From: Marius Bakke <marius@gnu.org>
To: Daniel Brooks <db48x@db48x.net>, 44549@debbugs.gnu.org
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Thu, 12 Nov 2020 22:13:56 +0100 [thread overview]
Message-ID: <87361ecm7f.fsf@gnu.org> (raw)
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>
[-- Attachment #1.1: Type: text/plain, Size: 2238 bytes --]
Hello Daniel,
Thanks a lot for this.
Daniel Brooks <db48x@db48x.net> writes:
>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.
This commit message is somewhat unorthodox. :-)
Perhaps it can be shortened to:
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
[...]
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@
> ;; Intermediate Language (CIL). It refers to types that must be defined in
> ;; the system's base policy.
>
> +;; If you, like me, need advice about fixing an SELinux policy, I recommend
> +;; reading https://danwalsh.livejournal.com/55324.html
> +
> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
> +;; permissions, and when it doesn't have permission it will still send an
> +;; audit message to your system logs. This lets you know what permissions it
> +;; ought to have. Use ausearch --raw to find the permissions violations, then
> +;; pipe that to audit2allow to generate an updated policy. You'll still need
> +;; to translate that policy into CIL in order to update this file, but that's
> +;; fairly straight-forward. Annoying, but easy.
I'm not sure about the second paragraph. It's mainly a rehash of the
blog post, no? And there are many other ways to go about
troubleshooting SELinux (I did not use ausearch at all).
Anyway! I tried it on RHEL8, and had to do a few more tweaks to get it
working:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: diff --]
[-- Type: text/x-patch, Size: 1201 bytes --]
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 666e5677a3..b5909f1b18 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -84,6 +84,9 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
(allow init_t
guix_store_content_t
(file (open read execute)))
@@ -166,6 +169,9 @@
(allow guix_daemon_t
root_t
(dir (mounton)))
+ (allow guix_daemon_t
+ guix_daemon_socket_t
+ (sock_file (unlink)))
(allow guix_daemon_t
fs_t
(filesystem (getattr)))
@@ -348,7 +354,12 @@
getopt setopt)))
(allow guix_daemon_t
self
- (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
+ (netlink_route_socket (read write)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept
+ listen bind connect create read write
+ setopt getopt getattr ioctl)))
(allow guix_daemon_t
unreserved_port_t
(tcp_socket (name_bind name_connect accept listen)))
[-- Attachment #1.3: Type: text/plain, Size: 331 bytes --]
Can you test these additional changes on Fedora?
With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation! :-)
Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?
Thanks! It's really great to get this in before 1.2.0.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
next prev parent reply other threads:[~2020-11-12 21:15 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
2020-11-12 21:13 ` Marius Bakke [this message]
2020-11-12 21:45 ` Daniel Brooks
2020-11-12 22:19 ` Marius Bakke
2020-11-12 23:56 ` Daniel Brooks
2020-11-13 14:52 ` Marius Bakke
2020-11-13 15:34 ` Daniel Brooks
2020-11-13 15:59 ` Marius Bakke
2020-11-13 0:01 ` [bug#44549] [PATCH v2] " Daniel Brooks
2020-11-13 0:07 ` [bug#44549] [PATCH v3] " Daniel Brooks
2020-11-14 14:57 ` [bug#44549] [PATCH v4] " Daniel Brooks
2020-11-15 22:19 ` bug#44549: " Marius Bakke
2020-11-14 16:49 ` [bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon Daniel Brooks
2020-11-15 22:18 ` Marius Bakke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87361ecm7f.fsf@gnu.org \
--to=marius@gnu.org \
--cc=44549@debbugs.gnu.org \
--cc=db48x@db48x.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).