CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

Status: Open
Participants: josephenry, Ludovic Courtès, Ricardo Wurmus
Owner: unassigned
Submitted by: josephenry
Severity: normal
josephenry wrote on 24 Apr 2021 02:10
To: bug-guix@gnu.org
Message-ID: aHdNQzRD7qF7mZCxacFtrCibmMiqR2P6eGEsOgxEymBkBme2zRhKsb6wYWOOBk_xfnBGD89M2Gg43TZDTA2Qlmf6joutTRd0VG7FG6Fho8U=@protonmail.com
Hi,

I am starting with Guix and I just installed it on a CentOS Linux 8 x86_64 (kernel 4.18.0-240.15.1.el8_3.x86_64)

It went well but the daemon service exited and I couldn't install a package:

$ sudo systemctl status guix-daemon.service
● guix-daemon.service - Build daemon for GNU Guix
Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2021-04-24 01:44:16 CEST; 16min ago
Process: 92489 ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild (code=exited, status=203/EXEC)
Main PID: 92489 (code=exited, status=203/EXEC)

Apr 24 01:44:16 localhost.localdomain systemd[1]: Started Build daemon for GNU Guix.
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Failed with result 'exit-code'.

I found this similar Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1433971

It seems to be related to the SELinux policy.

// ----------------------------------------------------------------------------

I ran:

$ journalctl -t setroubleshoot
Apr 24 01:30:30 localhost.localdomain setroubleshoot[92081]: AnalyzeThread.run(): Set alarm timeout to 10
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: Deleting alert f25667a8-16fa-447b-8df1-8bd6a8cddc10, it is allowed in current policy
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: AnalyzeThread.run(): Cancel pending alarm
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon. For complete SELinux messages run: sealert -l f4db012c-2639-4a2a-80>
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

$ sudo sealert -l f4db012c-2639-4a2a-809a-023ba4accbfd
SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed execute access on the guix-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sesinetd' --raw | audit2allow -M my-sesinetd
# semodule -X 300 -i my-sesinetd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects guix-daemon [ file ]
Source sesinetd
Source Path /usr/bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-239-41.el8_3.2.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-03-20 21:06:10 CET
Last Seen 2021-04-24 01:44:16 CEST
Local ID f4db012c-2639-4a2a-809a-023ba4accbfd

Raw Audit Messages
type=AVC msg=audit(1619221456.618:467): avc: denied { execute } for pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1619221456.618:467): arch=x86_64 syscall=execve success=no exit=EACCES a0=5609e6745860 a1=5609e6600e20 a2=5609e66a8720 a3=2d646c6975622d2d items=0 ppid=1 pid=92489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(x-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: sesinetd,init_t,user_tmp_t,file,execute

// ----------------------------------------------------------------------------

I tried executing the commands provided by SELinux to allow the access but it doesn't work and I don't really understand how it works.

Also on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist so I don't know how to run the command.

Has anyone gotten to run guix on a CentOS with SELinux enabled?

Any help would be greatly appreciated!

Thanks

Joseph
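An added example, not part of this report or of Guix, showing how a responder can triage the two records quoted above: it parses the raw AVC line and the `status=203/EXEC` fragment from `systemctl status`, and points out that the denied target carries a temporary-file type rather than an executable one, which is what a later `restorecon` step fixes. The sample records are the ones from this message (constructed as string literals here); the function names are my own, and the `SYSTEMD_EXIT` table lists only a few of systemd's documented pre-exec exit statuses.

```python
"""Triage helpers for a systemd unit that fails with status=203/EXEC because
SELinux denied execve(): parse the raw AVC record and the unit status line.
Added example; sample records are the ones quoted in this bug report."""
import re
from dataclasses import dataclass

# Constructed sample input: the AVC record and the systemctl line quoted above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1619221456.618:467): avc: denied { execute } for '
    'pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'
)
SAMPLE_STATUS = (
    'Process: 92489 ExecStart=/var/guix/profiles/per-user/root/current-guix/'
    'bin/guix-daemon --build-users-group=guixbuild (code=exited, status=203/EXEC)'
)

# A few of systemd's own exit statuses for failures that happen before the
# service binary runs (systemd.exec(5), "Process Exit Codes"); 203 = execve() failed.
SYSTEMD_EXIT = {
    200: ('CHDIR', 'could not change to WorkingDirectory='),
    203: ('EXEC', 'execve() of the ExecStart= binary failed'),
    216: ('GROUP', 'could not set Group='),
    217: ('USER', 'could not set User='),
    229: ('SELINUX_CONTEXT', 'could not apply SELinuxContext='),
}


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    permissions: tuple
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


_AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="(x-daemon)") or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one raw 'type=AVC ... avc: denied {...}' record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        raise ValueError('not an AVC denial record')
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return AvcDenial(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        permissions=tuple(m.group('perms').split()),
        pid=int(kv['pid']),
        comm=kv.get('comm', ''),
        name=kv.get('name', ''),
        scontext=kv['scontext'],
        tcontext=kv['tcontext'],
        tclass=kv['tclass'],
        permissive=kv.get('permissive') == '1',
    )


def context_type(ctx):
    """Type field of a user:role:type[:level] context, e.g. 'user_tmp_t'."""
    return ctx.split(':')[2]


def parse_unit_status(line):
    """(status, name) from a systemctl 'status=203/EXEC' fragment, else None."""
    m = re.search(r'status=(\d+)/(\w+)', line)
    return (int(m.group(1)), m.group(2)) if m else None


def triage(avc_line, status_line):
    """Return the findings a responder would want from the two records."""
    d = parse_avc(avc_line)
    findings = []
    st = parse_unit_status(status_line)
    if st and st[0] in SYSTEMD_EXIT:
        findings.append('unit: systemd status %d/%s: %s'
                        % (st[0], st[1], SYSTEMD_EXIT[st[0]][1]))
    findings.append('avc: %s denied %s on %s "%s" (labelled %s)' % (
        context_type(d.scontext), ','.join(d.permissions), d.tclass, d.name,
        context_type(d.tcontext)))
    # The give-away in this report: the daemon binary carries a temp-file type,
    # not an executable type, and the base policy does not let init_t run those.
    if ('execute' in d.permissions and d.tclass == 'file'
            and context_type(d.tcontext).endswith('_tmp_t')):
        findings.append('label: target has a temporary-file type; it was probably '
                        'created or unpacked under /tmp and then moved, keeping '
                        'that label until relabelled with restorecon')
    if d.permissive:
        findings.append('note: permissive=1, the access was logged but not blocked')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_AVC, SAMPLE_STATUS):
        print(f)
```

Run it as a script to see the three findings for this report; the `label:` finding is the one that distinguishes a mislabelled file (fixed by relabelling) from a genuinely missing policy rule (fixed by a policy module).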
Ludovic Courtès wrote on 28 Apr 2021 23:32
To: josephenry <josephenry@protonmail.com>, 47985@debbugs.gnu.org
Message-ID: 87sg3ap01v.fsf@gnu.org
Hi,

josephenry <josephenry@protonmail.com> writes:

> Also on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist so I don't know how to run the command.
>
> Has anyone gotten to run guix on a CentOS with SELinux enabled?

I’m not familiar with SELinux, but the .cil file is available in Guix
itself:

```
$ wget -qO - https://ftp.gnu.org/gnu/guix/guix-binary-1.2.0.x86_64-linux.tar.xz | xz -d | tar tv | grep '\.cil'
-r--r--r-- root/root 13492 1970-01-01 01:00 ./gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
```

Hope this helps!

Ludo’.
josephenry wrote on 26 May 2021 23:55
To: 47985@debbugs.gnu.org
Message-ID: bzJoJo0SaQXEKnneFwwvjehgknaIX-60n_QbVUPM6pMIlPNrK9YcXdcZyauf9EOE7szz063Pjok6Uhqz7rT6ApaRND9Fa46PHLt7Q00tXtM=@protonmail.com
Hi Ludo,

Thanks for your answer and sorry for the late response!

Actually I did:

```
sudo semodule -i /gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
```

and then tried to use restorecon as stated in the doc:

```
sudo restorecon /gnu
```

but restarting guix didn't work, I am probably not doing it the right way...

What does that mean in the documentation:

> Then relabel the file system with restorecon or by a different mechanism provided by your system.

Can someone provide some explanation about this?

Thanks
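An added example, not from Guix or from this thread, of what the documentation's "relabel the file system" step does: `restorecon` looks each path up in the policy's file_contexts specs and rewrites the on-disk label wherever it differs from the spec's context. Installing the module with `semodule -i` adds its file-context specs to the policy but does not touch existing files, so until the store is relabelled the binaries keep the label they were created with. The specs and the `guix_*` type names below are constructed stand-ins (the real ones are in guix-daemon.cil, which this code does not read), and the current-label snapshot is modelled on the AVC record in the first message.

```python
"""What 'relabel the file system with restorecon' means, in miniature: match
each path against file_contexts-style specs, take the winning spec's context,
and compare it with the label the file currently carries.  Added example; the
specs and type names are constructed stand-ins, not Guix's own policy."""
import re

# Constructed specs in file_contexts layout: (regex, file type, context).
# file type: None = any object, '--' regular file, '-d' directory, '-l' symlink.
# The guix_* type names are hypothetical, not taken from guix-daemon.cil.
SPECS = [
    (r'/.*',                                          None, 'system_u:object_r:default_t:s0'),
    (r'/tmp(/.*)?',                                   None, 'system_u:object_r:tmp_t:s0'),
    (r'/gnu(/.*)?',                                   None, 'system_u:object_r:guix_store_t:s0'),
    (r'/gnu/store/[^/]+-guix-[^/]+/bin/guix-daemon',  '--', 'system_u:object_r:guix_daemon_exec_t:s0'),
    (r'/var/guix/profiles(/.*)?',                     None, 'system_u:object_r:guix_profile_t:s0'),
]
# Specs are anchored at both ends, as setfiles/restorecon treat them.
_COMPILED = [(re.compile('^(?:%s)$' % rx), ft, ctx) for rx, ft, ctx in SPECS]


def expected_context(path, ftype='--'):
    """Context the policy wants for `path`, or None if no spec matches.
    The last matching spec wins, which gives 'most specific wins' when the list
    is ordered general to specific as above (libselinux sorts its specs so that
    the same holds for real file_contexts files)."""
    for rx, ft, ctx in reversed(_COMPILED):
        if ft is not None and ft != ftype:
            continue
        if rx.match(path):
            return ctx
    return None


def relabel_plan(current):
    """current: {path: (ftype, context)} as `ls -Z` would report it.
    Returns [(path, old, new)] for every object restorecon would relabel."""
    plan = []
    for path, (ftype, ctx) in sorted(current.items()):
        want = expected_context(path, ftype)
        if want is not None and want != ctx:
            plan.append((path, ctx, want))
    return plan


# Constructed snapshot modelled on this report: the store was unpacked via /tmp,
# so the daemon binary still carries user_tmp_t, which init_t may not execute.
STORE = '/gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0'
CURRENT_LABELS = {
    STORE + '/bin/guix-daemon': ('--', 'unconfined_u:object_r:user_tmp_t:s0'),
    STORE + '/share/selinux/guix-daemon.cil': ('--', 'unconfined_u:object_r:user_tmp_t:s0'),
    '/var/guix/profiles/per-user/root/current-guix': ('-l', 'system_u:object_r:guix_profile_t:s0'),
    '/tmp/scratch': ('--', 'system_u:object_r:tmp_t:s0'),
}

if __name__ == '__main__':
    for path, old, new in relabel_plan(CURRENT_LABELS):
        print('relabel %s: %s -> %s' % (path, old, new))
```

The symlink and the scratch file already match their specs and are left alone; only the two store files, which still carry the temporary-file label, would be rewritten. Note the file-type filter: the `--` spec for the daemon binary applies to regular files only, so a symlink at the same path would fall back to the broader `/gnu(/.*)?` entry.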
Ricardo Wurmus wrote on 14 Feb 2023 12:54
CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix
To: 47985@debbugs.gnu.org
Message-ID: 87v8k4lauk.fsf@elephly.net
Hi,

the cil file has been updated to work with a more recent base policy as
provided by current Fedora releases. We also updated the documentation
to make the relabeling step a little clearer.

Does this solve your problem?

--
Ricardo