From mboxrd@z Thu Jan 1 00:00:00 1970
From: Catonano
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Tue, 13 Feb 2018 16:30:44 +0100
Message-ID:
References:
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="001a114d8b22a49ef5056519ad31"
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49853) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1elcXi-00023Q-8r for guix-devel@gnu.org; Tue, 13 Feb 2018 10:30:54 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1elcXf-0005gD-8W for guix-devel@gnu.org; Tue, 13 Feb 2018 10:30:50 -0500
Received: from mail-yw0-x231.google.com ([2607:f8b0:4002:c05::231]:42966) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1elcXe-0005fu-Uo for guix-devel@gnu.org; Tue, 13 Feb 2018 10:30:47 -0500
Received: by mail-yw0-x231.google.com with SMTP id e65so3974375ywh.9 for ; Tue, 13 Feb 2018 07:30:46 -0800 (PST)
In-Reply-To:
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Ricardo Wurmus
Cc: guix-devel

--001a114d8b22a49ef5056519ad31
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
>   for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
>   for executables spawned by the daemon (which are allowed to run in the
>   guix_daemon_t domain)
> * guix_daemon_socket_t
>   for the daemon socket file
> * guix_profiles_t
>   for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir).  Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”.  Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
>     sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>
> This will take a very long time (a couple of hours).
>
> Restart the daemon.  Check that it now runs in the guix_daemon_t
> context:
>
>     ps -Zax | grep /bin/guix-daemon
>
> This should return something like this
>
>     system_u:system_r:guix_daemon.guix_daemon_t:s0 14886 ? Ss   0:00 /root/.guix-profile/bin/guix-daemon --build-users-group=guix-builder
>
> Check the audit log for violations:
>
>     sudo tail -f /var/log/audit/audit.log | grep x-daemon
>
> And then use Guix:
>
>     guix build --no-grafts --check hello
>
> The audit log shouldn’t show you any complaints.  At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.
>
> Open issues:
>
> * guix_daemon_socket_t isn’t actually used.  All of the socket
>   operations that I observed involve contexts that don’t have anything
>   to do with guix_daemon_socket_t.  It doesn’t hurt to have this unused
>   label, but I would have preferred to define socket rules for only this
>   label.  Oh well.
>
> * “guix gc” cannot access arbitrary links to profiles.  By design, the
>   file label of the destination of a symlink is independent of the file
>   label of the link itself.  Although all profiles under $localstatedir
>   are labelled, the links to these profiles inherit the label of the
>   directory they are in.  For links in the user’s home directory this
>   will be “user_home_t” (for which I’ve added a rule).  But for links
>   from root’s home directory, or /tmp, or the HTTP server’s working
>   directory … this won’t work.  “guix gc” would be prevented from
>   reading and following these links.
>
> * I don’t know if the daemon’s TCP listen feature still works.  I didn’t
>   test it and assume that it would require extra rules, because SELinux
>   treats network sockets differently from files.
>
> * Is this all correct?  I don’t know!  I only just learned about the
>   SELinux Common Intermediate Language (CIL), and the documentation is
>   very sparse, so I have no idea if I did something stupid.  It seems
>   fine to me, but I must admit that I find it a bit uncomfortable to see
>   so many access types in the rules.
>
> * I allowed type transitions from init_t to guix_daemon_t via
>   guix_daemon_exec_t, but also from guix_store_content_t to
>   guix_daemon_t via guix_daemon_exec_t.  Type transitions are necessary
>   to get from an allowed entry point to a domain.  On Fedora “init_t” is
>   the domain in which processes are that are spawned by the init
>   system.  With the first type transition I permit these processes to
>   transition to the guix_daemon_t domain when the executables are
>   labeled as guix_daemon_exec_t (such as the daemon executable itself,
>   and all the helpers it spawns).
>
>   This much is obvious.  But the second type transition is less obvious.
>   It is needed to make sure that we can enter the guix_daemon_t domain
>   even when running the daemon from an executable in the store (which
>   will be running in the “guix_store_content_t” domain).  Thinking of
>   this, I wonder if maybe that’s actually a mistake and shouldn’t be
>   permitted.
>
> * A possible problem is that I assign all files with a name matching
>   “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
>   “guix_daemon_exec_t”; this means that *any* file with that name in any
>   profile would be permitted to run in the guix_daemon_t domain.  This
>   is not ideal.  An attacker could build a package that provides this
>   executable and convince a user to install and run it, which lifts it
>   into the guix_daemon_t domain.  At that point SELinux could not
>   prevent it from accessing files that are allowed for processes in that
>   domain (such as the actual daemon).
>
>   This makes me wonder if we could do better by generating a much more
>   restrictive policy at installation time, so that only the *exact* file
>   name of the currently installed guix-daemon executable would be
>   labelled with guix_daemon_exec_t, instead of using a regular
>   expression like that.  This means that root would have to
>   install/upgrade the policy at installation time whenever the Guix
>   package that provides the effectively running guix-daemon executable
>   is upgraded.  Food for thought.
>
> Without further ado, here’s the patch:
>
>
>
> --
> Ricardo
>
>

Ok, I followed all these steps

While processing

    guix build --no-grafts --check hello

I got some violations, an example follows

SELinux impedisce a .guix-real un accesso write su sock_file /var/guix/daemon-socket/socket.

***** Plugin catchall(100. confidenza) suggerisce**************************

If you believe that .guix-real should be allowed write access on the socket sock_file by default.
Quindi si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Fai
allow this access for now by executing:
# ausearch -c '.guix-real' --raw | audit2allow -M my-guixreal
# semodule -X 300 -i my-guixreal.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Contesto target               system_u:object_r:guix_daemon.guix_daemon_conf_t:s0
Oggetti target                /var/guix/daemon-socket/socket [ sock_file ]
Sorgente                      .guix-real
Percorso della sorgente       .guix-real
Porta                         <Sconosciuto>
Host                          localhost.localdomain
Sorgente Pacchetti RPM
Pacchetti RPM target
RPM della policy              selinux-policy-3.13.1-283.24.fc27.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Permissive
Host Name                     localhost.localdomain
Piattaforma                   Linux localhost.localdomain 4.14.16-300.fc27.x86_64 #1 SMP Wed Jan 31 19:24:27 UTC 2018 x86_64 x86_64
Conteggio avvisi              1
Primo visto                   2018-02-13 16:26:40 CET
Ultimo visto                  2018-02-13 16:26:40 CET
ID locale                     795369db-8842-4253-ac70-bfab33d85c47

Messaggi Raw Audit
type=AVC msg=audit(1518535600.232:493): avc: denied { write } for pid=2978 comm=".guix-real" name="socket" dev="dm-0" ino=2754019 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=sock_file permissive=1

Hash: .guix-real,unconfined_t,guix_daemon.guix_daemon_conf_t,sock_file,write

There are some more, it's just that fetching them in the Gnome GUI is not immediate

But I can publish my /var/log/audit/audit.log file somewhere

Oh wait, I could catch another one right now, here it is

SELinux impedisce a .guix-real un accesso write su sock_file /var/guix/daemon-socket/socket.

***** Plugin catchall(100. confidenza) suggerisce**************************

If you believe that .guix-real should be allowed write access on the socket sock_file by default.
Quindi si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Fai
allow this access for now by executing:
# ausearch -c '.guix-real' --raw | audit2allow -M my-guixreal
# semodule -X 300 -i my-guixreal.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Contesto target               system_u:object_r:guix_daemon.guix_daemon_conf_t:s0
Oggetti target                /var/guix/daemon-socket/socket [ sock_file ]
Sorgente                      .guix-real
Percorso della sorgente       .guix-real
Porta                         <Sconosciuto>
Host                          localhost.localdomain
Sorgente Pacchetti RPM
Pacchetti RPM target
RPM della policy              selinux-policy-3.13.1-283.24.fc27.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Permissive
Host Name                     localhost.localdomain
Piattaforma                   Linux localhost.localdomain 4.14.16-300.fc27.x86_64 #1 SMP Wed Jan 31 19:24:27 UTC 2018 x86_64 x86_64
Conteggio avvisi              1
Primo visto                   2018-02-13 16:26:40 CET
Ultimo visto                  2018-02-13 16:26:40 CET
ID locale                     795369db-8842-4253-ac70-bfab33d85c47

Messaggi Raw Audit
type=AVC msg=audit(1518535600.232:493): avc: denied { write } for pid=2978 comm=".guix-real" name="socket" dev="dm-0" ino=2754019 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=sock_file permissive=1

Hash: .guix-real,unconfined_t,guix_daemon.guix_daemon_conf_t,sock_file,write

I'll keep following this

Thanks
Ciao
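The raw audit record quoted above is the thing a policy author actually reads, and the interesting part of this one is its triple: the client process `.guix-real` runs as unconfined_t, the socket at /var/guix/daemon-socket/socket carries guix_daemon.guix_daemon_conf_t rather than the guix_daemon_socket_t label the policy defines, and permissive=1 means the write was logged but not blocked. The following is an added Python example, not code from this thread or from Guix: it parses AVC records in the format shown above, groups denials by (source type, target type, class) the way audit2allow does, and prints the CIL allow statement that would silence each tuple so it can be reviewed rather than applied blindly. The sample records are constructed: the first is the denial posted above, the second is an invented getattr denial on the same socket, the third is a non-AVC record that must be ignored.

```python
"""Parse and summarise SELinux AVC denials from /var/log/audit/audit.log.

Added example, not code from the thread or from Guix.  The record format is
the one quoted in the thread; SAMPLE_AUDIT_LINES are constructed (see the
comments on each).
"""
import re
from collections import defaultdict

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted" (comm, name, dev, path) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LINES = [
    # the denial quoted in the thread
    'type=AVC msg=audit(1518535600.232:493): avc: denied { write } for pid=2978 '
    'comm=".guix-real" name="socket" dev="dm-0" ino=2754019 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 '
    'tclass=sock_file permissive=1',
    # constructed: a second denial on the same object with a different permission
    'type=AVC msg=audit(1518535600.240:494): avc: denied { getattr } for pid=2978 '
    'comm=".guix-real" path="/var/guix/daemon-socket/socket" dev="dm-0" ino=2754019 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 '
    'tclass=sock_file permissive=1',
    # constructed: the SYSCALL record that accompanies an AVC; not a denial
    'type=SYSCALL msg=audit(1518535600.232:493): arch=c000003e syscall=42 success=yes',
]


def context_type(ctx):
    """user:role:type[:mls] -> type.  Types declared in a CIL module keep their
    qualified name (guix_daemon.guix_daemon_conf_t), so split on ':' only."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1: the access was logged but NOT blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarise(lines):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(),
                                  "permissive": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["permissive"] = g["permissive"] or rec["permissive"]
    return dict(groups)


def cil_allow_rule(source_type, target_type, tclass, perms):
    """The CIL allow statement that would silence this tuple.  For review only:
    for the thread's denial the question is why the socket carries
    guix_daemon_conf_t instead of guix_daemon_socket_t, not whether to allow."""
    return "(allow %s %s (%s (%s)))" % (source_type, target_type, tclass,
                                         " ".join(sorted(perms)))


def report(lines):
    """Human-readable summary: one line per tuple plus the candidate rule."""
    out = []
    for (src, tgt, cls), g in sorted(summarise(lines).items()):
        mode = "permissive (logged only)" if g["permissive"] else "enforcing (blocked)"
        out.append("%d denial(s): %s -> %s [%s] perms=%s by %s, %s" % (
            g["count"], src, tgt, cls, ",".join(sorted(g["perms"])),
            ",".join(sorted(g["comms"])), mode))
        out.append("  candidate rule: " + cil_allow_rule(src, tgt, cls, g["perms"]))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LINES)))
```

Run it against real records with `ausearch -m AVC --raw` piped into `report()`; the grouping makes it obvious when many denials collapse to one label mismatch, which is the case here: every record has the same target type, so the fix belongs in the filecon statements (or in relabelling the socket directory), not in a local allow module.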
--001a114d8b22a49ef5056519ad31--