From: Marius Bakke <marius@gnu.org>
To: Daniel Brooks <db48x@db48x.net>
Cc: 44549@debbugs.gnu.org
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Fri, 13 Nov 2020 15:52:52 +0100 [thread overview]
Message-ID: <87r1oxb96j.fsf@gnu.org> (raw)
In-Reply-To: <87eeky6sfd.fsf@db48x.net>
[-- Attachment #1.1: Type: text/plain, Size: 2554 bytes --]
Daniel Brooks <db48x@db48x.net> writes:
>>>> + (allow guix_daemon_t
>>>> + guix_daemon_socket_t
>>>> + (sock_file (unlink)))
>>>
>>> That shouldn't be a problem, though we don't have any other rules for
>>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>>> correctly when created, and hasn't been relabeled since.
>>
>> It could also be an artifact from my ancient experiments with Guix and
>> SELinux on this system. Perhaps we should test on a "clean" system to
>> verify, I can do that next week.
>
> Ok, I figured this one out. When the socket file is created it is
> labeled at guix_daemon_conf_t, but the filecon rules will cause that to
> be relabeled to guix_daemon_socket_t at some point in the future. When
> the guix-daemon process stops it tries to delete the socket file, but
> can't. I'll go ahead and include the rule.
OK.
>> As a side note, I've seen a couple other audit messages from
>> guix-daemon, although though they don't seem to cause a problem in
>> practice.
>>
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
>> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
>> permissive=0
>
> The first two are already covered by the new policy, and the third is
> inconsequential. The kernel checks on our behalf to see if our child
> processes are allowed to inherit our signal state. That's usually
> disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
> the logs; you probably had that disabled. I'm not going to add a rule
> allowing that one; It would just cause accidents.
Thanks for investigating.
Interestingly, after updating the system (both RHEL8 and Guix) and
rebooting, I got new SELinux troubles!
I had to add these additional rules to make guix-daemon start again:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: diff --]
[-- Type: text/x-patch, Size: 633 bytes --]
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 47fd12a214..3e254a2187 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -86,12 +86,15 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ self
+ (process (execmem)))
(allow init_t
guix_store_content_t
(lnk_file (read)))
(allow init_t
guix_store_content_t
- (file (open read execute)))
+ (file (open read execute execute_no_trans map)))
;; guix-daemon needs to know the names of users
(allow guix_daemon_t
[-- Attachment #1.3: Type: text/plain, Size: 70 bytes --]
Do these look sane to you? I can squash them into the commit if so.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
next prev parent reply other threads:[~2020-11-13 14:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
2020-11-12 21:13 ` Marius Bakke
2020-11-12 21:45 ` Daniel Brooks
2020-11-12 22:19 ` Marius Bakke
2020-11-12 23:56 ` Daniel Brooks
2020-11-13 14:52 ` Marius Bakke [this message]
2020-11-13 15:34 ` Daniel Brooks
2020-11-13 15:59 ` Marius Bakke
2020-11-13 0:01 ` [bug#44549] [PATCH v2] " Daniel Brooks
2020-11-13 0:07 ` [bug#44549] [PATCH v3] " Daniel Brooks
2020-11-14 14:57 ` [bug#44549] [PATCH v4] " Daniel Brooks
2020-11-15 22:19 ` bug#44549: " Marius Bakke
2020-11-14 16:49 ` [bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon Daniel Brooks
2020-11-15 22:18 ` Marius Bakke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r1oxb96j.fsf@gnu.org \
--to=marius@gnu.org \
--cc=44549@debbugs.gnu.org \
--cc=db48x@db48x.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).