From: Gerry Agbobada
Subject: Guix SELinux issues
Date: Sun, 5 May 2019 23:07:06 +0200
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello everyone,

I tried today to install Guix on my Fedora 30 machine with the binary sh
script installer. The policy for guix-daemon wasn't installed by default
with this script (as far as I understand), so rekado on freenode told me
about the .cil file I could fill with the correct placeholder values.

Here is a short report of my adventures. I am not 100% sure it's going to
be reproducible, since I am not that good with SELinux in general. It is
a little lengthy because I tried to include relevant logs when I could.

Short version is: "selinux is hard and has almost no support channels.
guix-daemon.cil apparently just needs lnk_file permissions somewhere to
be usable out of the box"

* Intro

Whenever I say "activate/deactivate" SELinux, I mean =# setenforce (1|0)=

* guix_store_content_t is not a file_type

** Issue

When I deactivate SELinux to start the daemon, and later reactivate it,
the files can't be read by the guix-daemon. I assumed (thanks to the
SELinux helper applet) that I needed to restorecon the whole store, but
when I tried I had errors because the types in the .cil policy are not
file_type attributes.

So the restorecon on /gnu/store is actually the first operation for which
I have some logs (I forgot to keep the logs when I just ran the daemon
with the .cil file).

** SEApplet summary of the issue

In French (translated to English here), but it basically states that
guix_daemon.guix_store_content_t is not a valid **file_type**

#+BEGIN_SRC text
SELinux is preventing restorecon from using the relabelto access on the
file 1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1.

*****  Plugin associate (99.5 confidence) suggests  ******************

If you want to change the label of
1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1 to
guix_daemon.guix_store_content_t, which is not allowed because it is
not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type. List valid file labels by executing:
# seinfo -afile_type -x
#+END_SRC

** State of seinfo after running the initial semodule -i guix-daemon.cil

#+BEGIN_SRC text
# seinfo -t -x | grep guix
   type guix_daemon.guix_daemon_conf_t;
   type guix_daemon.guix_daemon_exec_t, domain, pcmcia_typeattr_1;
   type guix_daemon.guix_daemon_socket_t;
   type guix_daemon.guix_daemon_t, domain, pcmcia_typeattr_1;
   type guix_daemon.guix_profiles_t;
   type guix_daemon.guix_store_content_t;
# seinfo -afile_type -x | grep guix
[No output]
#+END_SRC

** Added a few lines to the cil policy file to be able to restorecon and relabel

The patch is at the end of the mail, look for ---
After this and =semodule -i=, I am able to restorecon on the files and
have a correct state there.

* Error on startup

** Issue

When SELinux is active, =systemctl start guix-daemon= fails because
SELinux forbids (x-daemon) to use read access on lnk_file. I don't know
what this 'x-daemon' stuff is, it is not in my path, and there is no man
page.

#+BEGIN_SRC text
SELinux is preventing (x-daemon) from using the read access on the
lnk_file guix-daemon.

Plugin: catchall

SELinux denied access requested by (x-daemon). It is not expected that
this access is required by (x-daemon) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

If you believe that (x-daemon) should be allowed read access on the
guix-daemon lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c "(x-daemon)" --raw | audit2allow -M my-xdaemon
# semodule -X 300 -i my-xdaemon.pp
#+END_SRC

** Bug in the suggested solution

There is a compilation error when I try the suggested fix

#+BEGIN_SRC text
> sudo ausearch -c "(x-daemon)" --raw | sudo audit2allow -M my-xdaemon
compilation failed:
libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist, guix_daemon.guix_store_content_t is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
#+END_SRC

* Workarounds

The obvious one is killing SELinux. And since I'm doing this, I won't be
able to help much more on the subject.

Another one which seemed to work: since I saw the issue was apparently
because of symlinks (lnk_file), I tried to run the command in the
ExecStart of the service with sudo in a terminal (so
sudo /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild)
and everything seemed to work (I could guix pull, guix install
glibc-locales and I saw the connections being accepted in the daemon
terminal too).

* Patch

c0c82d8f was the commit I used from guix-daemon.cil.in

---
diff --git a/guix-daemon.cil.in b/guix-daemon.cil
index 7b882fe..7a7d374 100644
--- a/guix-daemon.cil.in
+++ b/guix-daemon.cil
@@ -34,14 +34,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
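Review bot: the five added typeattributeset lines in this hunk are the right fix for the relabelto failure (only types carrying file_type can be restorecon targets), but spreading one statement per type is noisier than the existing style two lines below, which groups types into a set; a single
(typeattributeset file_type (guix_daemon_conf_t guix_daemon_exec_t guix_daemon_socket_t guix_store_content_t guix_profiles_t))
placed next to (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) keeps all attribute assignments together. While there, note that the trailing context (and the seinfo listing in the report) shows guix_daemon_exec_t is also in domain, so after this hunk the entrypoint file type is both a process domain and a file type; worth checking that is intended. Also, the file header shows the edit was made to the generated guix-daemon.cil rather than guix-daemon.cil.in, so it will be lost on the next regeneration unless it is carried into the .in template.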
@@ -261,25 +266,25 @@ (udp_socket (ioctl create))) ;; Label file system - (filecon "@guix_sysconfdir@/guix(/.*)?" + (filecon "/etc/guix(/.*)?" any (system_u object_r guix_daemon_conf_t (low low))) - (filecon "@guix_localstatedir@/guix(/.*)?" + (filecon "/var/guix(/.*)?" any (system_u object_r guix_daemon_conf_t (low low))) - (filecon "@guix_localstatedir@/guix/profiles(/.*)?" + (filecon "/var/guix/profiles(/.*)?" any (system_u object_r guix_profiles_t (low low))) (filecon "/gnu" dir (unconfined_u object_r guix_store_content_t (low low))) - (filecon "@storedir@(/.+)?" + (filecon "/gnu/store(/.+)?" any (unconfined_u object_r guix_store_content_t (low low))) - (filecon "@storedir@/[^/]+/.+" + (filecon "/gnu/store/[^/]+/.+" any (unconfined_u object_r guix_store_content_t (low low))) - (filecon "@prefix@/bin/guix-daemon" + (filecon "/usr/bin/guix-daemon" file (system_u object_r guix_daemon_exec_t (low low))) - (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon" + (filecon "/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon" file (system_u object_r guix_daemon_exec_t (low low))) - (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate" + (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix-authenticate" file (system_u object_r guix_daemon_exec_t (low low))) - (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?" + (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix/(.*)?" any (system_u object_r guix_daemon_exec_t (low low))) - (filecon "@guix_localstatedir@/guix/daemon-socket/socket" - any (system_u object_r guix_daemon_socket_t (low low)))) \ No newline at end of file + (filecon "/var/guix/daemon-socket/socket" + any (system_u object_r guix_daemon_socket_t (low low)))) Best regards, Gerry (@gagbo)
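Review bot: this hunk hard-codes the @prefix@, @storedir@, @guix_sysconfdir@ and @guix_localstatedir@ placeholders to /usr, /gnu/store, /etc and /var, which is the substitution the build performs into guix-daemon.cil, so it must not be committed to the .in template; more importantly, the resulting "/usr/bin/guix-daemon" filecon labels a path that the binary install in this report does not use. The ExecStart quoted under Workarounds runs /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon, which falls under the "/var/guix/profiles(/.*)?" rule (guix_profiles_t) and goes through the current-guix link, consistent with the lnk_file read denial in the startup section. Suggest adding a filecon for that path (or substituting it for @prefix@ when generating the .cil for a binary install) and re-running restorecon on /var/guix before retrying systemctl start guix-daemon. Restoring the missing trailing newline at the end of the file is fine.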
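The denial-to-rule step that the sealert suggestion above automates, and that failed here because audit2allow's .te output cannot name the guix_daemon.* types, as an added Python example that is not part of the mail or of Guix: it parses raw AVC records into CIL (allow ...) statements, which can reference the namespaced types by their qualified names. The AVC lines are constructed for the example (not captured logs); the init_t source context for the pre-exec child and loading the output as a standalone .cil with semodule -i are assumptions.

```python
"""Turn raw AVC denials into CIL allow rules.

Added example for this thread, not code from the mail or from Guix. It
does offline what `audit2allow` does, but renders CIL instead of a .te
module: guix-daemon.cil declares its types inside a block, so from another
module they are reached by the qualified names seen in the report
(guix_daemon.guix_daemon_t, ...), which the .te path rejects with
"guix_daemon doesn't exist, guix_daemon.guix_store_content_t is an orphan".
Every line in SAMPLE_AUDIT is constructed for the example, not a real log.
"""
import re
from collections import defaultdict

# One AVC record as `ausearch --raw` / audit.log prints it; we only need the
# permission set, the two security contexts and the target object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample (assumption, not from the report): a systemd pre-exec
# child, still init_t, following the current-guix profile link, then the
# daemon itself reading and stat-ing a symlink inside the store. The SYSCALL
# record is there to show that non-AVC records are ignored.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1557090428.101:301): avc:  denied  { read } for  pid=2310 '
    'comm="(x-daemon)" name="current-guix" dev="dm-0" ino=4195 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:guix_daemon.guix_profiles_t:s0 tclass=lnk_file permissive=0',
    'type=SYSCALL msg=audit(1557090428.101:301): arch=c000003e syscall=59 success=no exit=-13',
    'type=AVC msg=audit(1557090428.102:302): avc:  denied  { read } for  pid=2311 '
    'comm="guix-daemon" name="guix-daemon" dev="dm-0" ino=9912 '
    'scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 '
    'tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1557090428.103:303): avc:  denied  { getattr } for  pid=2311 '
    'comm="guix-daemon" name="guix-daemon" dev="dm-0" ino=9912 '
    'scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 '
    'tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0 tclass=lnk_file permissive=0',
]


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range, if any, comes after)."""
    return ctx.split(":")[2]


def parse_denials(lines):
    """Collapse AVC lines into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH ... records carry no access decision
        key = (context_type(m["sctx"]), context_type(m["tctx"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def namespaced_types(rules):
    """Types written block.type: these are why a plain .te module fails here."""
    found = set()
    for src, tgt, _cls in rules:
        found.update(t for t in (src, tgt) if "." in t)
    return sorted(found)


def to_cil(rules):
    """One (allow src tgt (class (perms))) per key, in deterministic order."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )


if __name__ == "__main__":
    rules = parse_denials(SAMPLE_AUDIT)
    print("types needing a CIL module:", ", ".join(namespaced_types(rules)))
    print(to_cil(rules))
    # Assumption: save the output as e.g. guix-daemon-local.cil and load it
    # with `semodule -i guix-daemon-local.cil`, after reviewing every rule;
    # like audit2allow, this grants exactly what the denials asked for.
```

The rules are keyed on (source type, target type, class) so repeated denials for the same pair collapse into one statement with the union of permissions, which is what you want to review before loading anything; unlike audit2allow, nothing here widens a rule beyond the permissions actually denied.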