* SELinux log
@ 2019-06-04 21:28 Laura Lazzati
2019-06-05 9:39 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-04 21:28 UTC (permalink / raw)
To: Guix-devel
Hi Guix!
Today I've been installing Guix on top of Fedora (relase30), and I
faced issues with guix-daemon, getting it did not have permissions for
running. It was a SELinux problem, since after disabling it and
restarting the daemon I could use guix normally.
Here is my audit.log file, in case someone is interested. AFAIK I
don't see anything terrible.
Regards :)
Laura
<------------------------------------start here
----------------------------------------------->
type=USER_START msg=audit(1559677185.958:270): pid=3429 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix
acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0
res=success'^]UID="root" AUID="laura"
type=USER_AUTH msg=audit(1559677185.980:271): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_rootok acct="root"
exe="/usr/bin/su" hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=USER_ACCT msg=audit(1559677185.980:272): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_succeed_if acct="root"
exe="/usr/bin/su" hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=CRED_ACQ msg=audit(1559677185.984:273): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=USER_START msg=audit(1559677186.010:274): pid=3435 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask
acct="root" exe="/usr/bin/su" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=SERVICE_STOP msg=audit(1559677213.721:275): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=ADD_GROUP msg=audit(1559677295.645:276): pid=3555 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-group id=976 exe="/usr/sbin/groupadd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="guixbuild"
type=GRP_MGMT msg=audit(1559677296.166:277): pid=3555 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-shadow-group id=976 exe="/usr/sbin/groupadd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="guixbuild"
type=ADD_USER msg=audit(1559677307.042:278): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user id=978 exe="/usr/sbin/useradd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="unknown(978)"
type=USER_MGMT msg=audit(1559677307.048:279): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user-to-group grp="guixbuild" acct="guixbuilder01"
exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=USER_MGMT msg=audit(1559677307.060:280): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-to-shadow-group grp="guixbuild" acct="guixbuilder01"
exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=ADD_USER msg=audit(1559677309.363:281): pid=3577 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user id=977 exe="/usr/sbin/useradd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="unknown(977)"
<------------------------------------end here
----------------------------------------------->
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-04 21:28 SELinux log Laura Lazzati
@ 2019-06-05 9:39 ` Ricardo Wurmus
2019-06-06 14:24 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-05 9:39 UTC (permalink / raw)
To: laura.lazzati.15; +Cc: guix-devel
Hi Laura,
> Today I've been installing Guix on top of Fedora (relase30), and I
> faced issues with guix-daemon, getting it did not have permissions for
> running. It was a SELinux problem, since after disabling it and
> restarting the daemon I could use guix normally.
> Here is my audit.log file […]
Thanks. Did you install the SELinux policy for the daemon that is
included in the source code repository? (It is not included in the
files that “guix pull” installs.)
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-05 9:39 ` Ricardo Wurmus
@ 2019-06-06 14:24 ` Laura Lazzati
2019-06-06 17:58 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-06 14:24 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
Hi!
> Thanks. Did you install the SELinux policy for the daemon that is
> included in the source code repository? (It is not included in the
> files that “guix pull” installs.)
My bad, I haven 't :/ Shall I put SELinux in enforcing mode and do so?
Regards :)
Laura
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-06 14:24 ` Laura Lazzati
@ 2019-06-06 17:58 ` Ricardo Wurmus
2019-06-07 1:46 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-06 17:58 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
>> Thanks. Did you install the SELinux policy for the daemon that is
>> included in the source code repository? (It is not included in the
>> files that “guix pull” installs.)
> My bad, I haven 't :/ Shall I put SELinux in enforcing mode and do so?
Permissive mode is better. It will log violations but not prevent
them. This allows us to see the details in the logs without impacting
our use of Guix.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-06 17:58 ` Ricardo Wurmus
@ 2019-06-07 1:46 ` Laura Lazzati
2019-06-07 20:46 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-07 1:46 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
Hi!
Hope to shed some light.
I followed all the steps that I hadn't followed before in the
documentation manual about SELinux for guix daemon (ran semodule,
restorecon for all the filesystem and restarted the daemon).
I forgot to set SELinux in permissive mode, so I still got the issue
with the socket.
Then I realized about this, and changed the mode. My log shows that
SELinux would have prevented the daemon from running, like when I had
it in enforcing mode:
-----------------------------------------------start
here-------------------------------------------------------
type=SERVICE_START msg=audit(1559870054.070:258): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=flatpak-system-helper comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870056.300:259): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=user@42 comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870056.340:260): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=user-runtime-dir@42 comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1559870056.930:261): avc: denied { read } for
pid=750 comm="guix-daemon" name="libnss_files.so.2" dev="dm-0"
ino=559459 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file
permissive=1
type=AVC msg=audit(1559870056.930:262): avc: denied { map } for
pid=750 comm="guix-daemon"
path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.930:263): avc: denied { execute } for
pid=750 comm="guix-daemon"
path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.937:264): avc: denied { create } for
pid=2170 comm="guix-daemon" name="reserved"
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.937:265): avc: denied { write } for
pid=2170 comm="guix-daemon" path="/var/guix/db/reserved" dev="dm-0"
ino=306296 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.940:266): avc: denied { write } for
pid=2170 comm="guix-daemon" name="db.sqlite" dev="dm-0" ino=306225
scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.950:267): avc: denied { setattr } for
pid=2170 comm="guix-daemon" name="db.sqlite-wal" dev="dm-0" ino=306376
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.950:268): avc: denied { map } for
pid=2170 comm="guix-daemon" path="/var/guix/db/db.sqlite-shm"
dev="dm-0" ino=306377 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870058.000:269): avc: denied { link } for
pid=2170 comm="guix-daemon"
name="7f1alh9qj2h0wwy2220npgnmw6pbrkwx-mirrors" dev="dm-0" ino=551918
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870058.130:270): avc: denied { rename } for
pid=2170 comm="guix-daemon" name=".tmp-link-2170-1804289383"
dev="dm-0" ino=551930 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870060.410:271): avc: denied {
execute_no_trans } for pid=2173 comm="guix-daemon"
path="/gnu/store/ncknl03pkmamrxg7q9nxi1rn1qhvwbi9-guix-1.0.1/libexec/guix/substitute"
dev="dm-0" ino=679069 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870060.886:272): avc: denied { name_connect }
for pid=2173 comm=677569782073756273746974757465 dest=443
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
permissive=1
type=SERVICE_STOP msg=audit(1559870062.620:273): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870070.140:274): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-localed comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'^]UID="root" AUID="unset"
-----------------------------------------------end
here-------------------------------------------------------
Regards!
Laura
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-07 1:46 ` Laura Lazzati
@ 2019-06-07 20:46 ` Ricardo Wurmus
2019-06-07 23:08 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-07 20:46 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> My log shows that
> SELinux would have prevented the daemon from running, like when I had
> it in enforcing mode:
Thank you, the log is helpful (even though it looks like your mail
client reformatted it, which makes it very hard to read).
Searching for “denied” we see the following classes of errors:
1) accessing libnss (for NSCD communication)
2) modifying the database
3) linking temp files (I don’t know what this is about)
4) invoking the “substitute” helper
5) connecting to the substitute servers via HTTPS
While the policy template file etc/guix-daemon.cil.in misses a couple of
labels and transitions (e.g. for database and substitute servers), I
think something’s wrong with your file labels.
The log shows me that /gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so
doesn’t have the SELinux context that I expect according to the policy
file.
The policy file template contains this rule:
(filecon "@storedir@/[^/]+/.+"
any (unconfined_u object_r guix_store_content_t (low low)))
Once configured as etc/guix-daemon.cil the rule should be
(filecon "/gnu/store/[^/]+/.+"
any (unconfined_u object_r guix_store_content_t (low low)))
I would expect that this matches
/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so.
The guix_store_content_t type is used for all files in the store. The
policy says that the daemon (which is labeled with the “guix_daemon_t”
type) can access these files using various syscalls:
--8<---------------cut here---------------start------------->8---
;; Access to store items
(allow guix_daemon_t
guix_store_content_t
(dir (reparent
create
getattr setattr
search rename
add_name remove_name
open write
rmdir)))
(allow guix_daemon_t
guix_store_content_t
(file (create
lock
setattr getattr
execute execute_no_trans
link unlink
map
rename
open read write)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
getattr setattr
link unlink
read
rename)))
--8<---------------cut here---------------end--------------->8---
According to your audit log file access using “map” (among others) was
denied, even though the policy explicitly allows it (see above):
> type=AVC msg=audit(1559870056.930:262): avc: denied { map } for
> pid=750 comm="guix-daemon"
> path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
> dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
“scontext” means “source context” (i.e. the context of the guix-daemon
process), “tcontext” means “target context” (i.e. the context of the
file). Here we see that both contexts are wrong, the one for the daemon
(“system_u:system_r:init_t:s0”) and the one for the target file
(“unconfined_u:object_r:user_tmp_t:s0”).
We want these to be “…:guix_daemon_t:…” and
“unconfined_u:object_r:guix_store_content_t:…”, respectively. (You can
check the context of a file with “ls -alZ”.)
Did you run “restorecon” on the store to recursively label all files?
Labeling files can take a long time (> 10 mins). When SELinux is
enabled and a policy is loaded it should automatically label new files
according to the policy, so perhaps these files were created while
SELinux was disabled?
I hope these comments are helpful in understanding the policy and
SELinux. If you are confused by any of this please ask and I’ll try to
explain the basic concepts you need to know to understand enough of
SELinux.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-07 20:46 ` Ricardo Wurmus
@ 2019-06-07 23:08 ` Laura Lazzati
2019-06-07 23:10 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-07 23:08 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
Hi!
> Thank you, the log is helpful (even though it looks like your mail
> client reformatted it, which makes it very hard to read).
Sorry for that :/
> Did you run “restorecon” on the store to recursively label all files?
I did, but I have just found that you are right, looking at the log
that it is not labeling properly (I am running the commands like they
are in the manual, with the proper path to the policy, and `restorecon
-r /`), weird, see:
--8<---------------cut here---------------start------------->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1
res=failed'UID="root" AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"
addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc: received policyload notice (seqno=3)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc: received policyload notice (seqno=4)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc: denied { relabelto }
for pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=dir permissive=0
type=AVC msg=audit(1559947746.787:39286): avc: denied { relabelto }
for pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---------------cut here---------------end--------------->8---
And taking a look at /gnu I get:
d?????????? ? ? ? ? ? gnu
:S
Regards :)
Laura
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-07 23:08 ` Laura Lazzati
@ 2019-06-07 23:10 ` Laura Lazzati
2019-06-07 23:12 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-07 23:10 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
Sorry, my mail client apparently hates me, it is somewhat formatting
my mails after sending them ¬¬
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-07 23:10 ` Laura Lazzati
@ 2019-06-07 23:12 ` Laura Lazzati
2019-06-08 7:03 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-07 23:12 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 1634 bytes --]
--8<---------------cut here---------------start------------->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1 res=failed'UID="root"
AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"
type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received
policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received
policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc: denied { relabelto } for
pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
permissive=0
type=AVC msg=audit(1559947746.787:39286): avc: denied { relabelto } for
pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---------------cut here---------------end--------------->8---
[-- Attachment #2: Type: text/html, Size: 1982 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-07 23:12 ` Laura Lazzati
@ 2019-06-08 7:03 ` Ricardo Wurmus
2019-06-08 14:36 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-08 7:03 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> --8<---------------cut here---------------start------------->8---
> type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=mass relabel exe="/usr/sbin/setfiles"
> hostname=localhost.localdomain addr=? terminal=pts/1 res=failed'UID="root"
> AUID="laura"
> type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
> lsm=selinux res=1AUID="laura"
>
> type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received
> policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0
> hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
> type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received
> policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0
> hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
> type=AVC msg=audit(1559947746.785:39285): avc: denied { relabelto } for
> pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0
> type=AVC msg=audit(1559947746.787:39286): avc: denied { relabelto } for
> pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
> tclass=file permissive=0
> --8<---------------cut here---------------end--------------->8---
Uhm, that’s weird, but you’re not in permissive mode, are you? What
does “getenforce” say?
To relabel your whole file system according to installed policies run
this:
touch /.autorelabel
reboot
as root. Upon rebooting all your files will be relabeled. Before doing
this better double check that the guix-daemon policy has in fact been
installed, because labeling takes a very long time.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-08 7:03 ` Ricardo Wurmus
@ 2019-06-08 14:36 ` Laura Lazzati
2019-06-08 14:50 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-08 14:36 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 469 bytes --]
Hi!
Uhm, that’s weird, but you’re not in permissive mode, are you? What
> does “getenforce” say?
>
I tired it in both modes and the same result in the log file.
>
> To relabel your whole file system according to installed policies run
> this:
>
> touch /.autorelabel
> reboot
>
I will see if my Fedora on the VM is not broken and try it. Otherwise fresh
install... and do this.
will answer back with my results.
Regards :)
Laura
[-- Attachment #2: Type: text/html, Size: 909 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-08 14:36 ` Laura Lazzati
@ 2019-06-08 14:50 ` Ricardo Wurmus
2019-06-08 14:57 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-08 14:50 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Laura Lazzati <laura.lazzati.15@gmail.com> writes:
>> Uhm, that’s weird, but you’re not in permissive mode, are you? What
>> does “getenforce” say?
>>
> I tired it in both modes and the same result in the log file.
Well, when in permissive mode it should probably say “permissive=1” in
the logs, but otherwise it should be the same.
>> To relabel your whole file system according to installed policies run
>> this:
>>
>> touch /.autorelabel
>> reboot
>>
> I will see if my Fedora on the VM is not broken and try it. Otherwise fresh
> install... and do this.
> will answer back with my results.
Reinstallation should not be necessary for this. It’s unlikely that
SELinux is broken. Just make sure that everything is properly labeled.
The reboot should take a pretty long time while every file on the disk
is labeled.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-08 14:50 ` Ricardo Wurmus
@ 2019-06-08 14:57 ` Laura Lazzati
2019-06-08 16:56 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-08 14:57 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 524 bytes --]
Hi!
Reinstallation should not be necessary for this. It’s unlikely that
> SELinux is broken. Just make sure that everything is properly labeled.
> The reboot should take a pretty long time while every file on the disk
> is labeled.
>
uhm then I am doing sth wrong, or did not understand very well when I
should run the last two commands.
I ran `semodule -i etc/guix-daemon.cil`, then created the file, rebooted,
and nothing happened. I am running again `restorecon -r /`.
Which one should be the order?
[-- Attachment #2: Type: text/html, Size: 888 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-08 14:57 ` Laura Lazzati
@ 2019-06-08 16:56 ` Ricardo Wurmus
2019-06-09 16:29 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-08 16:56 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hey Laura,
> I ran `semodule -i etc/guix-daemon.cil`, then created the file, rebooted,
> and nothing happened.
Hmm, the order is fine. I don’t know what might be wrong.
> I am running again `restorecon -r /`.
This should also be fine, though “restorecon -r /gnu” would probably be
enough. Confirm that contexts have been set properly with “ls -laZ
/gnu”.
If this doesn’t work I don’t know how to proceed.
Good luck! :)
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-08 16:56 ` Ricardo Wurmus
@ 2019-06-09 16:29 ` Laura Lazzati
2019-06-10 2:08 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-09 16:29 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 415 bytes --]
Hi!
>
> If this doesn’t work I don’t know how to proceed.
>
Me neither. I will delete my VM and have a fresh install, to see if I did
sth wrong in between, following the same steps. At least we know that in
Fedora/RHEL we deactivate SELinux and Guix works fine up to now :/
>
> Good luck! :)
>
Yes, I wish I did sth wrongly and it works on my new VM. Will answer back
here!
Regards :)
Laura
[-- Attachment #2: Type: text/html, Size: 811 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-09 16:29 ` Laura Lazzati
@ 2019-06-10 2:08 ` Laura Lazzati
2019-06-10 8:12 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-10 2:08 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 1010 bytes --]
Hi!
More info after having my fresh install.
First, I ran semode, and checked with -Z option my /gnu dir successfully.
After that, I created the file and rebooted. While rebooting this time I
got the message telling me that the system was being relabeled. Then, I ran
restorecon and set SELinux to Permissive mode. Tried it doing a guix search
hello.
My audit log showed:
type=AVC msg=audit(1560131803.485:381): avc: denied { search } for
pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
permissive=0
After that I SELinux to Enforcing to see what message I got i the CLI, and
it was a Permission Denied, and now I am getting that guix is not
installed, double checking with `which guix` :S
I am trying installing guix again with the script, and it reaches the point
where I get:
mv: cannot stat '/var/guix': Permission denied
Any ideas?
Regards!
Laura
[-- Attachment #2: Type: text/html, Size: 1429 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-10 2:08 ` Laura Lazzati
@ 2019-06-10 8:12 ` Ricardo Wurmus
2019-06-11 10:48 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-10 8:12 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> My audit log showed:
>
> type=AVC msg=audit(1560131803.485:381): avc: denied { search } for
> pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0
This looks better.
This says that “guix” is not labeled correctly. The message isn’t very
clear, but it looks like bash spawned “guix”, which has no particular
SELinux context (unconfined). When it tries to access /var/guix (which
*does* have the correct label) it is denied access, because only the
guix-daemon type has been granted access to files of type
“guix_daemon_conf_t”.
So we need to figure out what file that “guix” command corresponds to,
so that we can add a rule to the policy to apply the correct label.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-10 8:12 ` Ricardo Wurmus
@ 2019-06-11 10:48 ` Laura Lazzati
2019-06-11 12:23 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-11 10:48 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 212 bytes --]
Hi!
So we need to figure out what file that “guix” command corresponds to,
> so that we can add a rule to the policy to apply the correct label.
>
I see. But how can we do this?
Regards :)
Laura
[-- Attachment #2: Type: text/html, Size: 472 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-11 10:48 ` Laura Lazzati
@ 2019-06-11 12:23 ` Ricardo Wurmus
2019-06-12 1:58 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-11 12:23 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> So we need to figure out what file that “guix” command corresponds to,
>> so that we can add a rule to the policy to apply the correct label.
>>
> I see. But how can we do this?
We then need to think about the kinds of file operations that the “guix”
command should be permitted to perform. We know already that it should
be allowed to access files of type “guix_daemon_conf_t”.
What do you think: should we define a new type for the Guix command? If
so, we need to declare it near the top:
;; Declare own types
(type guix_daemon_t)
…
We would add two new types: one is a file type “guix_client_exec_t”,
which will be given to the “guix” executables. The file type should
allow the *process* spawned by the executable to operate in the
“guix_client_t” domain.
So, we’ll do this:
(type guix_client_exec_t)
(roletype object_r guix_client_exec_t)
(type guix_client_t)
(roletype object_r guix_client_t)
Since this type should not just be a file type but a *process* domain (=
a type for processes), we need to declare it as such, so this line
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
would become that line:
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))
Now we need to permit a domain transition: a file with type
guix_client_exec_t (when executed) should cause the resulting process to
transition to the guix_client_t domain. I’m not sure about this, but I
think we want this transition declaration:
(typetransition guix_store_content_t guix_client_exec_t
process guix_client_t)
This means: when a process in guix_store_content_t spawns a
guix_client_exec_t process, let it run in the guix_client_t context.
And *now* we can add rules of access for processes running in the
guix_client_t domain, such as these read-only directory access
permissions:
(allow guix_client_t
guix_daemon_conf_t
(dir (search
getattr
open read)))
and perhaps these read-only file access permissions:
(allow guix_client_t
guix_daemon_conf_t
(file (map
getattr
open read)))
Lastly, we need to add a file rule, so that the guix executables all get
the right type. The first step is to see what “guix” is:
readlink -f $(which guix)
It’s probably a store item with a particular name that isn’t captured by
an explicit rule in etc/guix-daemon.cil yet. We then add a rule to give
the “guix” file the proper label, something like the following, but with
a glob pattern matching the actual “guix” file:
(filecon "@storedir@/…/bin/guix"
file (system_u object_r guix_client_exec_t (low low)))
Every time we change the policy we need to run semanage to unload the
loaded policy and load the new one from file, then run restorecon to
relabel (a subset of the) files in /gnu.
A little tedious, but it should be manageable. Would you like to give
it a try?
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-11 12:23 ` Ricardo Wurmus
@ 2019-06-12 1:58 ` Laura Lazzati
2019-06-12 6:42 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-12 1:58 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 628 bytes --]
Hi!
I added the lines to a copy of guix-daemon.cil which I got from cloning
guix and placed it in root's home.
Since everything was messy (/gnu had d?????????? as permissions as well as
all the fields listed with `ls -l`, and could not solve it, even trying to
delete it ), I restored my VM to the point prior to adding the policy and
loading the module.
There i ran semodule, using the new file, created the .autorelabel file
and rebooted. It labeled everything, but I still can't run guix, and /gnu
dir again ended with these weird permisions:
d?????????? ? ? ? ? ? gnu
Any ideas?
Regards :/
Laura
[-- Attachment #2: Type: text/html, Size: 989 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 1:58 ` Laura Lazzati
@ 2019-06-12 6:42 ` Ricardo Wurmus
2019-06-12 13:27 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-12 6:42 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Laura Lazzati <laura.lazzati.15@gmail.com> writes:
> I added the lines to a copy of guix-daemon.cil which I got from cloning
> guix and placed it in root's home.
Which lines? All of the changes I described were not necessarily ready
for inclusion. They were all untested.
> Since everything was messy (/gnu had d?????????? as permissions as well as
> all the fields listed with `ls -l`, and could not solve it, even trying to
> delete it ), I restored my VM to the point prior to adding the policy and
> loading the module.
> There i ran semodule, using the new file, created the .autorelabel file
> and rebooted. It labeled everything, but I still can't run guix, and /gnu
> dir again ended with these weird permisions:
> d?????????? ? ? ? ? ? gnu
This probably just means that there is no context permissions for “ls”
to access /gnu. Another “allow” rule may be required to permit
read-only access on /gnu to any process.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 6:42 ` Ricardo Wurmus
@ 2019-06-12 13:27 ` Laura Lazzati
2019-06-12 13:34 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-12 13:27 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 645 bytes --]
Hi!
Which lines? All of the changes I described were not necessarily ready
> for inclusion. They were all untested.
>
No, I meant I did it locally on my computer. I didn't even touched the
original file. BTW, when they are finished how can I share that file
without pushing it?
> This probably just means that there is no context permissions for “ls”
> to access /gnu. Another “allow” rule may be required to permit
> read-only access on /gnu to any process.
>
Oh, I see, but I still have the issue of not finding Guix. I will try to
create rules and share them here.
Regards :)
Laura
>
> --
> Ricardo
>
>
[-- Attachment #2: Type: text/html, Size: 1203 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 13:27 ` Laura Lazzati
@ 2019-06-12 13:34 ` Ricardo Wurmus
2019-06-12 14:25 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-12 13:34 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> Which lines? All of the changes I described were not necessarily ready
>> for inclusion. They were all untested.
>>
> No, I meant I did it locally on my computer. I didn't even touched the
> original file.
Yes, I know. The lines I proposed were untested, though, and some of
them required adjustment, so I was curious to know what exact changes
you performed locally and where.
> BTW, when they are finished how can I share that file
> without pushing it?
You can share a git formatted patch as an email attachment.
>> This probably just means that there is no context permissions for “ls”
>> to access /gnu. Another “allow” rule may be required to permit
>> read-only access on /gnu to any process.
>>
> Oh, I see, but I still have the issue of not finding Guix. I will try to
> create rules and share them here.
When you run “which guix” what does it say? What does “readlink -f
$(which guix)” say?
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 13:34 ` Ricardo Wurmus
@ 2019-06-12 14:25 ` Laura Lazzati
2019-06-12 20:12 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-12 14:25 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 1049 bytes --]
Yes, I know. The lines I proposed were untested, though, and some of
> them required adjustment, so I was curious to know what exact changes
> you performed locally and where.
After writing the previous email I have realized I could have done it in a
separate file, right? Like I said, I cloned the repo copied the the
etc/guix-daemon.cil, under /root, added the types/ rules and replaced the
typeattributeset in the "sections" of the file.
>
> > BTW, when they are finished how can I share that file
> > without pushing it?
>
> You can share a git formatted patch as an email attachment.
>
Ok, I will do it then.
>
> When you run “which guix” what does it say? What does “readlink -f
> $(which guix)” say?
>
I first get the result of evaluating `which guix` saying it is not found,
and then thar readlink has no operand, see:
/usr/bin/which: no guix in
(/home/laura/.local/bin:/home/laura/bin:/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin)
readlink: missing operand
Regards :)
[-- Attachment #2: Type: text/html, Size: 1673 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 14:25 ` Laura Lazzati
@ 2019-06-12 20:12 ` Ricardo Wurmus
2019-06-12 21:01 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-12 20:12 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Laura Lazzati <laura.lazzati.15@gmail.com> writes:
>> When you run “which guix” what does it say? What does “readlink -f
>> $(which guix)” say?
>>
> I first get the result of evaluating `which guix` saying it is not found,
> and then thar readlink has no operand, see:
>
> /usr/bin/which: no guix in
> (/home/laura/.local/bin:/home/laura/bin:/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin)
> readlink: missing operand
That’s confusing. Didn’t you say that you ran “guix search” before?
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 20:12 ` Ricardo Wurmus
@ 2019-06-12 21:01 ` Laura Lazzati
2019-06-13 6:49 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-12 21:01 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 583 bytes --]
That’s confusing. Didn’t you say that you ran “guix search” before?
I've figured out the reason. In both cases -when I create the .autorelabel
file and reboot (so the permissive mode goes away, since I am changing it
through the CLI) and when I don't but run `restorecon -r /` and set it to
enforcing mode manually - guix is not found anymore. In permissive mode
guix is found and I can use it without issues. I even don't get anything
logged in the audit.log file. Any ideas? I only added/changed the lines of
the file that you sent me here.
Regards :)
Laura
[-- Attachment #2: Type: text/html, Size: 728 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-12 21:01 ` Laura Lazzati
@ 2019-06-13 6:49 ` Ricardo Wurmus
2019-06-13 17:53 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-13 6:49 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Laura Lazzati <laura.lazzati.15@gmail.com> writes:
>> That’s confusing. Didn’t you say that you ran “guix search” before?
>
> I've figured out the reason. In both cases -when I create the .autorelabel
> file and reboot (so the permissive mode goes away, since I am changing it
> through the CLI) and when I don't but run `restorecon -r /` and set it to
> enforcing mode manually - guix is not found anymore. In permissive mode
> guix is found and I can use it without issues.
Throughout this experiment you should be using permissive mode. There
is no point in using enforcing mode until the policy is fixed.
What is the file name of “guix” when running in permissive mode? We
need to know this to adjust the policy.
> I only added/changed the lines of
> the file that you sent me here.
It would be easier if I could see a diff.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-13 6:49 ` Ricardo Wurmus
@ 2019-06-13 17:53 ` Laura Lazzati
2019-06-13 18:52 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-13 17:53 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]
> What is the file name of “guix” when running in permissive mode? We
> need to know this to adjust the policy.
>
After running `which guix` I get:
/usr/local/bin/guix
I tried to add another label for it but it didn't work. I was going to ask
you for a good tutorial for writing the policies but I have just found
https://github.com/SELinuxProject/cil/wiki, I will read it the next days :)
I am attaching the diff file.
Regards!
Laura
[-- Attachment #1.2: Type: text/html, Size: 853 bytes --]
[-- Attachment #2: diffGuixDaemon.txt --]
[-- Type: text/plain, Size: 1084 bytes --]
diff -b guix-daemon.cil /home/laura/guix/etc/guix-daemon.cil.in
1c1
< ;; -*- lisp -*-
---
> ; -*- lisp -*-
45,48d44
< (type guix_client_exec_t)
< (roletype object_r guix_client_exec_t)
< (type guix_client_t)
< (roletype object_r guix_client_t)
51c47
< (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))
---
> (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
267,279d262
< ;;Client operations
< (allow guix_client_t
< guix_daemon_conf_t
< (dir (search
< getattr
< open read)))
< (allow guix_client_t
< guix_daemon_conf_t
< (file (map
< getattr
< open read)))
<
<
302,306c285
< any (system_u object_r guix_daemon_socket_t (low low)))
< (filecon "@storedir@/.../bin/guix"
< file (system_u object_r guix_client_exec_t (low low)))
< (filecon "/usr/local/bin/guix"
< file (system_u object_r guix_client_exec_t (low low))))
---
> any (system_u object_r guix_daemon_socket_t (low low))))
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-13 17:53 ` Laura Lazzati
@ 2019-06-13 18:52 ` Ricardo Wurmus
2019-06-14 17:24 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-13 18:52 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Laura Lazzati <laura.lazzati.15@gmail.com> writes:
>> What is the file name of “guix” when running in permissive mode? We
>> need to know this to adjust the policy.
>>
> After running `which guix` I get:
> /usr/local/bin/guix
> I tried to add another label for it but it didn't work. I was going to ask
> you for a good tutorial for writing the policies but I have just found
> https://github.com/SELinuxProject/cil/wiki, I will read it the next days :)
>
> I am attaching the diff file.
Thanks! (Please use “diff -u” in the future; it’s clearer when you’re
used to git diffs.)
I see this:
< (filecon "@storedir@/.../bin/guix"
< file (system_u object_r guix_client_exec_t (low low)))
And that’s not right because "@storedir@/.../bin/guix" is not a correct
file name pattern. That’s why I wrote that these names need to be
checked and can’t be used as is.
Is /usr/local/bin/guix a link? What about what “guix pull” installs?
These will be used by people, so our policy needs to cover them.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-13 18:52 ` Ricardo Wurmus
@ 2019-06-14 17:24 ` Laura Lazzati
2019-06-16 22:15 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-14 17:24 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 385 bytes --]
Hi!
Thanks for guiding me in solving this issue :)
I am editing the file to see if I can finish the task, will answer back
with my new results.
Thanks! (Please use “diff -u” in the future; it’s clearer when you’re
> used to git diffs.)
>
Will take this into account!
What about what “guix pull” installs?
>
Yes, I thought about this.
Regards :)
Laura
[-- Attachment #2: Type: text/html, Size: 834 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-14 17:24 ` Laura Lazzati
@ 2019-06-16 22:15 ` Laura Lazzati
2019-06-17 1:44 ` Ricardo Wurmus
0 siblings, 1 reply; 33+ messages in thread
From: Laura Lazzati @ 2019-06-16 22:15 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 216 bytes --]
Hi!
I am somewhat stuck :/
I cannot figure out why this doesn't work.
I have even tried adding the full path but when I test it I still see that
Guix is not found using enforcing mode.
Any ideas?
Regards :)
Laura
[-- Attachment #1.2: Type: text/html, Size: 532 bytes --]
[-- Attachment #2: guix-daemon-diff.txt --]
[-- Type: text/plain, Size: 1966 bytes --]
@@ -1,4 +1,4 @@
-;; -*- lisp -*-
+; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
@@ -42,13 +42,9 @@
(roletype object_r guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
- (type guix_client_exec_t)
- (roletype object_r guix_client_exec_t)
- (type guix_client_t)
- (roletype object_r guix_client_t)
;; These types are domains, thereby allowing process rules
- (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))
+ (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
(level low (s0))
@@ -58,8 +54,6 @@
process guix_daemon_t)
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
- (typetransition guix_store_content_t guix_client_exec_t
- process guix_client_t)
;; Permit communication with NSCD
(allow guix_daemon_t
@@ -266,19 +260,6 @@
self
(udp_socket (ioctl create)))
- ;;Client operations
- (allow guix_client_t
- guix_daemon_conf_t
- (dir (search
- getattr
- open read)))
- (allow guix_client_t
- guix_daemon_conf_t
- (file (map
- getattr
- open read)))
-
-
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
@@ -301,6 +282,4 @@
(filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
any (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@guix_localstatedir@/guix/daemon-socket/socket"
- any (system_u object_r guix_daemon_socket_t (low low)))
- (filecon "/var/guix/profiles/per-user/root/current-guix/bin/guix"
- file (system_u object_r guix_client_exec_t (low low))))
+ any (system_u object_r guix_daemon_socket_t (low low))))
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-16 22:15 ` Laura Lazzati
@ 2019-06-17 1:44 ` Ricardo Wurmus
2019-06-17 3:32 ` Laura Lazzati
0 siblings, 1 reply; 33+ messages in thread
From: Ricardo Wurmus @ 2019-06-17 1:44 UTC (permalink / raw)
To: Laura Lazzati; +Cc: Guix-devel
Hi Laura,
> I have even tried adding the full path but when I test it I still see that
> Guix is not found using enforcing mode.
> Any ideas?
Two things:
* when you edit the .cil.in file you need to run the configure script
again to generate an updated .cil file. You can’t load the changed
.cil.in file directly.
* I’m repeating myself here: do *not* use enforcing mode. Do use
permissive mode only.
--
Ricardo
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: SELinux log
2019-06-17 1:44 ` Ricardo Wurmus
@ 2019-06-17 3:32 ` Laura Lazzati
0 siblings, 0 replies; 33+ messages in thread
From: Laura Lazzati @ 2019-06-17 3:32 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 945 bytes --]
Hi!
* I’m repeating myself here: do *not* use enforcing mode. Do use
> permissive mode only.
>
Oh, sorry for this, it was the "easy" way of checking that it didn't work.
I have byobu running now with a tail -f of the audit log.
My question was more like "I am hardcoding the path to guix -at least
before doing a guix pull -, I cannot understand why that doesn't work, even
if I did it just for trying if it solved partially why guix was not found.
On the other hand, I get:
type=AVC msg=audit(1560741907.590:426): avc: denied { search } for
pid=31810 comm="which" name="gnu" dev="dm-0" ino=931548
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0
tclass=dir permissive=1
Should I add something allowing commands under /usr/bin to operate over
guix? Or am I mixing things too much?
Regards :)
Laura
--
> Ricardo
>
>
[-- Attachment #2: Type: text/html, Size: 1474 bytes --]
^ permalink raw reply [flat|nested] 33+ messages in thread
end of thread, other threads:[~2019-06-17 3:33 UTC | newest]
Thread overview: 33+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-04 21:28 SELinux log Laura Lazzati
2019-06-05 9:39 ` Ricardo Wurmus
2019-06-06 14:24 ` Laura Lazzati
2019-06-06 17:58 ` Ricardo Wurmus
2019-06-07 1:46 ` Laura Lazzati
2019-06-07 20:46 ` Ricardo Wurmus
2019-06-07 23:08 ` Laura Lazzati
2019-06-07 23:10 ` Laura Lazzati
2019-06-07 23:12 ` Laura Lazzati
2019-06-08 7:03 ` Ricardo Wurmus
2019-06-08 14:36 ` Laura Lazzati
2019-06-08 14:50 ` Ricardo Wurmus
2019-06-08 14:57 ` Laura Lazzati
2019-06-08 16:56 ` Ricardo Wurmus
2019-06-09 16:29 ` Laura Lazzati
2019-06-10 2:08 ` Laura Lazzati
2019-06-10 8:12 ` Ricardo Wurmus
2019-06-11 10:48 ` Laura Lazzati
2019-06-11 12:23 ` Ricardo Wurmus
2019-06-12 1:58 ` Laura Lazzati
2019-06-12 6:42 ` Ricardo Wurmus
2019-06-12 13:27 ` Laura Lazzati
2019-06-12 13:34 ` Ricardo Wurmus
2019-06-12 14:25 ` Laura Lazzati
2019-06-12 20:12 ` Ricardo Wurmus
2019-06-12 21:01 ` Laura Lazzati
2019-06-13 6:49 ` Ricardo Wurmus
2019-06-13 17:53 ` Laura Lazzati
2019-06-13 18:52 ` Ricardo Wurmus
2019-06-14 17:24 ` Laura Lazzati
2019-06-16 22:15 ` Laura Lazzati
2019-06-17 1:44 ` Ricardo Wurmus
2019-06-17 3:32 ` Laura Lazzati
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).