Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
Resent-From: Marius Bakke
Resent-Date: Fri, 13 Nov 2020 16:01:02 +0000
To: Daniel Brooks
Cc: 44549@debbugs.gnu.org
From: Marius Bakke
In-Reply-To: <87v9e95l03.fsf@db48x.net>
Date: Fri, 13 Nov 2020 16:59:52 +0100
Message-ID: <87ima9b62v.fsf@gnu.org>

Daniel Brooks writes: > Marius Bakke writes: > >> Interestingly, after updating the system (both RHEL8 and Guix) and >> rebooting, I got new SELinux troubles! >> >> I had to add these additional rules to make guix-daemon start again: >> >> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in >> index 47fd12a214..3e254a2187 100644 >> --- a/etc/guix-daemon.cil.in >> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@ >> (allow init_t >> guix_daemon_t >> (process (transition))) >> + (allow init_t >> + self >> + (process (execmem))) > > At some point we should track down why that one is necessary, perhaps > Guile has a JIT compiler or something? Ding ding ding. https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation >> (allow init_t >> guix_store_content_t >> - (file (open read execute))) >> + (file (open read execute execute_no_trans map))) > > This one looks pretty suspicious. I think it would allow any file > labeled guix_store_content_t to run in the init_t domain? We wouldn't > want that. Right. The guix_store_content_t file in question was 'guile', which I suppose is a kind of special case. Can you think of any workarounds for this? Are you testing with the latest version of guix-daemon?
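Review bot: the widened rule `+ (file (open read execute execute_no_trans map)))` for init_t on guix_store_content_t is too broad for the problem it fixes. `execute_no_trans` lets init_t execute any file labeled guix_store_content_t while staying in its own domain, and because that label covers the whole store rather than just the guile binary, it effectively exempts store content from the confinement that the existing `(allow init_t guix_daemon_t (process (transition)))` rule is there to provide. Since the file that failed is 'guile' (per the follow-up), the fix that keeps confinement is to make init_t transition into guix_daemon_t when it executes the daemon's entry point; plain `execute` is what a transitioning exec needs, and `execute_no_trans` is specifically the permission for running something without a domain change. The same concern applies to `+ (allow init_t self (process (execmem)))`: init_t is the domain of the init process itself, so this grants writable-plus-executable memory to PID 1 and every other init_t process, not only to Guile's JIT. If the JIT is the reason, the permission belongs on guix_daemon_t (or whichever domain guile ends up running in once the transition works), and a comment in the policy recording that Guile's run-time code generation is why it is needed would save the next reader from rediscovering it.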