Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
To: Daniel Brooks, 44549@debbugs.gnu.org
From: Marius Bakke
Date: Thu, 12 Nov 2020 22:13:56 +0100
Message-ID: <87361ecm7f.fsf@gnu.org>
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>
References: <87sg9h8s5j.fsf@db48x.net>

Hello Daniel,

Thanks a lot for this.

Daniel Brooks writes:

> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.

This commit message is somewhat unorthodox.  :-)

Perhaps it can be shortened to:

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

[...]
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@
>  ;; Intermediate Language (CIL). It refers to types that must be defined in
>  ;; the system's base policy.
>  
> +;; If you, like me, need advice about fixing an SELinux policy, I recommend
> +;; reading https://danwalsh.livejournal.com/55324.html
> +
> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
> +;; permissions, and when it doesn't have permission it will still send an
> +;; audit message to your system logs. This lets you know what permissions it
> +;; ought to have. Use ausearch --raw to find the permissions violations, then
> +;; pipe that to audit2allow to generate an updated policy. You'll still need
> +;; to translate that policy into CIL in order to update this file, but that's
> +;; fairly straight-forward. Annoying, but easy.

I'm not sure about the second paragraph.  It's mainly a rehash of the
blog post, no?  And there are many other ways to go about
troubleshooting SELinux (I did not use ausearch at all).

Anyway!  I tried it on RHEL8, and had to do a few more tweaks to get it
working:

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 666e5677a3..b5909f1b18 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -84,6 +84,9 @@
   (allow init_t
          guix_daemon_t
          (process (transition)))
+  (allow init_t
+         guix_store_content_t
+         (lnk_file (read)))
   (allow init_t
          guix_store_content_t
          (file (open read execute)))
@@ -166,6 +169,9 @@
   (allow guix_daemon_t
          root_t
          (dir (mounton)))
+  (allow guix_daemon_t
+         guix_daemon_socket_t
+         (sock_file (unlink)))
   (allow guix_daemon_t
          fs_t
          (filesystem (getattr)))
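Review bot: the troubleshooting comment in the quoted `@@ -21,6 +21,18 @@` hunk tells the reader to run `semanage permissive -a guix_daemon.guix_daemon_t` but never to undo it, so anyone following it literally leaves guix-daemon permanently permissive. If the paragraph is kept, add the matching `semanage permissive -d guix_daemon.guix_daemon_t` step once the new rules are installed, and say that the audit2allow output has to be read and trimmed rather than pasted wholesale, since it allows every denial it saw, including ones that should stay denied.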
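Review bot: the new `(allow init_t guix_store_content_t (lnk_file (read)))` in the `@@ -84,6 +84,9 @@` hunk carries no comment saying which symlink init has to follow, unlike the neighbouring `(process (transition))` and `(file (open read execute))` rules whose purpose is self-evident. A one-line `;;` comment naming the path involved (presumably a profile or store symlink that the service's ExecStart resolves before reaching the daemon binary, but the hunk does not say) would let the next person updating the policy tell whether the rule can be dropped or must be widened.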
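Review bot: `(sock_file (unlink))` on guix_daemon_socket_t in the `@@ -166,6 +169,9 @@` hunk covers removing a stale socket at startup, but that is only half of the restart path; check that creating the socket file under the same label is granted elsewhere in the file, otherwise the daemon unlinks the old socket and then fails to bind a new one, leaving clients with nothing to connect to. A short comment on why unlink is needed would also help, since granting unlink on the socket label is a deliberate widening that a later reader may otherwise try to remove.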
@@ -348,7 +354,12 @@
          getopt setopt)))
   (allow guix_daemon_t
          self
-         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
+         (netlink_route_socket (read write)))
+  (allow guix_daemon_t
+         self
+         (tcp_socket (accept
+                      listen bind connect create read write
+                      setopt getopt getattr ioctl)))
   (allow guix_daemon_t
          unreserved_port_t
          (tcp_socket (name_bind name_connect accept listen)))

Can you test these additional changes on Fedora?

With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation!  :-)

Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?

Thanks!  It's really great to get this in before 1.2.0.
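Review bot: the `(netlink_route_socket (read write))` rule in the `@@ -348,7 +354,12 @@` hunk grants read and write only; a netlink route socket is created and bound before anything is read from it, so unless the allow that ends at `getopt setopt)))` just above already covers `create bind getattr nlmsg_read` for this class, the denial merely moves one syscall earlier. If that preceding rule is for the same class, fold `read write` into it rather than adding a second rule for the same subject and object; either way the rule deserves a comment, because a build daemon needing a route socket is not obvious (most often it is libc name resolution enumerating the local interfaces). The tcp_socket change is fine as split across lines, but note it is now a separate rule from the netlink one, so the two should not share a comment.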