[PATCH] etc: updates for the guix-daemon SELinux policy

Status: Done
Participants: Daniel Brooks, Marius Bakke
Owner: unassigned
Submitted by: Daniel Brooks
Severity: normal
Marius Bakke wrote on 12 Nov 2020 22:13
87361ecm7f.fsf@gnu.org
Hello Daniel,

Thanks a lot for this.

Daniel Brooks <db48x@db48x.net> writes:

> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.

This commit message is somewhat unorthodox. :-)

Perhaps it can be shortened to:

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

[...]

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@
> ;; Intermediate Language (CIL). It refers to types that must be defined in
> ;; the system's base policy.
>
> +;; If you, like me, need advice about fixing an SELinux policy, I recommend
> +;; reading https://danwalsh.livejournal.com/55324.html
> +
> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
> +;; permissions, and when it doesn't have permission it will still send an
> +;; audit message to your system logs. This lets you know what permissions it
> +;; ought to have. Use ausearch --raw to find the permissions violations, then
> +;; pipe that to audit2allow to generate an updated policy. You'll still need
> +;; to translate that policy into CIL in order to update this file, but that's
> +;; fairly straight-forward. Annoying, but easy.
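Review bot: the added comment tells readers to put the daemon's domain into permissive mode with `semanage permissive -a guix_daemon.guix_daemon_t` but never says to take it back out; a domain left permissive is unconfined in everything except logging, so the paragraph should close with the matching `semanage permissive -d guix_daemon.guix_daemon_t` once the denials have been collected. It would also help to say that audit2allow output is a starting point to be reviewed rule by rule, not pasted: it will emit allows for permissions that a policy normally dontaudits (the process inheritance checks, for example), and translating those into `(allow ...)` widens the policy for no benefit.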

I'm not sure about the second paragraph. It's mainly a rehash of the
blog post, no? And there are many other ways to go about
troubleshooting SELinux (I did not use ausearch at all).

Anyway! I tried it on RHEL8, and had to do a few more tweaks to get it
working:
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 666e5677a3..b5909f1b18 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -84,6 +84,9 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
(allow init_t
guix_store_content_t
(file (open read execute)))
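Review bot: the new `(allow init_t guix_store_content_t (lnk_file (read)))` carries no comment saying which symlink PID 1 has to follow, and nothing else in the hunk makes it obvious why init_t would read store symlinks at all. A one-line `;;` comment above the rule naming the path in question (the unit's ExecStart resolving through a profile symlink into /gnu/store, if that is the case) would let a later reader judge whether the rule is still needed instead of carrying it forward blindly.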
@@ -166,6 +169,9 @@
(allow guix_daemon_t
root_t
(dir (mounton)))
+ (allow guix_daemon_t
+ guix_daemon_socket_t
+ (sock_file (unlink)))
(allow guix_daemon_t
fs_t
(filesystem (getattr)))
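Review bot: granting guix_daemon_t only `unlink` on guix_daemon_socket_t is suspicious on its own, since a socket the daemon creates and later removes would need create and write on the same type as well; that only unlink was denied suggests the socket is created under some other label and is relabelled to guix_daemon_socket_t afterwards by the filecon rules. Worth checking whether a type transition on socket creation would give it the intended label from the start, so the rules for guix_daemon_socket_t describe the socket's whole life rather than only the cleanup path.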
@@ -348,7 +354,12 @@
getopt setopt)))
(allow guix_daemon_t
self
- (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
+ (netlink_route_socket (read write)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept
+ listen bind connect create read write
+ setopt getopt getattr ioctl)))
(allow guix_daemon_t
unreserved_port_t
(tcp_socket (name_bind name_connect accept listen)))
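Review bot: the `-`/`+` pair here rewrites the existing tcp_socket rule when the actual change is two additions, `read write` on tcp_socket and a new `netlink_route_socket (read write)` rule for self; keeping the tcp_socket rule in place and extending it would make the diff (and later `git blame`) show what really changed. The netlink rule also deserves a comment on what guix-daemon uses a routing socket for (interface and address enumeration during name resolution is the usual cause), and it is worth confirming that `create` and `bind` on netlink_route_socket are granted elsewhere, otherwise the next audit run will turn those up.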
Can you test these additional changes on Fedora?

With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation! :-)

Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?

Thanks! It's really great to get this in before 1.2.0.

Daniel Brooks wrote on 12 Nov 2020 22:45
To: Marius Bakke <marius@gnu.org>, 44549@debbugs.gnu.org
87v9ea6yhl.fsf@db48x.net
Marius Bakke <marius@gnu.org> writes:

> Hello Daniel,
>
> Thanks a lot for this.

You're welcome.

>
> Daniel Brooks <db48x@db48x.net> writes:
>
>> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>> From: Daniel Brooks <db48x@db48x.net>
>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>
>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>> everything that guix-daemon needs, but it's probably most of them. It can
>> search for, install, upgrade, and remove packages, create virtual machines,
>> update itself, and so on. I haven't tried creating containers yet, which might
>> reveal more things to add.
>
> This commit message is somewhat unorthodox. :-)
>
> Perhaps it can be shortened to:
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.

I suppose. Personally I dislike the changelog style commit messages, but
when in Rome…

>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>> +;; permissions, and when it doesn't have permission it will still send an
>> +;; audit message to your system logs. This lets you know what permissions it
>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>> +;; to translate that policy into CIL in order to update this file, but that's
>> +;; fairly straight-forward. Annoying, but easy.
>
> I'm not sure about the second paragraph. It's mainly a rehash of the
> blog post, no? And there are many other ways to go about
> troubleshooting SELinux (I did not use ausearch at all).

True. I just wanted a quick summary somewhere in the source so that
future us won't have to rely on a random blog post, even one from Dan
Walsh.

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 666e5677a3..b5909f1b18 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -84,6 +84,9 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + guix_store_content_t
> + (lnk_file (read)))

This one is a little unusual; is your service file symlinked or something?

> (allow init_t
> guix_store_content_t
> (file (open read execute)))
> @@ -166,6 +169,9 @@
> (allow guix_daemon_t
> root_t
> (dir (mounton)))
> + (allow guix_daemon_t
> + guix_daemon_socket_t
> + (sock_file (unlink)))

That shouldn't be a problem, though we don't have any other rules for
guix_daemon_socket_t. Possibly that is because my socket file is labeled
guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
correctly when created, and hasn't been relabeled since.

> (allow guix_daemon_t
> fs_t
> (filesystem (getattr)))
> @@ -348,7 +354,12 @@
> getopt setopt)))
> (allow guix_daemon_t
> self
> - (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
> + (netlink_route_socket (read write)))
> + (allow guix_daemon_t
> + self
> + (tcp_socket (accept
> + listen bind connect create read write
> + setopt getopt getattr ioctl)))

These are fine; in fact I discovered these myself this morning and was
going to send a patch.

> Can you test these additional changes on Fedora?

Yes, I'll let you know if there are any problems. Also, I'll investigate
the socket file some more.

>
> With this, I no longer have to go through 'guix pack' and 'podman' to
> run Guix packages on my RHEL workstation! :-)

Ideal :)

>
> Also, is it OK to add you to the list of contributors at the top of the
> file with this name and address?

Certainly.

db48x
Marius Bakke wrote on 12 Nov 2020 23:19
To: Daniel Brooks <db48x@db48x.net>, 44549@debbugs.gnu.org
87tutub4l9.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

>> Daniel Brooks <db48x@db48x.net> writes:
>>
>>> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>>> From: Daniel Brooks <db48x@db48x.net>
>>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>>
>>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>>> everything that guix-daemon needs, but it's probably most of them. It can
>>> search for, install, upgrade, and remove packages, create virtual machines,
>>> update itself, and so on. I haven't tried creating containers yet, which might
>>> reveal more things to add.
>>
>> This commit message is somewhat unorthodox. :-)
>>
>> Perhaps it can be shortened to:
>>
>> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
>> guix-daemon to account for daemon updates and newer SELinux.
>
> I suppose. Personally I dislike the changelog style commit messages, but
> when in Rome…

It's not a very strong opinion. I think it would be fine without the
first person style.

>>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>>> +;; permissions, and when it doesn't have permission it will still send an
>>> +;; audit message to your system logs. This lets you know what permissions it
>>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>>> +;; to translate that policy into CIL in order to update this file, but that's
>>> +;; fairly straight-forward. Annoying, but easy.
>>
>> I'm not sure about the second paragraph. It's mainly a rehash of the
>> blog post, no? And there are many other ways to go about
>> troubleshooting SELinux (I did not use ausearch at all).
>
> True. I just wanted a quick summary somewhere in the source so that
> future us won't have to rely on a random blog post, even one from Dan
> Walsh.

Fair point. I can imagine a scenario when I'm stuck on a SELinux system
without an internet connection.

>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 666e5677a3..b5909f1b18 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -84,6 +84,9 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + guix_store_content_t
>> + (lnk_file (read)))
>
> This one is a little unusual; is your service file symlinked or something?

Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?

>> (allow init_t
>> guix_store_content_t
>> (file (open read execute)))
>> @@ -166,6 +169,9 @@
>> (allow guix_daemon_t
>> root_t
>> (dir (mounton)))
>> + (allow guix_daemon_t
>> + guix_daemon_socket_t
>> + (sock_file (unlink)))
>
> That shouldn't be a problem, though we don't have any other rules for
> guix_daemon_socket_t. Possibly that is because my socket file is labeled
> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
> correctly when created, and hasn't been relabeled since.

It could also be an artifact from my ancient experiments with Guix and
SELinux on this system. Perhaps we should test on a "clean" system to
verify, I can do that next week.

>> (allow guix_daemon_t
>> fs_t
>> (filesystem (getattr)))
>> @@ -348,7 +354,12 @@
>> getopt setopt)))
>> (allow guix_daemon_t
>> self
>> - (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
>> + (netlink_route_socket (read write)))
>> + (allow guix_daemon_t
>> + self
>> + (tcp_socket (accept
>> + listen bind connect create read write
>> + setopt getopt getattr ioctl)))
>
> These are fine; in fact I discovered these myself this morning and was
> going to send a patch.
>
>> Can you test these additional changes on Fedora?
>
> Yes, I'll let you know if there are any problems. Also, I'll investigate
> the socket file some more.

Awesome, thanks a lot!

Can you "squash" the relevant changes from my patch and send a new patch
when you are done?

As a side note, I've seen a couple other audit messages from
guix-daemon, although they don't seem to cause a problem in
practice.

type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0

Not sure what that's about.

Daniel Brooks wrote on 13 Nov 2020 00:56
To: Marius Bakke <marius@gnu.org>, 44549@debbugs.gnu.org
87eeky6sfd.fsf@db48x.net
Marius Bakke <marius@gnu.org> writes:

>>> + (allow init_t
>>> + guix_store_content_t
>>> + (lnk_file (read)))
>>
>> This one is a little unusual; is your service file symlinked or something?
>
> Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
> to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?

That was it. Not sure how I left that one out, in fact.

>>> + (allow guix_daemon_t
>>> + guix_daemon_socket_t
>>> + (sock_file (unlink)))
>>
>> That shouldn't be a problem, though we don't have any other rules for
>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>> correctly when created, and hasn't been relabeled since.
>
> It could also be an artifact from my ancient experiments with Guix and
> SELinux on this system. Perhaps we should test on a "clean" system to
> verify, I can do that next week.

Ok, I figured this one out. When the socket file is created it is
labeled as guix_daemon_conf_t, but the filecon rules will cause that to
be relabeled to guix_daemon_socket_t at some point in the future. When
the guix-daemon process stops it tries to delete the socket file, but
can't. I'll go ahead and include the rule.

> Can you "squash" the relevant changes from my patch and send a new patch
> when you are done?

Will do.

>
> As a side note, I've seen a couple other audit messages from
> guix-daemon, although they don't seem to cause a problem in
> practice.
>
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
> permissive=0

The first two are already covered by the new policy, and the third is
inconsequential. The kernel checks on our behalf to see if our child
processes are allowed to inherit our signal state. That's usually
disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
the logs; you probably had that disabled. I'm not going to add a rule
allowing that one; it would just cause accidents.

db48x
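The manual step the thread keeps repeating, reading AVC denials and translating them into CIL rules for guix-daemon.cil.in, as an added example that is not code from the Guix project or from either participant. It takes the three audit records quoted above as constructed sample input, collapses the duplicate, strips the `guix_daemon.` block prefix (assuming the policy's rules sit inside a CIL `(block guix_daemon ...)`, which is why the log says `guix_daemon.guix_daemon_t` while the rules say `guix_daemon_t`), and turns exec inheritance permissions such as `siginh` into `dontaudit` rules rather than `allow` rules, following the reasoning in the message above.

```python
"""Turn SELinux AVC denial records into CIL rules for guix-daemon.cil.in.

Added example, not code from the Guix project or this thread. Assumes the
policy's rules live inside a CIL (block guix_daemon ...), which is why the
audit log shows guix_daemon.guix_daemon_t while the rules say guix_daemon_t.
"""
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the thread,
# including the duplicate record, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
"""

# Exec-time inheritance checks the kernel performs on the parent's behalf.
# Policies dontaudit these rather than allow them (the thread's siginh case).
INHERIT_PERMS = {"siginh", "rlimitinh", "noatsecure"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def type_of(context, block=None):
    """Return the type field of a user:role:type:level context, dropping the
    CIL block prefix when the type belongs to the block being edited."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    t = parts[2]
    if block and t.startswith(block + "."):
        t = t[len(block) + 1:]
    return t


def parse_avc(text, block=None):
    """Collect denied permissions keyed by (source type, target type, class).
    Repeated records collapse into one entry; non-AVC lines are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"], block),
               type_of(m["tcontext"], block),
               m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def to_cil(rules):
    """Render CIL in the layout guix-daemon.cil.in uses. Inheritance
    permissions go into dontaudit rules instead of allow rules, so the
    generated policy silences the noise without widening what is granted."""
    allow, dontaudit = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = "self" if src == tgt else tgt
        grant = sorted(perms - INHERIT_PERMS)
        quiet = sorted(perms & INHERIT_PERMS)
        if grant:
            allow.append(f"(allow {src}\n       {tgt}\n"
                         f"       ({cls} ({' '.join(grant)})))")
        if quiet:
            dontaudit.append(f"(dontaudit {src}\n           {tgt}\n"
                             f"           ({cls} ({' '.join(quiet)})))")
    return allow, dontaudit


if __name__ == "__main__":
    allow, dontaudit = to_cil(parse_avc(SAMPLE_AVC, block="guix_daemon"))
    print("\n".join(allow + dontaudit))
```

Feeding it `ausearch -m avc --raw` output instead of the sample gives a first draft of rules that still has to be read against the existing policy before anything is added to the file.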
Marius Bakke wrote on 13 Nov 2020 15:52
Re: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
To: Daniel Brooks <db48x@db48x.net>, 44549@debbugs.gnu.org
87r1oxb96j.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

>>>> + (allow guix_daemon_t
>>>> + guix_daemon_socket_t
>>>> + (sock_file (unlink)))
>>>
>>> That shouldn't be a problem, though we don't have any other rules for
>>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>>> correctly when created, and hasn't been relabeled since.
>>
>> It could also be an artifact from my ancient experiments with Guix and
>> SELinux on this system. Perhaps we should test on a "clean" system to
>> verify, I can do that next week.
>
> Ok, I figured this one out. When the socket file is created it is
> labeled as guix_daemon_conf_t, but the filecon rules will cause that to
> be relabeled to guix_daemon_socket_t at some point in the future. When
> the guix-daemon process stops it tries to delete the socket file, but
> can't. I'll go ahead and include the rule.

OK.

>> As a side note, I've seen a couple other audit messages from
>> guix-daemon, although they don't seem to cause a problem in
>> practice.
>>
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
>> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
>> permissive=0
>
> The first two are already covered by the new policy, and the third is
> inconsequential. The kernel checks on our behalf to see if our child
> processes are allowed to inherit our signal state. That's usually
> disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
> the logs; you probably had that disabled. I'm not going to add a rule
> allowing that one; it would just cause accidents.

Thanks for investigating.

Interestingly, after updating the system (both RHEL8 and Guix) and
rebooting, I got new SELinux troubles!

I had to add these additional rules to make guix-daemon start again:
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 47fd12a214..3e254a2187 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -86,12 +86,15 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ self
+ (process (execmem)))
(allow init_t
guix_store_content_t
(lnk_file (read)))
(allow init_t
guix_store_content_t
- (file (open read execute)))
+ (file (open read execute execute_no_trans map)))
;; guix-daemon needs to know the names of users
(allow guix_daemon_t
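Review bot: both new permissions are granted to init_t, not guix_daemon_t, which means the process that hit these denials was still running as init_t: the transition to guix_daemon_t never happened for whatever systemd executed. Widening init_t with `execmem` and with `execute_no_trans map` on guix_store_content_t papers over that, and `execute_no_trans` in particular lets PID 1 run any store-labelled file without leaving its own domain, which is exactly the confinement this policy exists to provide. The fix belongs on the transition side, making sure the file systemd actually invokes is labelled as the daemon's entrypoint so that executing it lands in guix_daemon_t, rather than on init_t. The `map` permission by itself is legitimate on newer kernels, where mmap of an executable is checked separately from execute, but it should then be added to the rule for the entrypoint type, not to an init_t rule.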
Do these look sane to you? I can squash them into the commit if so.

Daniel Brooks wrote on 13 Nov 2020 16:34
To: Marius Bakke <marius@gnu.org>, 44549@debbugs.gnu.org
87v9e95l03.fsf@db48x.net
Marius Bakke <marius@gnu.org> writes:

> Interestingly, after updating the system (both RHEL8 and Guix) and
> rebooting, I got new SELinux troubles!
>
> I had to add these additional rules to make guix-daemon start again:
>
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 47fd12a214..3e254a2187 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -86,12 +86,15 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + self
> + (process (execmem)))

At some point we should track down why that one is necessary, perhaps
Guile has a JIT compiler or something?

> (allow init_t
> guix_store_content_t
> - (file (open read execute)))
> + (file (open read execute execute_no_trans map)))

This one looks pretty suspicious. I think it would allow any file
labeled guix_store_content_t to run in the init_t domain? We wouldn't
want that.

db48x
Marius Bakke wrote on 13 Nov 2020 16:59
To: Daniel Brooks <db48x@db48x.net>, 44549@debbugs.gnu.org
87ima9b62v.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> Marius Bakke <marius@gnu.org> writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?

>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.

Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds
for this?

Are you testing with the latest version of guix-daemon?

Daniel Brooks wrote on 14 Nov 2020 17:49
[PATCH v4] doc: add a note about relabeling after upgrades to the guix daemon
To: 44549@debbugs.gnu.org
87a6vj6fzd.fsf@db48x.net
From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Sat, 14 Nov 2020 08:04:30 -0800
Subject: [PATCH v4] doc: add a note about relabeling after upgrades to the
SELinux Support section of the manual

* doc/guix.texi (SELinux Support): add note about upgrades
---
doc/guix.texi | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8440ffffc7..67f5155b9f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1398,6 +1398,11 @@ install and run it, which lifts it into the @code{guix_daemon_t} domain.
At that point SELinux could not prevent it from accessing files that are
allowed for processes in that domain.
+You will need to relabel the @file{/gnu} directory after all upgrades to
+@file{guix-daemon}, such as with @code{guix pull}. You can do this with
+@code{restorecon -vR /gnu}, or by other means provided by your operating
+system.
+
We could generate a much more restrictive policy at installation time,
so that only the @emph{exact} file name of the currently installed
@code{guix-daemon} executable would be labelled with
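Review bot: the new paragraph writes the daemon as `@file{guix-daemon}` while the context two lines below refers to the same program as `@code{guix-daemon}`; the section should use one markup for it (the existing `@code{}`, or `@command{}` for a program name) rather than mixing the two. It would also help to state what goes wrong when the relabel is skipped, since the surrounding text only discusses the attack scenario: after `guix pull` the new daemon's files sit in the store without the labels the policy expects, and the thread's own experience on RHEL8 after updating shows the daemon can then fail to start under the policy until `restorecon -vR /gnu` has run.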
--
2.26.2
Marius Bakke wrote on 15 Nov 2020 23:18
87y2j29sc6.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Sat, 14 Nov 2020 08:04:30 -0800
> Subject: [PATCH v4] doc: add a note about relabeling after upgrades to the
> SELinux Support section of the manual
>
> * doc/guix.texi (SELinux Support): add note about upgrades

I reworded this slightly and pushed to 'master'.

Marius Bakke wrote on 15 Nov 2020 23:19
Re: [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy
87v9e69sa8.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> This update adds a filecon rule for the guix-daemon shell script in the store.
>
> From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.
>
> I can't promise that this is a complete list of everything that guix-daemon
> needs, but it's probably most of them. It can search for, install, upgrade,
> and remove packages, create virtual machines and containers, update itself,
> and so on.

Pushed to the 'version-1.2.0' branch, which will show up on 'master'
eventually. Thank you!

Closed