From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
From: Marius Bakke
To: Daniel Brooks
Cc: 44549@debbugs.gnu.org
Date: Fri, 13 Nov 2020 15:52:52 +0100
Message-ID: <87r1oxb96j.fsf@gnu.org>
In-Reply-To: <87eeky6sfd.fsf@db48x.net>
References: <87sg9h8s5j.fsf@db48x.net> <87361ecm7f.fsf@gnu.org> <87v9ea6yhl.fsf@db48x.net> <87tutub4l9.fsf@gnu.org> <87eeky6sfd.fsf@db48x.net>

Daniel Brooks writes:

>>>> + (allow guix_daemon_t
>>>> + guix_daemon_socket_t
>>>> + (sock_file (unlink)))
>>>
>>> That shouldn't be a problem, though we don't have any other rules for
>>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>>> correctly when created, and hasn't been relabeled since.
>>
>> It could also be an artifact from my ancient experiments with Guix and
>> SELinux on this system. Perhaps we should test on a "clean" system to
>> verify, I can do that next week.
>
> Ok, I figured this one out. When the socket file is created it is
> labeled at guix_daemon_conf_t, but the filecon rules will cause that to
> be relabeled to guix_daemon_socket_t at some point in the future. When
> the guix-daemon process stops it tries to delete the socket file, but
> can't. I'll go ahead and include the rule.

OK.

>> As a side note, I've seen a couple other audit messages from
>> guix-daemon, although they don't seem to cause a problem in
>> practice.
>>
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
>> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
>> permissive=0
>
> The first two are already covered by the new policy, and the third is
> inconsequential. The kernel checks on our behalf to see if our child
> processes are allowed to inherit our signal state. That's usually
> disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
> the logs; you probably had that disabled. I'm not going to add a rule
> allowing that one; it would just cause accidents.

Thanks for investigating.

Interestingly, after updating the system (both RHEL8 and Guix) and
rebooting, I got new SELinux troubles! I had to add these additional
rules to make guix-daemon start again:

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 47fd12a214..3e254a2187 100644
=2D-- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -86,12 +86,15 @@ (allow init_t guix_daemon_t (process (transition))) + (allow init_t + self + (process (execmem))) (allow init_t guix_store_content_t (lnk_file (read))) (allow init_t guix_store_content_t =2D (file (open read execute))) + (file (open read execute execute_no_trans map))) =20 ;; guix-daemon needs to know the names of users (allow guix_daemon_t

Do these look sane to you? I can squash them into the commit if so.
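Review bot: both additions widen init_t rather than guix_daemon_t, and `execute_no_trans` on guix_store_content_t lets init_t run store files in its own domain, which works against the `(allow init_t guix_daemon_t (process (transition)))` rule kept as context just above. Before squashing, look at the AVC message that prompted them: if init_t is executing the daemon binary without the transition into guix_daemon_t, the cause is more likely a labeling problem (as the thread already found for the socket file) than a missing permission, and granting `execmem` on `self` to init_t is a broad relaxation of the init domain that belongs in the base policy if anywhere. `map` by itself is reasonable, since newer kernels check it when a file is mmapped; if `execmem` and `execute_no_trans` are kept, add a `;;` comment in the .cil explaining why init_t needs them.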
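The AVC denials quoted in the message, turned into the CIL allow rules they imply; this is an added example, not code from the thread or from Guix. It merges duplicate denials per (source type, target type, class) and, following the thread's decision, refuses to emit an allow for siginh. The sample audit text is constructed from the three lines quoted above, and all function names are the example's own.

```python
import re

# Constructed sample input: the three AVC lines quoted in the message
# (the first two are the same event logged twice).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s.*?tcontext=(?P<tcontext>\S+)\s.*?"
    r"tclass=(?P<tclass>\S+)")

# Permissions deliberately not granted: the base policy dontaudits siginh,
# and an allow would only hide mistakes (the reasoning given in the thread).
NO_ALLOW = {"siginh"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def collect_rules(audit_text):
    """Merge denials per (source, target, class); return (cil_rules, skipped)."""
    merged = {}
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules, skipped = [], []
    for (src, tgt, cls), perms in merged.items():
        for perm in sorted(perms & NO_ALLOW):
            skipped.append(f"{src} -> {tgt} ({cls} {perm}): left to dontaudit")
        allowed = sorted(perms - NO_ALLOW)
        if allowed:
            rules.append(f"(allow {src} {tgt} ({cls} ({' '.join(allowed)})))")
    return rules, skipped
```

The emitted rule uses the fully qualified `guix_daemon.guix_daemon_t` name as it appears in the audit context; inside the `(block guix_daemon ...)` of the .cil file the short name `guix_daemon_t` is used instead.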