From: Laura Lazzati
Subject: Re: SELinux log
Date: Mon, 17 Jun 2019 00:32:24 -0300
To: Ricardo Wurmus
Cc: Guix-devel

Hi!

> * I’m repeating myself here: do *not* use enforcing mode.  Do use
>   permissive mode only.

Oh, sorry for this, it was the "easy" way of checking that it didn't work. I have byobu running now with a tail -f of the audit log.

My question was more like "I am hardcoding the path to guix -at least before doing a guix pull -, I cannot understand why that doesn't work, even if I did it just for trying if it solved partially why guix was not found. On the other hand, I get:

type=AVC msg=audit(1560741907.590:426): avc:  denied  { search } for  pid=31810 comm="which" name="gnu" dev="dm-0" ino=931548 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0 tclass=dir permissive=1

Should I add something allowing commands under /usr/bin to operate over guix? Or am I mixing things too much?

Regards :)
Laura

--
> Ricardo
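Added example, not part of the original message: a small Python parser that splits the AVC record quoted above into the fields that matter when reading it (source type, target type, object class, permission, and whether the denial was only logged). The function names and the treatment of a missing permissive= field are assumptions of this example.

```python
import re

# The AVC record quoted in the message above, copied from the page.
AVC = ('type=AVC msg=audit(1560741907.590:426): avc:  denied  { search } for  '
       'pid=31810 comm="which" name="gnu" dev="dm-0" ino=931548 '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0 '
       'tclass=dir permissive=1')

HEAD = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$')
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] security context.

    The MLS range may itself contain ':' (s0-s0:c0.c1023), so split at most
    three times and take the third field.
    """
    return context.split(':', 3)[2]


def parse_avc(line):
    """Parse one AVC audit record into a dict of the fields used for triage."""
    m = HEAD.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    decision, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in PAIR.findall(rest)}
    return {
        'decision': decision,
        'perms': perms.split(),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # permissive=1 means the access was logged but still allowed.
        # Assumption of this example: a record without the field is
        # treated as enforced.
        'blocked': decision == 'denied' and fields.get('permissive', '0') == '0',
    }


def describe(rec):
    """One-line summary: who tried what on which labelled object."""
    outcome = 'blocked' if rec['blocked'] else 'logged only (permissive)'
    return '{} ({}) -> {} "{}" ({}) {{ {} }}: {}'.format(
        rec['comm'], rec['source_type'], rec['tclass'], rec['name'],
        rec['target_type'], ' '.join(rec['perms']), outcome)


if __name__ == '__main__':
    print(describe(parse_avc(AVC)))
```
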