From: Ricardo Wurmus <rekado@elephly.net>
To: Laura Lazzati <laura.lazzati.15@gmail.com>
Cc: Guix-devel <guix-devel@gnu.org>
Subject: Re: SELinux log
Date: Fri, 07 Jun 2019 22:46:38 +0200
Message-ID: <87ef4586oh.fsf@elephly.net>
In-Reply-To: <CAPNLzUNRchOyMV=t1guAUcPr+Wg6Ho1pTXeNEYYxhJVod8atYw@mail.gmail.com>
Hi Laura,
> My log shows that
> SELinux would have prevented the daemon from running, like when I had
> it in enforcing mode:
Thank you, the log is helpful (even though it looks like your mail
client reformatted it, which makes it very hard to read).
Searching for “denied” we see the following classes of errors:
1) accessing libnss (for NSCD communication)
2) modifying the database
3) linking temp files (I don’t know what this is about)
4) invoking the “substitute” helper
5) connecting to the substitute servers via HTTPS
While the policy template file etc/guix-daemon.cil.in misses a couple of
labels and transitions (e.g. for database and substitute servers), I
think something’s wrong with your file labels.
The log shows me that /gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so
doesn’t have the SELinux context that I expect according to the policy
file.
The policy file template contains this rule:
(filecon "@storedir@/[^/]+/.+"
         any (unconfined_u object_r guix_store_content_t (low low)))
Once configured as etc/guix-daemon.cil the rule should be
(filecon "/gnu/store/[^/]+/.+"
         any (unconfined_u object_r guix_store_content_t (low low)))
I would expect that this matches
/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so.
The guix_store_content_t type is used for all files in the store. The
policy says that the daemon (which is labeled with the “guix_daemon_t”
type) can access these files using various syscalls:
--8<---------------cut here---------------start------------->8---
;; Access to store items
(allow guix_daemon_t
       guix_store_content_t
       (dir (reparent
             create
             getattr setattr
             search rename
             add_name remove_name
             open write
             rmdir)))
(allow guix_daemon_t
       guix_store_content_t
       (file (create
              lock
              setattr getattr
              execute execute_no_trans
              link unlink
              map
              rename
              open read write)))
(allow guix_daemon_t
       guix_store_content_t
       (lnk_file (create
                  getattr setattr
                  link unlink
                  read
                  rename)))
--8<---------------cut here---------------end--------------->8---
According to your audit log, file access using “map” (among others) was
denied, even though the policy explicitly allows it (see above):
> type=AVC msg=audit(1559870056.930:262): avc: denied { map } for
> pid=750 comm="guix-daemon"
> path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
> dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
“scontext” means “source context” (i.e. the context of the guix-daemon
process), “tcontext” means “target context” (i.e. the context of the
file). Here we see that both contexts are wrong, the one for the daemon
(“system_u:system_r:init_t:s0”) and the one for the target file
(“unconfined_u:object_r:user_tmp_t:s0”).
We want these to be “…:guix_daemon_t:…” and
“unconfined_u:object_r:guix_store_content_t:…”, respectively. (You can
check the context of a file with “ls -alZ”.)
Did you run “restorecon” on the store to recursively label all files?
Labeling files can take a long time (> 10 mins). When SELinux is
enabled and a policy is loaded it should automatically label new files
according to the policy, so perhaps these files were created while
SELinux was disabled?
I hope these comments are helpful in understanding the policy and
SELinux. If you are confused by any of this please ask and I’ll try to
explain the basic concepts you need to know to understand enough of
SELinux.
--
Ricardo
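The diagnosis in the mail above (read scontext/tcontext off each AVC denial, compare the types with what the policy expects, and only then ask whether the allow rules cover the permission) can be scripted. The following is an added example, not code from the post or from the Guix project. The expected types guix_daemon_t and guix_store_content_t, the /gnu/store/[^/]+/.+ pattern and the three allow sets are taken from the rules quoted in the mail; the helper names and all log lines other than the first are constructed for illustration.

```python
"""Triage SELinux AVC denials against the guix-daemon policy excerpt.

Added illustration, not code from the mailing-list post or from Guix.
The expected types, the store path pattern and the allow sets follow
the policy rules quoted in the mail; helper names and the constructed
log records are assumptions made for this example.
"""
import re
from collections import namedtuple

# "avc: denied { map } for pid=... comm=..." -> the permission set and the rest.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value tokens; values may be double-quoted (path="...", comm="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

DAEMON_TYPE = "guix_daemon_t"
STORE_TYPE = "guix_store_content_t"
# The filecon regex once @storedir@ has been configured as /gnu/store.
STORE_ITEM_RE = re.compile(r"^/gnu/store/[^/]+/.+")

# Permissions the quoted (allow guix_daemon_t guix_store_content_t ...) rules grant.
ALLOWED = {
    "dir": {"reparent", "create", "getattr", "setattr", "search", "rename",
            "add_name", "remove_name", "open", "write", "rmdir"},
    "file": {"create", "lock", "setattr", "getattr", "execute", "execute_no_trans",
             "link", "unlink", "map", "rename", "open", "read", "write"},
    "lnk_file": {"create", "getattr", "setattr", "link", "unlink", "read", "rename"},
}

Denial = namedtuple("Denial", ["perms", "fields"])


def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    return Denial(perms, fields)


def context_type(context):
    """A context is user:role:type:level; return the type, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage(denial):
    """Classify a denial the way the mail does: first check both labels,
    and only when they are right ask whether the allow rules cover it."""
    f = denial.fields
    stype = context_type(f.get("scontext", ""))
    ttype = context_type(f.get("tcontext", ""))
    path = f.get("path", "")
    tclass = f.get("tclass")
    problems = []
    if f.get("comm") == "guix-daemon" and stype != DAEMON_TYPE:
        problems.append(f"daemon runs as {stype}, expected {DAEMON_TYPE}")
    if STORE_ITEM_RE.match(path) and ttype != STORE_TYPE:
        problems.append(f"{path} is labeled {ttype}, expected {STORE_TYPE}; "
                        "run restorecon on the store")
    if problems:
        return problems  # mislabeling explains the denial; no point reading rules yet
    if stype == DAEMON_TYPE and ttype == STORE_TYPE:
        missing = denial.perms - ALLOWED.get(tclass, set())
        if missing:
            return [f"quoted rules grant no {sorted(missing)} on {tclass} for store content"]
        return ["access is granted by the quoted rules; check that the loaded "
                "policy matches the file"]
    return ["outside the quoted store-content rules; the policy needs a label "
            "or rule for this target"]


def triage_log(lines):
    """Parse every AVC denial in an audit log and attach its diagnosis."""
    results = []
    for line in lines:
        denial = parse_avc(line)
        if denial is not None:
            results.append((denial, triage(denial)))
    return results


SAMPLE_LOG = [
    # The record from the mail, rejoined onto one line (the mail client had wrapped it).
    'type=AVC msg=audit(1559870056.930:262): avc: denied { map } for pid=750 comm="guix-daemon" '
    'path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so" '
    'dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1',
    # Constructed: a non-AVC record that the parser must skip.
    "type=SYSCALL msg=audit(1559870056.930:262): arch=c000003e syscall=9 success=yes exit=0",
    # Constructed: the same access with both labels as the policy expects.
    'type=AVC msg=audit(1559870100.000:300): avc: denied { map } for pid=750 comm="guix-daemon" '
    'path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so" '
    'dev="dm-0" ino=559457 scontext=system_u:system_r:guix_daemon_t:s0 '
    'tcontext=unconfined_u:object_r:guix_store_content_t:s0 tclass=file permissive=1',
    # Constructed: the HTTPS case from the mail's list; no store file is involved.
    'type=AVC msg=audit(1559870200.000:301): avc: denied { name_connect } for pid=750 '
    'comm="guix-daemon" dest=443 scontext=system_u:system_r:guix_daemon_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1',
]

if __name__ == "__main__":
    for denial, problems in triage_log(SAMPLE_LOG):
        print(sorted(denial.perms), denial.fields.get("tclass"), denial.fields.get("path", "-"))
        for problem in problems:
            print("   ", problem)
```

Feed it the output of `ausearch -m avc` (or the raw audit.log) to see which denials are explained by labels alone and which point at genuine gaps in the policy; with the record from the mail it reports both the init_t source and the user_tmp_t target before looking at any allow rule.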