From: Daniel Brooks
To: Marius Bakke
Cc: 44549@debbugs.gnu.org
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Thu, 12 Nov 2020 15:56:06 -0800
Message-ID: <87eeky6sfd.fsf@db48x.net>
In-Reply-To: <87tutub4l9.fsf@gnu.org> (Marius Bakke's message of "Thu, 12 Nov 2020 23:19:46 +0100")
References: <87sg9h8s5j.fsf@db48x.net> <87361ecm7f.fsf@gnu.org> <87v9ea6yhl.fsf@db48x.net> <87tutub4l9.fsf@gnu.org>

Marius Bakke writes:

>>> + (allow init_t
>>> + guix_store_content_t
>>> + (lnk_file (read)))
>>
>> This one is a little unusual; is your service file symlinked or something?
>
> Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
> to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?

That was it. Not sure how I left that one out, in fact.

>>> + (allow guix_daemon_t
>>> + guix_daemon_socket_t
>>> + (sock_file (unlink)))
>>
>> That shouldn't be a problem, though we don't have any other rules for
>> guix_daemon_socket_t.
>> Possibly that is because my socket file is labeled
>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>> correctly when created, and hasn't been relabeled since.
>
> It could also be an artifact from my ancient experiments with Guix and
> SELinux on this system. Perhaps we should test on a "clean" system to
> verify; I can do that next week.

Ok, I figured this one out. When the socket file is created it is
labeled as guix_daemon_conf_t, but the filecon rules will cause that to
be relabeled to guix_daemon_socket_t at some point in the future. When
the guix-daemon process stops it tries to delete the socket file, but
can't. I'll go ahead and include the rule.

> Can you "squash" the relevant changes from my patch and send a new patch
> when you are done?

Will do.

> As a side note, I've seen a couple other audit messages from
> guix-daemon, although they don't seem to cause a problem in
> practice.
>
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
> permissive=0

The first two are already covered by the new policy, and the third is
inconsequential. The kernel checks on our behalf to see if our child
processes are allowed to inherit our signal state. That's usually
disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
the logs; you probably had that disabled. I'm not going to add a rule
allowing that one; it would just cause accidents.

db48x
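Review bot: the second quoted hunk, `(allow guix_daemon_t guix_daemon_socket_t (sock_file (unlink)))`, only covers the socket after a relabel has given it guix_daemon_socket_t; the reply says the file is created as guix_daemon_conf_t and relabeled later, so a daemon stopped before that relabel would still fail to remove it unless unlink on guix_daemon_conf_t sock_file is already allowed elsewhere. Consider adding a CIL `typetransition` rule for sock_file creation in the socket's directory so the socket gets guix_daemon_socket_t from the start, which also keeps its label stable between restorecon runs.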
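The AVC records quoted above and the CIL rules discussed in the thread can be checked against each other mechanically. The following is an added example, not code from this thread or from Guix: it parses the audit lines, collapses the duplicated record, and classifies each distinct denial as covered by an allow, silenced by a dontaudit, or uncovered. The CIL fragment is constructed for the example; the allow for the socket read and the dontaudit for siginh are assumptions, not rules shown in the thread.

```python
import re

# Constructed sample input: the three AVC records quoted in this thread.
AVC_LOG = """
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
"""

# Assumed CIL fragment (constructed, not the patch): the two rules quoted in the thread,
# plus an assumed allow for the socket read and the customary dontaudit for siginh.
CIL_POLICY = """
(allow init_t guix_store_content_t (lnk_file (read)))
(allow guix_daemon_t guix_daemon_socket_t (sock_file (unlink)))
(allow guix_daemon_t init_t (unix_stream_socket (read)))
(dontaudit init_t guix_daemon_t (process (siginh)))
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
CIL_RULE_RE = re.compile(r'\((allow|dontaudit)\s+(\w+)\s+(\w+)\s+\((\w+)\s+\(([^)]+)\)\)\)')

def ctx_type(ctx):
    """Type field of a context, minus any CIL block prefix (guix_daemon.guix_daemon_t -> guix_daemon_t)."""
    return ctx.split(':')[2].rsplit('.', 1)[-1]

def parse_avc(log):
    """Distinct (source type, target type, class, permission) tuples denied in the log."""
    keys = []
    for m in AVC_RE.finditer(log):
        perms, sctx, tctx, tclass = m.groups()
        keys += [(ctx_type(sctx), ctx_type(tctx), tclass, p) for p in perms.split()]
    return list(dict.fromkeys(keys))  # repeated audit records collapse into one entry

def parse_cil_rules(policy):
    """Map each (src, tgt, class, perm) named by an allow/dontaudit rule to the rule kind."""
    rules = {}
    for kind, src, tgt, cls, perms in CIL_RULE_RE.findall(policy):
        for perm in perms.split():
            rules[(src, tgt, cls, perm)] = kind
    return rules

def classify(log, policy):
    """Label each distinct denial 'allow' (covered), 'dontaudit' (expected noise) or 'uncovered'."""
    rules = parse_cil_rules(policy)
    return {d: rules.get(d, 'uncovered') for d in parse_avc(log)}

if __name__ == '__main__':
    for denial, verdict in classify(AVC_LOG, CIL_POLICY).items():
        print(verdict, *denial)
```

Running it against the constructed policy reports the socket read as allowed and the siginh denial as dontaudit noise; with an empty policy both come back as uncovered, which is the signal to look for in a new AVC dump.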