij75.fsf@gnu.org

Hi Matt,

Matt Wette <matt.wette@gmail.com> skribis:

Toggle quote (9 lines)

> I'm trying to get guix-1.0.1 running on Fedora-30 with its default

> SElinux set up.

> I found (hint from

> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)

> that the guix-daemon.cil file seems to be missing a few items. Without

> this patch

> # restorecon -R /gnu/store

> fails.

OK, thanks for finding it out!

Toggle quote (23 lines)> --- guix-daemon.cil.orig    2020-01-18 07:08:12.905986299 -0800
> +++ guix-daemon.cil    2020-01-18 07:09:49.765737261 -0800
> @@ -34,14 +34,19 @@
>    (roletype object_r guix_daemon_t)
>    (type guix_daemon_conf_t)
>    (roletype object_r guix_daemon_conf_t)
> +  (typeattributeset file_type guix_daemon_conf_t)
>    (type guix_daemon_exec_t)
>    (roletype object_r guix_daemon_exec_t)
> +  (typeattributeset file_type guix_daemon_exec_t)
>    (type guix_daemon_socket_t)
>    (roletype object_r guix_daemon_socket_t)
> +  (typeattributeset file_type guix_daemon_socket_t)
>    (type guix_store_content_t)
>    (roletype object_r guix_store_content_t)
> +  (typeattributeset file_type guix_store_content_t)
>    (type guix_profiles_t)
>    (roletype object_r guix_profiles_t)
> +  (typeattributeset file_type guix_profiles_t)
>
>    ;; These types are domains, thereby allowing process rules
>    (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

Ricardo, WDYT? I know nothing about this config file so I’d rather have

your approval before pushing.

Ludo’.

Ricardo Wurmus wrote on 20 Jan 2020 11:35

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87iml6wh3b.fsf@elephly.net

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (41 lines)> Hi Matt,
>
> Matt Wette <matt.wette@gmail.com> skribis:
>
>> I'm trying to get guix-1.0.1 running on Fedora-30 with its default
>> SElinux set up.
>> I found (hint from
>> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
>> that the guix-daemon.cil file seems to be missing a few items. Without
>> this patch
>>     # restorecon -R /gnu/store
>> fails.
>
> OK, thanks for finding it out!
>
>> --- guix-daemon.cil.orig    2020-01-18 07:08:12.905986299 -0800
>> +++ guix-daemon.cil    2020-01-18 07:09:49.765737261 -0800
>> @@ -34,14 +34,19 @@
>>    (roletype object_r guix_daemon_t)
>>    (type guix_daemon_conf_t)
>>    (roletype object_r guix_daemon_conf_t)
>> +  (typeattributeset file_type guix_daemon_conf_t)
>>    (type guix_daemon_exec_t)
>>    (roletype object_r guix_daemon_exec_t)
>> +  (typeattributeset file_type guix_daemon_exec_t)
>>    (type guix_daemon_socket_t)
>>    (roletype object_r guix_daemon_socket_t)
>> +  (typeattributeset file_type guix_daemon_socket_t)
>>    (type guix_store_content_t)
>>    (roletype object_r guix_store_content_t)
>> +  (typeattributeset file_type guix_store_content_t)
>>    (type guix_profiles_t)
>>    (roletype object_r guix_profiles_t)
>> +  (typeattributeset file_type guix_profiles_t)
>>
>>    ;; These types are domains, thereby allowing process rules
>>    (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
>
> Ricardo, WDYT?  I know nothing about this config file so I’d rather have
> your approval before pushing.

Could we also do this in one expression?

(typeattributeset file_type (or guix_profiles_t

guix_daemon_conf_t

guix_daemon_exec_t

guix_daemon_socket_t

guix_store_content_t))

I also think we need to declare our use of “file_type” first:

(typeattribute file_type)

What do you think?

Ricardo

Ludovic Courtès wrote on 27 Jan 2020 22:50

Recipients:(name . Ricardo Wurmus)(address . rekado@elephly.net)

Message-ID:87d0b4fu1m.fsf@gnu.org

Hello,

Ricardo Wurmus <rekado@elephly.net> skribis:

Toggle quote (14 lines)> Could we also do this in one expression?
>
>     (typeattributeset file_type (or guix_profiles_t
>                                     guix_daemon_conf_t
>                                     guix_daemon_exec_t
>                                     guix_daemon_socket_t
>                                     guix_store_content_t))
>
> I also think we need to declare our use of “file_type” first:
>
>     (typeattribute file_type)
>
> What do you think?

Matt, does what Ricardo proposes work for you?

TIA,

Ludo’.

Matt Wette wrote on 28 Jan 2020 14:45

Recipients:(address . 39172@debbugs.gnu.org)

Message-ID:523bc412-7451-3d32-6ab5-854fab4063ff@gmail.com

On 1/27/20 1:50 PM, Ludovic Courtès wrote:

Toggle quote (20 lines)> Hello,
>
> Ricardo Wurmus <rekado@elephly.net> skribis:
>
>> Could we also do this in one expression?
>>
>>      (typeattributeset file_type (or guix_profiles_t
>>                                      guix_daemon_conf_t
>>                                      guix_daemon_exec_t
>>                                      guix_daemon_socket_t
>>                                      guix_store_content_t))
>>
>> I also think we need to declare our use of “file_type” first:
>>
>>      (typeattribute file_type)
>>
>> What do you think?
> Matt, does what Ricardo proposes work for you?
>

I can add that and see if it helps. I am just coming up to speed on this.

There are other changes I may be proposing.

Note that use of

(block guix_daemon

... guix_daemon_conf_t

)

results in the type guix_daemon.guix_daemon_conf_t. According to

https://github.com/SELinuxProject/cil/wiki

the convention is something like the following, with added typealias

(block guix

... daemon_conf

)

(typealias guix.daemon_conf guix_daemon_conf_t)

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 39172@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 39172

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date