bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

[josephenry via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 4509 bytes --]

Hi,

I am starting with Guix and I just installed it on a CentOS Linux 8 x86_64 (kernel 4.18.0-240.15.1.el8_3.x86_64)

It went well but the daemon service exited and I couldn't install a package :

$ sudo systemctl status guix-daemon.service
● guix-daemon.service - Build daemon for GNU Guix
Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2021-04-24 01:44:16 CEST; 16min ago
Process: 92489 ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild (code=exited, status=203/EXEC)
Main PID: 92489 (code=exited, status=203/EXEC)

Apr 24 01:44:16 localhost.localdomain systemd[1]: Started Build daemon for GNU Guix.
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Failed with result 'exit-code'.

I found this similar bug report Fedora : https://bugzilla.redhat.com/show_bug.cgi?id=1433971

It seems to be related to the SELinux policy.

// ----------------------------------------------------------------------------

I run :

$ journalctl -t setroubleshoot
Apr 24 01:30:30 localhost.localdomain setroubleshoot[92081]: AnalyzeThread.run(): Set alarm timeout to 10
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: Deleting alert f25667a8-16fa-447b-8df1-8bd6a8cddc10, it is allowed in current policy
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: AnalyzeThread.run(): Cancel pending alarm
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon. For complete SELinux messages run: sealert -l f4db012c-2639-4a2a-80>
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

$ sudo sealert -l f4db012c-2639-4a2a-809a-023ba4accbfd
SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed execute access on the guix-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sesinetd' --raw | audit2allow -M my-sesinetd
# semodule -X 300 -i my-sesinetd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects guix-daemon [ file ]
Source sesinetd
Source Path /usr/bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-239-41.el8_3.2.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1
17:16:16 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-03-20 21:06:10 CET
Last Seen 2021-04-24 01:44:16 CEST
Local ID f4db012c-2639-4a2a-809a-023ba4accbfd

Raw Audit Messages
type=AVC msg=audit(1619221456.618:467): avc: denied { execute } for pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1619221456.618:467): arch=x86_64 syscall=execve success=no exit=EACCES a0=5609e6745860 a1=5609e6600e20 a2=5609e66a8720 a3=2d646c6975622d2d items=0 ppid=1 pid=92489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(x-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: sesinetd,init_t,user_tmp_t,file,execute

// ----------------------------------------------------------------------------

I tried executing the commands provided by SELinux to allow the access but it doesn't work and I don't really understand how it works.

Also on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist so I don't know how to run the command.

Has anyone gotten to run guix on a CentOS with SELinux enabled?

Any help would be greatly appreciated!

Thanks

Joseph

[-- Attachment #2: Type: text/html, Size: 8694 bytes --]

bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

[Ludovic Courtès]

Hi,

josephenry <josephenry@protonmail.com> skribis:

> Also on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist so I don't know how to run the command.
>
> Has anyone gotten to run guix on a CentOS with SELinux enabled?

I’m not familiar with SELinux, but the .cil file is available in Guix
itself:

--8<---------------cut here---------------start------------->8---
$ wget -qO - https://ftp.gnu.org/gnu/guix/guix-binary-1.2.0.x86_64-linux.tar.xz | xz -d | tar tv | grep '\.cil'
-r--r--r-- root/root     13492 1970-01-01 01:00 ./gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
--8<---------------cut here---------------end--------------->8---

Hope this helps!

Ludo’.

bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

[josephenry]

Hi Ludo,

Thanks for your answer and sorry for the late response!

Actually I did :

```
sudo semodule -i /gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
```

and then tried to use restorecon as stated in the doc :

```
sudo restorecon /gnu
```

but restarting guix didn't work, I am probably not doing it the right way...

What does that mean in the documentation :

Then relabel the file system with restorecon or by a different mechanism provided by your system.

Can someone provide some explanation about this?

Thanks

bug#47985: (No Subject)

[josephenry via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 559 bytes --]

Hi Ludo,

Thanks for your answer and sorry for the late response!

Actually I did :

``` sudo semodule -i /gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil ```

and then tried to use restorecon as stated in the doc :

``` sudo restorecon /gnu ```

but restarting guix didn't work, I am probably not doing it the right way...

What does that mean in the documentation :

Then relabel the file system with restorecon or by a different mechanism provided by your system. Can someone provide some explanation about this?

Thanks

[-- Attachment #2: Type: text/html, Size: 857 bytes --]

bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix

[Ricardo Wurmus]

Hi,

the cil file has been updated to work with a more recent base policy as
provided by current Fedora releases.  We also updated the documentation
to make the relabeling step a little clearer.

Does this solve your problem?

-- 
Ricardo