From: Ricardo Wurmus
Subject: Re: SELinux log
Date: Fri, 07 Jun 2019 22:46:38 +0200
Message-ID: <87ef4586oh.fsf@elephly.net>
References: <87sgsocqx5.fsf@elephly.net> <87k1dyk33n.fsf@elephly.net>
To: Laura Lazzati
Cc: Guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Laura,

> My log shows that
> SELinux would have prevented the daemon from running, like when I had
> it in enforcing mode:

Thank you, the log is helpful (even though it looks like your mail
client reformatted it, which makes it very hard to read).

Searching for “denied” we see the following classes of errors:

1) accessing libnss (for NSCD communication)
2) modifying the database
3) linking temp files (I don’t know what this is about)
4) invoking the “substitute” helper
5) connecting to the substitute servers via HTTPS

While the policy template file etc/guix-daemon.cil.in misses a couple of
labels and transitions (e.g. for database and substitute servers), I
think something’s wrong with your file labels.

The log shows me that
/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so
doesn’t have the SELinux context that I expect according to the policy
file. The policy file template contains this rule:

    (filecon "@storedir@/[^/]+/.+" any (unconfined_u object_r guix_store_content_t (low low)))

Once configured as etc/guix-daemon.cil the rule should be

    (filecon "/gnu/store/[^/]+/.+" any (unconfined_u object_r guix_store_content_t (low low)))

I would expect that this matches
/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so.

The guix_store_content_t type is used for all files in the store. The
policy says that the daemon (which is labeled with the “guix_daemon_t”
type) can access these files using various syscalls:

--8<---------------cut here---------------start------------->8---
;; Access to store items
(allow guix_daemon_t guix_store_content_t
       (dir (reparent create getattr setattr search rename add_name
            remove_name open write rmdir)))
(allow guix_daemon_t guix_store_content_t
       (file (create lock setattr getattr execute execute_no_trans link
            unlink map rename open read write)))
(allow guix_daemon_t guix_store_content_t
       (lnk_file (create getattr setattr link unlink read rename)))
--8<---------------cut here---------------end--------------->8---

According to your audit log, file access using “map” (among others) was
denied, even though the policy explicitly allows it (see above):

> type=AVC msg=audit(1559870056.930:262): avc: denied { map } for
> pid=750 comm="guix-daemon"
> path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
> dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1

“scontext” means “source context” (i.e. the context of the guix-daemon
process), “tcontext” means “target context” (i.e. the context of the
file). Here we see that both contexts are wrong, the one for the daemon
(“system_u:system_r:init_t:s0”) and the one for the target file
(“unconfined_u:object_r:user_tmp_t:s0”). We want these to be
“…:guix_daemon_t:…” and “unconfined_u:object_r:guix_store_content_t:…”,
respectively. (You can check the context of a file with “ls -alZ”.)

Did you run “restorecon” on the store to recursively label all files?
Labeling files can take a long time (> 10 mins). When SELinux is
enabled and a policy is loaded it should automatically label new files
according to the policy, so perhaps these files were created while
SELinux was disabled?

I hope these comments are helpful in understanding the policy and
SELinux. If you are confused by any of this please ask and I’ll try to
explain the basic concepts you need to know to understand enough of
SELinux.

-- 
Ricardo
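Added example, not part of Ricardo's message or of Guix itself: a small Python checker that parses AVC denial lines like the one quoted above and tells a labeling problem apart from a genuine policy gap. It applies the configured filecon pattern ("/gnu/store/[^/]+/.+") to the denied path, compares scontext/tcontext types against guix_daemon_t and guix_store_content_t, and looks the denied permission up in the allow rules from the excerpt. The ALLOWED table encodes only that excerpt; the sample log is constructed (the first line reproduces the quoted denial, the second is a made-up database denial with the inode and label chosen for illustration).

```python
"""Classify SELinux AVC denials for guix-daemon: mislabeling vs. policy gap.

Added example, not code from the original message or from Guix. The
expected types, the filecon regex and the ALLOWED table are taken from the
policy excerpt in the message; everything else is an assumption.
"""
import re
from dataclasses import dataclass, field

# Path pattern of the configured filecon rule:
#   (filecon "/gnu/store/[^/]+/.+" any (unconfined_u object_r guix_store_content_t (low low)))
STORE_CONTENT_RE = re.compile(r"^/gnu/store/[^/]+/.+$")

DAEMON_TYPE = "guix_daemon_t"          # expected type of the daemon process
STORE_TYPE = "guix_store_content_t"    # expected type of every store file

# Permissions the excerpt grants guix_daemon_t on guix_store_content_t, per class.
ALLOWED = {
    "dir": {"reparent", "create", "getattr", "setattr", "search", "rename",
            "add_name", "remove_name", "open", "write", "rmdir"},
    "file": {"create", "lock", "setattr", "getattr", "execute", "execute_no_trans",
             "link", "unlink", "map", "rename", "open", "read", "write"},
    "lnk_file": {"create", "getattr", "setattr", "link", "unlink", "read", "rename"},
}

# Constructed sample log: line 1 is the denial quoted in the message, line 2 is
# a made-up database denial (path, inode and var_lib_t label are illustrative).
SAMPLE_LOG = """\
type=AVC msg=audit(1559870056.930:262): avc:  denied  { map } for  pid=750 comm="guix-daemon" path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so" dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870060.000:270): avc:  denied  { write } for  pid=750 comm="guix-daemon" path="/var/guix/db/db.sqlite" dev="dm-0" ino=4242 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


@dataclass
class Denial:
    perms: set
    fields: dict = field(default_factory=dict)

    def ctx_type(self, key):
        """Type component of an SELinux context 'user:role:type[:range]'."""
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit-log AVC denial line; return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: q if q else b for k, q, b in FIELD_RE.findall(m.group("rest"))}
    return Denial(perms=set(m.group("perms").split()), fields=fields)


def diagnose(denial):
    """Return findings: wrong process label, wrong file label, or a missing rule."""
    findings = []
    src, tgt = denial.ctx_type("scontext"), denial.ctx_type("tcontext")
    path, tclass = denial.fields.get("path", ""), denial.fields.get("tclass", "")
    if src != DAEMON_TYPE:
        findings.append(f"process {denial.fields.get('comm')} runs as {src}, not {DAEMON_TYPE}")
    if STORE_CONTENT_RE.match(path):
        if tgt != STORE_TYPE:
            findings.append(f"{path} is labeled {tgt}, filecon expects {STORE_TYPE}: run restorecon")
        missing = denial.perms - ALLOWED.get(tclass, set())
        if missing:
            findings.append(f"policy lacks {sorted(missing)} on {tclass} for store content")
        elif findings:
            findings.append("with correct labels this access would be allowed")
    else:
        findings.append(f"{path} ({tgt}) is outside the store; check the policy for a rule covering it")
    return findings


def scan(log_text):
    """Diagnose every AVC denial in a chunk of audit-log text."""
    return [(d, diagnose(d)) for d in map(parse_avc, log_text.splitlines()) if d]


if __name__ == "__main__":
    for denial, findings in scan(SAMPLE_LOG):
        print(f"denied {sorted(denial.perms)} on {denial.fields.get('path')}")
        for f in findings:
            print("  -", f)
```

Run it against `ausearch -m AVC` output instead of SAMPLE_LOG to triage a real log: a denial whose only findings are label mismatches is fixed by relabeling (restorecon on the store, a domain transition for the daemon), whereas a "policy lacks" finding is a bug in guix-daemon.cil.in itself.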