From: Daniel Brooks
To: Marius Bakke
Cc: 44549@debbugs.gnu.org
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Fri, 13 Nov 2020 07:34:04 -0800
Message-ID: <87v9e95l03.fsf@db48x.net>
In-Reply-To: <87r1oxb96j.fsf@gnu.org> (Marius Bakke's message of "Fri, 13 Nov 2020 15:52:52 +0100")
References: <87sg9h8s5j.fsf@db48x.net> <87361ecm7f.fsf@gnu.org> <87v9ea6yhl.fsf@db48x.net> <87tutub4l9.fsf@gnu.org> <87eeky6sfd.fsf@db48x.net> <87r1oxb96j.fsf@gnu.org>
Marius Bakke writes:

> Interestingly, after updating the system (both RHEL8 and Guix) and
> rebooting, I got new SELinux troubles!
>
> I had to add these additional rules to make guix-daemon start again:
>
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 47fd12a214..3e254a2187 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -86,12 +86,15 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + self
> + (process (execmem)))

At some point we should track down why that one is necessary, perhaps
Guile has a JIT compiler or something?

> (allow init_t
> guix_store_content_t
> - (file (open read execute)))
> + (file (open read execute execute_no_trans map)))

This one looks pretty suspicious. I think it would allow any file
labeled guix_store_content_t to run in the init_t domain? We wouldn't
want that.

db48x
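Review bot: the last `+` line, `(file (open read execute execute_no_trans map))`, grants init_t execute_no_trans on every file labeled guix_store_content_t, so any store file can execute inside init_t itself, sidestepping the `(allow init_t guix_daemon_t (process (transition)))` kept as context just above it. Before widening init_t, find out why the transition is not taking place (a denial of execute_no_trans from init_t typically means the daemon's binary does not carry the type that triggers the transition), and if a grant really is needed, scope it to the daemon's own executable type rather than the whole store; the `map` permission on its own (mmap of the file) is the uncontroversial part of the line. The earlier `+ (allow init_t self (process (execmem)))` line has the same smell: it gives init itself, not guix_daemon_t, writable-and-executable memory, which is what you would expect to need if the daemon is running untransitioned in init_t, and it should go away once the transition works.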
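The worry raised above, that an execute_no_trans grant on a broad file type lets every file of that type run inside the source domain with no transition, is easy to overlook in a long CIL file. The script below is an added example for this review, not code from the Guix repository or from anyone in this thread: it parses CIL allow rules and flags execute_no_trans and execmem grants. The two policy snippets embedded in it are constructed from the quoted hunk (the region before and after Marius's change); the script assumes the inline `(class (perm ...))` access-vector form and skips rules that name a classpermissionset instead.

```python
"""Audit CIL allow rules for grants that let files run without a domain
transition (execute_no_trans) or let a domain create writable+executable
memory (execmem).

Added example for this review; not code from Guix's etc/guix-daemon.cil.in.
The two policy snippets below are constructed from the hunk quoted in the
thread (before and after the change).
"""
import re
import sys

# Constructed from the quoted hunk: the context lines before the change.
SAMPLE_CIL_BEFORE = """
(allow init_t guix_daemon_t (process (transition)))
(allow init_t guix_store_content_t (file (open read execute)))
"""

# Constructed from the quoted hunk: the same region after the change.
SAMPLE_CIL_AFTER = """
(allow init_t guix_daemon_t (process (transition)))
(allow init_t self (process (execmem)))
(allow init_t guix_store_content_t
       (file (open read execute execute_no_trans map)))
"""

# (class, permission) pairs that deserve a second look in any policy review.
RISKY_PERMS = {
    ("file", "execute_no_trans"):
        "files of the target type execute inside the source domain, "
        "so no domain transition happens",
    ("process", "execmem"):
        "the source domain may map memory both writable and executable",
}


def tokenize(text):
    """Split CIL text into '(', ')' and atoms, dropping ';' line comments."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse(tokens):
    """Turn a token stream into nested Python lists, one per S-expression."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in CIL input")
            expr = stack.pop()
            stack[-1].append(expr)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in CIL input")
    return stack[0]


def allow_rules(policy_text):
    """Return (source, target, class, perms) for each top-level allow rule.

    Only the inline (class (perm ...)) access-vector form is handled; a rule
    that names a classpermissionset is skipped rather than guessed at.
    'self' is resolved to the source type so reports show the real target.
    """
    rules = []
    for expr in parse(tokenize(policy_text)):
        if not (isinstance(expr, list) and len(expr) == 4 and expr[0] == "allow"):
            continue
        src, tgt, av = expr[1], expr[2], expr[3]
        if not (isinstance(av, list) and len(av) == 2 and isinstance(av[1], list)):
            continue
        cls, perms = av[0], av[1]
        rules.append((src, src if tgt == "self" else tgt, cls, frozenset(perms)))
    return rules


def audit(policy_text):
    """List every risky (class, perm) grant found in the policy text."""
    findings = []
    for src, tgt, cls, perms in allow_rules(policy_text):
        for perm in sorted(perms):
            reason = RISKY_PERMS.get((cls, perm))
            if reason:
                findings.append({"source": src, "target": tgt,
                                 "class": cls, "perm": perm, "reason": reason})
    return findings


def format_finding(f):
    """One human-readable line per finding."""
    return f"{f['source']} -> {f['target']} ({f['class']} {f['perm']}): {f['reason']}"


if __name__ == "__main__":
    # Usage: python audit_cil.py [policy.cil]; defaults to the post-change sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIL_AFTER
    for finding in audit(text):
        print(format_finding(finding))
```

Run against the pre-change snippet it reports nothing; against the post-change snippet it reports exactly the two lines Daniel singles out, init_t gaining execmem on itself and init_t gaining execute_no_trans on guix_store_content_t, while the `(process (transition))` rule is parsed but not flagged, since a transition into guix_daemon_t is the behaviour the policy wants.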