Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
To: 44549@debbugs.gnu.org
From: Daniel Brooks
Date: Tue, 10 Nov 2020 01:42:16 -0800
Message-ID: <87sg9h8s5j.fsf@db48x.net>
Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-etc-updates-for-the-guix-daemon-SELinux-policy.patch

From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in: I can't promise that this is a complete list of
everything that guix-daemon needs, but it's probably most of them. It can
search for, install, upgrade, and remove packages, create virtual machines,
update itself, and so on. I haven't tried creating containers yet, which might
reveal more things to add.
---
 etc/guix-daemon.cil.in | 170 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 152 insertions(+), 18 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in index e0c9113498..666e5677a3 100644 --- a/etc/guix-daemon.cil.in +++ b/etc/guix-daemon.cil.in @@ -21,6 +21,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions it +;; ought to have. Use ausearch --raw to find the permissions violations, then +;; pipe that to audit2allow to generate an updated policy. You'll still need +;; to translate that policy into CIL in order to update this file, but that's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +46,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +72,27 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +109,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink setattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +157,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +176,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +249,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +259,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +267,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +292,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,6 +315,17 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read))) ;; Socket operations (allow guix_daemon_t 
@@ -253,12 +346,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" 
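Review bot: in hunk @@ -71,25 +109,44 @@ the comment `;; permit downloading packages via HTTP(s)` undersells the rules beneath it, which also grant `name_connect` to `ftp_port_t` and `ephemeral_port_t`; say which download path needs FTP and which substitute or mirror setups answer on ephemeral ports, so either rule can be dropped later if it turns out unnecessary. In the same hunk the new `tmp_t` file rule grants `execute execute_no_trans map` together with `relabelto`, so the daemon may run binaries out of /tmp and relabel them; a one-line comment naming the operation that needs this would let a later reviewer judge whether a dedicated temporary type scoped to builds would be tighter.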
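Review bot: in hunk @@ -100,10 +157,10 @@ the `execmem` permission added to the `self (process ...)` rule lets the domain map memory that is both writable and executable, which is the one process-level W^X check SELinux enforces for this domain; it should be justified in a comment naming the component that needs it (a JIT in one of the helpers the daemon runs without a domain transition, given the `execute_no_trans` rule below, would be the usual reason), and `setrlimit setpgid setsched` deserve a word for the same reason. Suggested: `;; execmem: needed by <component>; the rest is build-process management`, with the placeholder filled in.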
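Review bot: in hunk @@ -119,38 +176,51 @@ `sys_admin` is added to the capability set next to `sys_chroot`; it is the broadest capability there is (mount(2) and namespace setup require it), so it is probably unavoidable for build isolation, but the `;; Build isolation` comment should say so explicitly. Once it is granted, the per-type `(filesystem (mount))` rules for `devpts_t`, `tmpfs_t` and `proc_t` in the same hunk are what still bound which filesystems the daemon can mount, so keep them explicit rather than ever widening one of them to `fs_t`.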
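Review bot: in hunk @@ -253,12 +346,53 @@ the `port_t (tcp_socket (name_connect))` rule permits outbound connections to every port that carries no more specific label, which is close to unrestricted outbound TCP for the daemon; if it exists for substitute servers on arbitrary ports, say so in a comment, since it is the rule most worth revisiting. The `vnc_port_t` and `rtp_media_port_t` `name_bind` rules and the `unreserved_port_t ... listen` rule presumably serve `guix system vm` like the `kvm_device_t` rule does, yet only the KVM rule sits under the `;; guix system vm` comment; grouping them there lets a deployment that never builds VMs see what it can drop. The `;; I guess sometimes it needs random numbers` comment should be stated as a fact or removed.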
-- 
2.26.2

From: Marius Bakke
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>
Date: Thu, 12 Nov 2020 22:13:56 +0100
Message-ID: <87361ecm7f.fsf@gnu.org>

Hello Daniel,

Thanks a lot for this.

Daniel Brooks writes:

> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.

This commit message is somewhat unorthodox. :-)

Perhaps it can be shortened to:

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

[...]

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@ > ;; Intermediate Language (CIL). It refers to types that must be defined= in > ;; the system's base policy. >=20=20 > +;; If you, like me, need advice about fixing an SELinux policy, I recomm= end > +;; reading https://danwalsh.livejournal.com/55324.html > + > +;; In particular, you can run semanage permissive -a guix_daemon.guix_da= emon_t > +;; to allow guix-daemon to do whatever it wants. SELinux will still chec= k its > +;; permissions, and when it doesn't have permission it will still send an > +;; audit message to your system logs. This lets you know what permission= s it > +;; ought to have. Use ausearch --raw to find the permissions violations,= then > +;; pipe that to audit2allow to generate an updated policy. You'll still = need > +;; to translate that policy into CIL in order to update this file, but t= hat's > +;; fairly straight-forward. Annoying, but easy. I'm not sure about the second paragraph. It's mainly a rehash of the blog post, no? And there are many other ways to go about troubleshooting SELinux (I did not use ausearch at all). Anyway! I tried it on RHEL8, and had to do a few more tweaks to get it working: --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=diff diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in index 666e5677a3..b5909f1b18 100644 --- a/etc/guix-daemon.cil.in +++ b/etc/guix-daemon.cil.in @@ -84,6 +84,9 @@ (allow init_t guix_daemon_t (process (transition))) + (allow init_t + guix_store_content_t + (lnk_file (read))) (allow init_t guix_store_content_t (file (open read execute))) @@ -166,6 +169,9 @@ (allow guix_daemon_t root_t (dir (mounton))) + (allow guix_daemon_t + guix_daemon_socket_t + (sock_file (unlink))) (allow guix_daemon_t fs_t (filesystem (getattr))) 
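Review bot: in hunk @@ -84,6 +84,9 @@ the new `init_t` → `guix_store_content_t` `lnk_file (read)` rule pairs with the existing `guix_profiles_t (lnk_file (read))` rule just above it: if the unit file's ExecStart points at `/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon`, init resolves a symlink chain whose last hops live in the store, so both labels are needed. A comment saying the pair exists for the profile symlink chain would stop one of them being removed later as redundant.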
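Review bot: in hunk @@ -166,6 +169,9 @@ `sock_file (unlink)` is the only permission the daemon domain gets on `guix_daemon_socket_t`. A freshly created socket takes its parent directory's label unless a type transition applies, so once the daemon unlinks and re-creates its socket the new file will no longer be `guix_daemon_socket_t`, which fits the `guix_daemon_conf_t` label Daniel reports seeing on his. Check the socket with `ls -Z` after a daemon restart; if the label is wrong, the fix is a `(typetransition guix_daemon_t <parent-dir-type> sock_file guix_daemon_socket_t)` (placeholder for the directory's type) plus the matching `create` and `setattr` permissions, not `unlink` alone.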
@@ -348,7 +354,12 @@
          getopt setopt)))
   (allow guix_daemon_t
          self
-         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
+         (netlink_route_socket (read write)))
+  (allow guix_daemon_t
+         self
+         (tcp_socket (accept
+                      listen bind connect create read write
+                      setopt getopt getattr ioctl)))
   (allow guix_daemon_t
          unreserved_port_t
          (tcp_socket (name_bind name_connect accept listen)))

Can you test these additional changes on Fedora?

With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation! :-)

Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?

Thanks! It's really great to get this in before 1.2.0.

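Review bot: in hunk @@ -348,7 +354,12 @@ the `self (netlink_route_socket (read write))` statement covers the same source, target and class as the `(netlink_route_socket (bind create getattr nlmsg_read))` rule under `;; self upgrades` in the previous patch; merge the two into one statement so the full permission set on that socket class is readable in one place. Splitting the long `tcp_socket` line and adding `read write` to it is fine as it stands.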
From: Daniel Brooks
Date: Thu, 12 Nov 2020 13:45:10 -0800
In-Reply-To: <87361ecm7f.fsf@gnu.org> (Marius Bakke's message of "Thu, 12 Nov 2020 22:13:56 +0100")
Message-ID: <87v9ea6yhl.fsf@db48x.net>

Marius Bakke writes:

> Hello Daniel,
>
> Thanks a lot for this.

You're welcome.

> Daniel Brooks writes:
>
>> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>> From: Daniel Brooks
>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>
>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>> everything that guix-daemon needs, but it's probably most of them. It can
>> search for, install, upgrade, and remove packages, create virtual machines,
>> update itself, and so on. I haven't tried creating containers yet, which might
>> reveal more things to add.
>
> This commit message is somewhat unorthodox. :-)
>
> Perhaps it can be shortened to:
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.

I suppose. Personally I dislike the changelog style commit messages, but
when in Rome…

>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>> +;; permissions, and when it doesn't have permission it will still send an
>> +;; audit message to your system logs. This lets you know what permissions it
>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>> +;; to translate that policy into CIL in order to update this file, but that's
>> +;; fairly straight-forward. Annoying, but easy.
>
> I'm not sure about the second paragraph. It's mainly a rehash of the
> blog post, no? And there are many other ways to go about
> troubleshooting SELinux (I did not use ausearch at all).

True. I just wanted a quick summary somewhere in the source so that
future us won't have to rely on a random blog post, even one from Dan
Walsh.

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 666e5677a3..b5909f1b18 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -84,6 +84,9 @@ > (allow init_t > guix_daemon_t > (process (transition))) > + (allow init_t > + guix_store_content_t > + (lnk_file (read))) This one is a little unusual; is your service file symlinked or something? > (allow init_t > guix_store_content_t > (file (open read execute))) > @@ -166,6 +169,9 @@ > (allow guix_daemon_t > root_t > (dir (mounton))) > + (allow guix_daemon_t > + guix_daemon_socket_t > + (sock_file (unlink))) That shouldn't be a problem, though we don't have any other rules for guix_daemon_socket_t. Possibly that is because my socket file is labeled guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled correctly when created, and hasn't been relabeled since. > (allow guix_daemon_t > fs_t > (filesystem (getattr))) 
> @@ -348,7 +354,12 @@
>           getopt setopt)))
>    (allow guix_daemon_t
>           self
> -         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
> +         (netlink_route_socket (read write)))
> +  (allow guix_daemon_t
> +         self
> +         (tcp_socket (accept
> +                      listen bind connect create read write
> +                      setopt getopt getattr ioctl)))

These are fine; in fact I discovered these myself this morning and was
going to send a patch.

> Can you test these additional changes on Fedora?

Yes, I'll let you know if there are any problems. Also, I'll investigate
the socket file some more.

> With this, I no longer have to go through 'guix pack' and 'podman' to
> run Guix packages on my RHEL workstation! :-)

Ideal :)

> Also, is it OK to add you to the list of contributors at the top of the
> file with this name and address?

Certainly.

db48x

From: Marius Bakke
In-Reply-To: <87v9ea6yhl.fsf@db48x.net>
Date: Thu, 12 Nov 2020 23:19:46 +0100
Message-ID: <87tutub4l9.fsf@gnu.org>

Daniel Brooks writes:

>> Daniel Brooks writes:
>>
>>> From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>>> From: Daniel Brooks
>>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>>
>>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>>> everything that guix-daemon needs, but it's probably most of them. It can
>>> search for, install, upgrade, and remove packages, create virtual machines,
>>> update itself, and so on. I haven't tried creating containers yet, which might
>>> reveal more things to add.
>>
>> This commit message is somewhat unorthodox. :-)
>>
>> Perhaps it can be shortened to:
>>
>> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
>> guix-daemon to account for daemon updates and newer SELinux.
>
> I suppose. Personally I dislike the changelog style commit messages, but
> when in Rome…

It's not a very strong opinion. I think it would be fine without the
first person style.

>>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>>> +;; permissions, and when it doesn't have permission it will still send an
>>> +;; audit message to your system logs. This lets you know what permissions it
>>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>>> +;; to translate that policy into CIL in order to update this file, but that's
>>> +;; fairly straight-forward. Annoying, but easy.
>>
>> I'm not sure about the second paragraph. It's mainly a rehash of the
>> blog post, no? And there are many other ways to go about
>> troubleshooting SELinux (I did not use ausearch at all).
>
> True. I just wanted a quick summary somewhere in the source so that
> future us won't have to rely on a random blog post, even one from Dan
> Walsh.

Fair point.
I can imagine a scenario when I'm stuck on a SELinux system without an internet connection. >> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in >> index 666e5677a3..b5909f1b18 100644 >> --- a/etc/guix-daemon.cil.in >> +++ b/etc/guix-daemon.cil.in >> @@ -84,6 +84,9 @@ >> (allow init_t >> guix_daemon_t >> (process (transition))) >> + (allow init_t >> + guix_store_content_t >> + (lnk_file (read))) > > This one is a little unusual; is your service file symlinked or something? Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon? >> (allow init_t >> guix_store_content_t >> (file (open read execute))) >> @@ -166,6 +169,9 @@ >> (allow guix_daemon_t >> root_t >> (dir (mounton))) >> + (allow guix_daemon_t >> + guix_daemon_socket_t >> + (sock_file (unlink))) > > That shouldn't be a problem, though we don't have any other rules for > guix_daemon_socket_t. Possibly that is because my socket file is labeled > guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled > correctly when created, and hasn't been relabeled since. It could also be an artifact from my ancient experiments with Guix and SELinux on this system. Perhaps we should test on a "clean" system to verify, I can do that next week. >> (allow guix_daemon_t >> fs_t >> (filesystem (getattr))) 
>> @@ -348,7 +354,12 @@
>>           getopt setopt)))
>>    (allow guix_daemon_t
>>           self
>> -         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
>> +         (netlink_route_socket (read write)))
>> +  (allow guix_daemon_t
>> +         self
>> +         (tcp_socket (accept
>> +                      listen bind connect create read write
>> +                      setopt getopt getattr ioctl)))
>
> These are fine; in fact I discovered these myself this morning and was
> going to send a patch.
>
>> Can you test these additional changes on Fedora?
>
> Yes, I'll let you know if there are any problems. Also, I'll investigate
> the socket file some more.

Awesome, thanks a lot! Can you "squash" the relevant changes from my
patch and send a new patch when you are done?

As a side note, I've seen a couple other audit messages from guix-daemon,
although they don't seem to cause a problem in practice.

type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0

Not sure what that's about.
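The workflow the patch comment describes (collect AVC denials with ausearch, run them through audit2allow, then translate to CIL by hand) applied to the records above, as an added example that is neither code from the Guix tree nor from either author: it parses AVC records, merges permissions per (source type, target type, class) the way audit2allow does, and renders CIL `allow` statements in the layout of etc/guix-daemon.cil.in. The sample input is the three AVC lines from this message decoded from quoted-printable; the block-prefix handling assumes the statements are pasted inside `(block guix_daemon ...)`.

```python
"""Turn raw AVC denial records into CIL allow statements.

Added example (not code from the Guix tree): the "ausearch --raw, then
audit2allow, then hand-translate to CIL" workflow from the patch comment,
for the common case of plain allow rules.
"""
import re
from collections import OrderedDict

# Sample input: the three AVC records posted in this thread, decoded from
# quoted-printable.  The first two are the same event logged twice.
SAMPLE_AVC = """\
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
"""

# One AVC record per line; only the denied permissions, the two security
# contexts and the object class matter for writing a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type:level -> type; the type is all an allow rule uses."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PROCTITLE and other record types are skipped
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def collect_rules(text):
    """Merge denials per (source, target, class), as audit2allow does."""
    rules = OrderedDict()
    for src, tgt, cls, perms in parse_avc(text):
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def cil_type(name, block):
    """Drop the 'block.' qualifier for types emitted inside that CIL block."""
    prefix = block + "."
    return name[len(prefix):] if name.startswith(prefix) else name


def to_cil(rules, block="guix_daemon", indent="  "):
    """Render merged denials as CIL allow statements in the policy's layout.

    Assumes the statements are pasted inside (block guix_daemon ...), so
    guix_daemon.guix_daemon_t becomes guix_daemon_t and a rule whose
    source and target coincide uses 'self'.
    """
    stmts = []
    cont = indent + " " * len("(allow ")  # align with the policy's style
    for (src, tgt, cls), perms in rules.items():
        s = cil_type(src, block)
        t = "self" if src == tgt else cil_type(tgt, block)
        stmts.append(f"{indent}(allow {s}\n{cont}{t}\n"
                     f"{cont}({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(stmts)


if __name__ == "__main__":
    print(to_cil(collect_rules(SAMPLE_AVC)))
```

Whether a merged rule should become `allow` or `dontaudit` is still a human decision; the `init_t` to `guix_daemon_t` `siginh` denial, for instance, is checked at the domain transition on exec rather than caused by anything the daemon itself does.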
From unknown Mon Aug 18 15:38:57 2025
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
From: Daniel Brooks
To: Marius Bakke
Cc: 44549@debbugs.gnu.org
References: <87sg9h8s5j.fsf@db48x.net> <87361ecm7f.fsf@gnu.org> <87v9ea6yhl.fsf@db48x.net> <87tutub4l9.fsf@gnu.org>
Date: Thu, 12 Nov 2020 15:56:06 -0800
In-Reply-To: <87tutub4l9.fsf@gnu.org> (Marius Bakke's message of "Thu, 12 Nov 2020 23:19:46 +0100")
Message-ID: <87eeky6sfd.fsf@db48x.net>

Marius Bakke writes:

>>> + (allow init_t >>> + guix_store_content_t >>> + (lnk_file (read)))
>>
>> This one is a little unusual; is your service file symlinked or something?
>
> Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
> to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?

That was it.
Not sure how I left that one out, in fact.

>>> + (allow guix_daemon_t >>> + guix_daemon_socket_t >>> + (sock_file (unlink)))
>>
>> That shouldn't be a problem, though we don't have any other rules for
>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>> correctly when created, and hasn't been relabeled since.
>
> It could also be an artifact from my ancient experiments with Guix and
> SELinux on this system. Perhaps we should test on a "clean" system to
> verify, I can do that next week.

Ok, I figured this one out. When the socket file is created it is labeled at guix_daemon_conf_t, but the filecon rules will cause that to be relabeled to guix_daemon_socket_t at some point in the future. When the guix-daemon process stops it tries to delete the socket file, but can't. I'll go ahead and include the rule.

> Can you "squash" the relevant changes from my patch and send a new patch
> when you are done?

Will do.

>
> As a side note, I've seen a couple other audit messages from
> guix-daemon, although they don't seem to cause a problem in
> practice.
>
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
> permissive=0

The first two are already covered by the new policy, and the third is inconsequential. The kernel checks on our behalf to see if our child processes are allowed to inherit our signal state. That's usually disallowed, so that rule is marked 'dontaudit' so that it doesn't spam the logs; you probably had that disabled. I'm not going to add a rule allowing that one; it would just cause accidents.
db48x

From unknown Mon Aug 18 15:38:57 2025
Subject: [bug#44549] [PATCH v2] etc: updates for the guix-daemon SELinux policy
From: Daniel Brooks
To: 44549@debbugs.gnu.org
References: <87sg9h8s5j.fsf@db48x.net>
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>
Date: Thu, 12 Nov 2020 16:01:54 -0800
Message-ID: <87a6vm6s5p.fsf@db48x.net>
Content-Disposition: inline; filename=0001-etc-updates-for-the-guix-daemon-SELinux-policy.patch

>From a4262f3ee0feb98d84e0eeb4b86c1575f00e2078 Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v2] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for guix-daemon to account for daemon updates and newer SELinux. I can't promise that this is a complete list of everything that guix-daemon needs, but it's probably most of them. It can search for, install, upgrade, and remove packages, create virtual machines and containers, update itself, and so on.
---
 etc/guix-daemon.cil.in | 175 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 157 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..5de89eb98e 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@ ; -*- lisp -*- ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2018 Ricardo Wurmus +;;; Copyright =C2=A9 2020 Daniel Brooks +;;; Copyright =C2=A9 2020 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;;
@@ -21,6 +23,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. =20 +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daem= on_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check = its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions = it +;; ought to have. Use ausearch --raw to find the permissions violations, t= hen +;; pipe that to audit2allow to generate an updated policy. You'll still ne= ed +;; to translate that policy into CIL in order to update this file, but tha= t's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +48,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) =20 ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +74,30 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) =20 + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (lnk_file (read))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +114,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd = shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) =20 ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink s= etattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +162,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) =20 ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +181,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (file (create open read unlink write))) + (allow guix_daemon_t + tmpfs_t + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +254,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +264,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +272,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) =20 ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +297,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) =20 ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,6 +320,17 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read read write)= )) =20 ;; Socket operations (allow guix_daemon_t 
@@ -253,12 +351,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt geta= ttr ioctl read write shutdown))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) =20 ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" 
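Review bot: the `;; Socket operations` region in the @@ -233,6 +320,17 @@ hunk still lacks `(allow guix_daemon_t guix_daemon_socket_t (sock_file (unlink)))`, which the thread established is needed at shutdown once the filecon rules have relabelled the socket from guix_daemon_conf_t to guix_daemon_socket_t; without it the daemon cannot remove its own socket file when it stops.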
-- 
2.26.2

From unknown Mon Aug 18 15:38:57 2025
Subject: [bug#44549] [PATCH v3] etc: updates for the guix-daemon SELinux policy
From: Daniel Brooks
To: 44549@debbugs.gnu.org
References: <87sg9h8s5j.fsf@db48x.net>
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>
Date: Thu, 12 Nov 2020 16:07:52 -0800
Message-ID: <875z6a6rvr.fsf@db48x.net>
Content-Disposition: inline; filename=0001-etc-updates-for-the-guix-daemon-SELinux-policy.patch

>From 9354e87ccbc465aea7cefa1c7cc827c2b4f6057c Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v3] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for guix-daemon to account for daemon updates and newer SELinux. I can't promise that this is a complete list of everything that guix-daemon needs, but it's probably most of them. It can search for, install, upgrade, and remove packages, create virtual machines and containers, update itself, and so on.
---
 etc/guix-daemon.cil.in | 178 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 160 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..47fd12a214 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@ ; -*- lisp -*- ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2018 Ricardo Wurmus +;;; Copyright =C2=A9 2020 Daniel Brooks +;;; Copyright =C2=A9 2020 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;;
@@ -21,6 +23,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. =20 +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daem= on_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check = its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions = it +;; ought to have. Use ausearch --raw to find the permissions violations, t= hen +;; pipe that to audit2allow to generate an updated policy. You'll still ne= ed +;; to translate that policy into CIL in order to update this file, but tha= t's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +48,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) =20 ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +74,30 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) =20 + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (lnk_file (read))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +114,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd = shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) =20 ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink s= etattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +162,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) =20 ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +181,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +254,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +264,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +272,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) =20 ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +297,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) =20 ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,8 +320,22 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read read write)= )) =20 ;; Socket operations + (allow guix_daemon_t + guix_daemon_socket_t + (sock_file (unlink))) (allow guix_daemon_t init_t (fd (use))) 
@@ -253,12 +354,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt geta= ttr ioctl read write shutdown))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) =20 ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" 
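Review bot: the troubleshooting comment in the @@ -21,6 +23,18 @@ hunk explains how to make the domain permissive (`semanage permissive -a guix_daemon.guix_daemon_t`) but not how to revert it, and a domain left permissive keeps logging while enforcing nothing; add `semanage permissive -d guix_daemon.guix_daemon_t` as the final step. Narrowing the log search to the daemon (`ausearch -m avc -c guix-daemon --raw`) would also keep unrelated denials from being turned into rules by audit2allow.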
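Review bot: in the @@ -71,25 +114,44 @@ hunk the new tmp_t file rule grants `execute` and `execute_no_trans` alongside `write` and `create`, so the daemon can write a file under /tmp and then run it in its own domain, and the heading above it (`;; Permit logging and temp file access`) no longer describes what is allowed; say which helper executes from there (build scripts inside the chroot, presumably) so the grant can be revisited if that changes.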
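Review bot: `execmem` in `(process (fork execmem setrlimit setpgid setsched))` (the @@ -100,10 +162,10 @@ hunk) lets processes in guix_daemon_t map memory that is both writable and executable, and because this policy has no separate build domain it applies to every build the daemon runs as well; the usual trigger is a JIT-compiling child rather than the daemon itself, so record which program produced the denial in a comment, or leave the permission out if it was only observed under permissive mode.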
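Review bot: `sys_admin` in the capability list of the @@ -119,38 +181,51 @@ hunk is the broadest grant in this patch (it covers mount, namespace creation and a long tail of other privileged operations), yet the `;; Build isolation` heading does not say which call needed it; name the operation next to the rule (the mount or unshare used to set up the build chroot, presumably) so that a reader can later check whether a narrower capability would do.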
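Review bot: `(allow guix_daemon_t self (dir (add_name write)))` under `;; self upgrades` in the @@ -233,8 +320,22 @@ hunk targets directories carrying the domain's own type, which normally means only the daemon's /proc/<pid> entries; that reads like a verbatim audit2allow translation rather than something an upgrade needs, so quote the denial that produced it in the comment or drop the rule. The `(sock_file (unlink))` rule added under `;; Socket operations` in the same hunk matches what the thread found about the socket's label.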
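Review bot: the @@ -253,12 +354,53 @@ hunk lets the domain listen on any unreserved port (`unreserved_port_t (tcp_socket (name_bind name_connect accept listen))`), bind VNC and RTP ports and bind to any node; that is the behaviour of QEMU started by a build, not of guix-daemon, and since the VMs get no domain of their own it lands on guix_daemon_t. Move these rules under the `;; guix system vm` heading next to kvm_device_t and say so, so nobody reads them as daemon functionality. Style: the single-line `(tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))` should be wrapped like the surrounding rules.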
-- 
2.26.2

From unknown Mon Aug 18 15:38:57 2025
Subject: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
From: Marius Bakke
To: Daniel Brooks
Cc: 44549@debbugs.gnu.org
In-Reply-To: <87eeky6sfd.fsf@db48x.net>
References: <87sg9h8s5j.fsf@db48x.net> <87361ecm7f.fsf@gnu.org> <87v9ea6yhl.fsf@db48x.net> <87tutub4l9.fsf@gnu.org> <87eeky6sfd.fsf@db48x.net>
Date: Fri, 13 Nov 2020 15:52:52 +0100
Message-ID: <87r1oxb96j.fsf@gnu.org>

Daniel Brooks writes:

>>>> + (allow guix_daemon_t >>>> + guix_daemon_socket_t >>>> + (sock_file (unlink)))
>>>
>>> That shouldn't be a problem, though we don't have any other rules for
>>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>>> correctly when created, and hasn't been relabeled since.
>>
>> It could also be an artifact from my ancient experiments with Guix and
>> SELinux on this system. Perhaps we should test on a "clean" system to
>> verify, I can do that next week.
>
> Ok, I figured this one out. When the socket file is created it is
> labeled at guix_daemon_conf_t, but the filecon rules will cause that to
> be relabeled to guix_daemon_socket_t at some point in the future. When
> the guix-daemon process stops it tries to delete the socket file, but
> can't. I'll go ahead and include the rule.

OK.

>> As a side note, I've seen a couple other audit messages from
>> guix-daemon, although they don't seem to cause a problem in
>> practice.
>>
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
>> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
>> permissive=0
>
> The first two are already covered by the new policy, and the third is
> inconsequential. The kernel checks on our behalf to see if our child
> processes are allowed to inherit our signal state. That's usually
> disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
> the logs; you probably had that disabled. I'm not going to add a rule
> allowing that one; it would just cause accidents.

Thanks for investigating.

Interestingly, after updating the system (both RHEL8 and Guix) and
rebooting, I got new SELinux troubles!

I had to add these additional rules to make guix-daemon start again:

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 47fd12a214..3e254a2187 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -86,12 +86,15 @@ (allow init_t guix_daemon_t (process (transition))) + (allow init_t + self + (process (execmem))) (allow init_t guix_store_content_t (lnk_file (read))) (allow init_t guix_store_content_t =2D (file (open read execute))) + (file (open read execute execute_no_trans map))) =20 ;; guix-daemon needs to know the names of users (allow guix_daemon_t

Do these look sane to you? I can squash them into the commit if so.
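Review bot: `+ (file (open read execute execute_no_trans map)))` on guix_store_content_t for init_t removes the one thing this policy relies on, the domain transition: execute_no_trans is the permission that lets a domain run a file while staying in that domain, so after this hunk every file labeled guix_store_content_t becomes runnable by PID 1 as init_t, and `+ (process (execmem)))` on init_t self then extends one program's need for writable-and-executable memory to init as a whole. Both rules treat a symptom (the daemon being started without ending up in guix_daemon_t); the fix belongs on the file init actually executes, which should carry guix_daemon_exec_t so that the `(process (transition))` rule in the same hunk applies, not on init_t.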
From: Daniel Brooks
Date: Fri, 13 Nov 2020 07:34:04 -0800
Message-ID: <87v9e95l03.fsf@db48x.net>
In-Reply-To: <87r1oxb96j.fsf@gnu.org> (Marius Bakke's message of "Fri, 13 Nov 2020 15:52:52 +0100")

Marius Bakke writes:

> Interestingly, after updating the system (both RHEL8 and Guix) and
> rebooting, I got new SELinux troubles!
>
> I had to add these additional rules to make guix-daemon start again:
>
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 47fd12a214..3e254a2187 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -86,12 +86,15 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + self
> + (process (execmem)))

At some point we should track down why that one is necessary, perhaps
Guile has a JIT compiler or something?

> (allow init_t
> guix_store_content_t
> - (file (open read execute)))
> + (file (open read execute execute_no_trans map)))

This one looks pretty suspicious. I think it would allow any file
labeled guix_store_content_t to run in the init_t domain? We wouldn't
want that.

db48x
From: Marius Bakke
Date: Fri, 13 Nov 2020 16:59:52 +0100
Message-ID: <87ima9b62v.fsf@gnu.org>
In-Reply-To: <87v9e95l03.fsf@db48x.net>

Daniel Brooks writes:

> Marius Bakke writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?

Ding ding ding.

https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation

>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.

Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds for
this?

Are you testing with the latest version of guix-daemon?
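The exchange above shows the two halves of the job: turning raw AVC denials (like the ones quoted earlier in the thread) into CIL rules, and then spotting the rules that audit2allow emits without complaint but a reviewer should not accept, execmem and execute_no_trans among them. The following Python script is an added example written for this page; it is not code from the Guix project or from anyone on the bug. It parses `ausearch --raw`-style records, merges them per (source type, target type, class) the way audit2allow does, prints CIL `allow` rules, and flags the risky permissions. The first three sample records are the ones quoted in the thread; the remaining records are constructed so that every flag fires.

```python
"""Triage SELinux AVC denials and draft CIL allow rules for review.

Added example for this thread; not code from the Guix project or from
anyone on the bug.  Merges denials per (source type, target type, class)
as audit2allow does, prints them as CIL allow rules, and flags the
permissions a reviewer must justify or drop.
"""
import re
from collections import defaultdict

# Sample input: the first three records are the ones quoted in the thread;
# the remaining records are constructed to exercise the review flags.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1605189801.627:8637388): avc:  denied  { read } for  pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc:  denied  { read } for  pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc:  denied  { siginh } for  pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
type=AVC msg=audit(1605189900.100:8637400): avc:  denied  { execmem } for  pid=2312896 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
type=AVC msg=audit(1605189900.200:8637401): avc:  denied  { execute_no_trans map } for  pid=2312900 comm="guix-daemon" path="/tmp/guix-build-example.drv-0/build" dev="dm-0" ino=4242 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1605189900.300:8637402): avc:  denied  { write create } for  pid=2312900 comm="guix-daemon" name="build" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1605189900.300:8637402): arch=c000003e syscall=257 success=no exit=-13 comm="guix-daemon"
"""

# One denial record: verdict, permission set, both contexts and the object class.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (class, permission) pairs audit2allow will emit but that change the security
# model; each needs a written reason in the policy or should be dropped.
RISKY = {
    ("process", "execmem"): "writable+executable anonymous memory (JIT); weakens exploit mitigations",
    ("process", "siginh"): "signal-state inheritance check; base policies dontaudit it, do not allow it",
    ("file", "execute_no_trans"): "target files run in the caller's own domain with no domain transition",
    ("capability", "sys_admin"): "near-root capability; name the exact operation that needs it",
}


def context_type(context):
    """Return the type field of a context written as user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per denied AVC record; SYSCALL and granted records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("verdict") != "denied":
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def aggregate(records):
    """Union the permissions of all records sharing (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(merged)


def to_cil(merged):
    """Draft CIL allow rules, sorted so that re-runs diff cleanly.

    Types keep the dotted name from the context (guix_daemon.guix_daemon_t),
    which is how CIL names a type declared inside a block when referenced
    from outside it; inside (block guix_daemon ...) the prefix is dropped.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"(allow {stype} {target} ({tclass} ({' '.join(sorted(perms))})))")
    return rules


def review_flags(merged):
    """Warnings for rules a reviewer must justify or drop before they enter the policy."""
    flags = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        for perm in sorted(perms):
            reason = RISKY.get((tclass, perm))
            if reason:
                flags.append(f"{stype} -> {ttype} {tclass}:{perm}: {reason}")
        # write plus execute on one label lets the domain run what it just wrote
        if tclass == "file" and "write" in perms and perms & {"execute", "execute_no_trans"}:
            flags.append(f"{stype} -> {ttype} file: write and execute on one label (W+X)")
    return flags


if __name__ == "__main__":
    merged = aggregate(parse_avc(SAMPLE_AUDIT))
    print(";; draft rules, review before adding them to the policy")
    for rule in to_cil(merged):
        print(rule)
    print(";; review flags")
    for flag in review_flags(merged):
        print(";; " + flag)
```

Feed it real output with `ausearch -m AVC --raw | python3 triage.py` after replacing SAMPLE_AUDIT with `sys.stdin.read()`; the point of the flags is that a permissive-mode run records everything the daemon attempted, which is not the same as what it should be allowed, so the siginh record (the one Daniel says is normally dontaudit'ed) and the tmp_t write-plus-execute pair come out marked rather than silently turned into rules.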
From: Daniel Brooks
Date: Sat, 14 Nov 2020 06:57:35 -0800
Message-ID: <87mtzk56lc.fsf@db48x.net>

This update adds a filecon rule for the guix-daemon shell script in the store.

From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
 etc/guix-daemon.cil.in | 180 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 162 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..91958b7617 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@ ; -*- lisp -*- ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2018 Ricardo Wurmus +;;; Copyright =C2=A9 2020 Daniel Brooks +;;; Copyright =C2=A9 2020 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -21,6 +23,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. =20 +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daem= on_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check = its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions = it +;; ought to have. Use ausearch --raw to find the permissions violations, t= hen +;; pipe that to audit2allow to generate an updated policy. You'll still ne= ed +;; to translate that policy into CIL in order to update this file, but tha= t's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +48,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) =20 ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
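Review bot: the new comment block in hunk @@ -21,6 +23,18 @@ tells the reader to make the domain permissive and pipe `ausearch --raw` into audit2allow, but stops there; it should add that `semanage permissive -d guix_daemon.guix_daemon_t` has to be run afterwards, and that the generated allow rules record what the daemon attempted, not what it should be allowed, so each rule (anything with execmem, execute_no_trans, sys_admin, or write together with execute on one type in particular) needs a stated reason before it goes into this file. In hunk @@ -34,14 +48,19 @@ the five `(typeattributeset file_type ...)` lines deserve a one-line comment saying why they are needed (file_type membership is what makes these labels eligible for filesystem association and relabeling), since it also brings them under every base-policy rule written against the file_type attribute.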
@@ -55,6 +74,30 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) =20 + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (lnk_file (read))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +114,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd = shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) =20 ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink s= etattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
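Review bot: in hunk @@ -71,25 +114,44 @@, `(file (link rename create execute execute_no_trans write unlink setattr map relabelto))` on tmp_t grants guix_daemon_t write, execute and execute_no_trans on the same label, so the daemon can create a file under /tmp and then run it in its own domain, the domain that carries chown, setuid, dac_override and sys_chroot further down in this patch. If this is for build scripts, a dedicated build-directory type that only the builder may execute keeps the daemon's own domain from becoming a write-then-execute path; at minimum the rule needs a comment naming the helper that requires it. By contrast, `(allow init_t guix_store_content_t (file (open read execute)))` in hunk @@ -55,6 +74,30 @@ is the right shape, since it omits execute_no_trans and leaves the `(process (transition))` rule beside it to take effect.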
@@ -100,10 +162,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) =20 ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +181,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +254,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +264,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
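Review bot: `+ sys_admin)))` in the capability rule of hunk @@ -119,38 +181,51 @@ is the broadest capability in the set and the surrounding ';; Build isolation' comment does not say which operation needs it; the same hunk adds filesystem mount on devpts_t, tmpfs_t and proc_t, and the domain already has sys_chroot, so the likely need is mount and namespace setup for build containers, and saying so in a comment (after confirming with ausearch that no other syscall hides behind it) lets a later reader judge whether it can be narrowed. Likewise `execmem` in `(process (fork execmem setrlimit setpgid setsched))` in hunk @@ -100,10 +162,10 @@: the thread attributes it to Guile's JIT, and that should be recorded next to the rule, because execmem also permits the writable-and-executable mappings that exploit mitigations are meant to forbid, and without a comment it is indistinguishable from an accidental audit2allow carry-over.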
@@ -197,17 +272,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) =20 ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +297,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) =20 ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,8 +320,22 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read read write)= )) =20 ;; Socket operations + (allow guix_daemon_t + guix_daemon_socket_t + (sock_file (unlink))) (allow guix_daemon_t init_t (fd (use))) 
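Review bot: under the new ';; self upgrades' comment in hunk @@ -233,8 +320,22 @@, `(allow guix_daemon_t self (dir (add_name write)))` reads like raw audit2allow output rather than an understood requirement: a directory labeled with the daemon's own process type is in practice a /proc/<pid> entry, and writing names into one is not something an upgrade should need, so the denial it came from is worth re-reading before the rule is kept. The `netlink_route_socket` rule next to it is plausible (route and interface lookups while downloading) but belongs with the networking rules rather than under 'self upgrades'. In hunk @@ -216,11 +297,17 @@, widening guix_profiles_t directories from `(getattr setattr read open)` to `(search getattr setattr read write open create add_name)` is expected for profile generation and should say so in a comment.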
@@ -253,12 +354,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt geta= ttr ioctl read write shutdown))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) =20 ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" 
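Review bot: hunk @@ -253,12 +354,53 @@ lets guix_daemon_t `name_connect` to `port_t` (every port without a more specific label) and `name_bind`, `listen` and `accept` on `unreserved_port_t`, plus `name_bind` on `vnc_port_t` and `rtp_media_port_t`; the last two, together with `kvm_device_t` under the ';; guix system vm' comment, look like QEMU running inside the daemon's domain for `guix system vm` rather than needs of the daemon itself. Consider gating them with a CIL boolean (`booleanif`) or moving them to a separate block so that a daemon that never builds VMs does not carry listening-socket permissions, and document the remaining listen/bind rules with the feature that needs them so they are not mistaken for leftovers.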
@@ -277,5 +419,7 @@ file (system_u object_r guix_daemon_exec_t (low low))) (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon" file (system_u object_r guix_daemon_exec_t (low low))) + (filecon "@storedir@/[a-z0-9]+-guix-daemon" + file (system_u object_r guix_daemon_exec_t (low low))) (filecon "@guix_localstatedir@/guix/daemon-socket/socket" any (system_u object_r guix_daemon_socket_t (low low))))
-- 
2.26.2
From: Daniel Brooks
Date: Sat, 14 Nov 2020 08:49:26 -0800
Message-ID: <87a6vj6fzd.fsf@db48x.net>

From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Sat, 14 Nov 2020 08:04:30 -0800
Subject: [PATCH v4] doc: add a note about relabeling after upgrades to the
 SELinux Support section of the manual

* doc/guix.texi (SELinux Support): add note about upgrades
---
 doc/guix.texi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8440ffffc7..67f5155b9f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1398,6 +1398,11 @@ install and run it, which lifts it into the @code{guix_daemon_t} domain. At that point SELinux could not prevent it from accessing files that are allowed for processes in that domain. +You will need to relabel the @file{/gnu} directory after all upgrades to +@file{guix-daemon}, such as with @code{guix pull}. You can do this with +@code{restorecon -vR /gnu}, or by other means provided by your operating +system. + We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with
-- 
2.26.2
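Review bot: the added paragraph tells the reader to run `restorecon -vR /gnu` after every upgrade but not why; the reason, visible earlier in this thread for the socket file, is that a newly created store item gets the default label and only a later relabel applies the filecon patterns that map the new guix-daemon path to guix_daemon_exec_t, so until then the daemon started by init stays in init_t, which is what produced the init_t denials discussed above. Stating that makes the instruction checkable (`ls -Z` on the new daemon path, or `matchpathcon` against it) and lets the reader limit the relabel to the new store item instead of walking the whole store.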
From: Marius Bakke
Date: Sun, 15 Nov 2020 23:18:49 +0100
Message-ID: <87y2j29sc6.fsf@gnu.org>
In-Reply-To: <87a6vj6fzd.fsf@db48x.net>

Daniel Brooks writes:

> From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
> From: Daniel Brooks
> Date: Sat, 14 Nov 2020 08:04:30 -0800
> Subject: [PATCH v4] doc: add a note about relabeling after upgrades to the
> SELinux Support section of the manual
>
> * doc/guix.texi (SELinux Support): add note about upgrades

I reworded this slightly and pushed to 'master'.
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Daniel Brooks
Subject: bug#44549: closed (Re: [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy)
Date: Sun, 15 Nov 2020 22:21:02 +0000

Your bug report

#44549: [PATCH] etc: updates for the guix-daemon SELinux policy

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 44549@debbugs.gnu.org.

-- 
44549: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=44549
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
(TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1keQNN-00062f-FN; Sun, 15 Nov 2020 17:20:02 -0500 From: Marius Bakke To: Daniel Brooks , 44549-done@debbugs.gnu.org Subject: Re: [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy In-Reply-To: <87mtzk56lc.fsf@db48x.net> References: <87sg9h8s5j.fsf@db48x.net> <87mtzk56lc.fsf@db48x.net> Date: Sun, 15 Nov 2020 23:19:59 +0100 Message-ID: <87v9e69sa8.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 44549-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) --=-=-= Content-Type: text/plain Daniel Brooks writes: > This update adds a filecon rule for the guix-daemon shell script in the store. > >>>From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001 
> From: Daniel Brooks
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.
>
> I can't promise that this is a complete list of everything that guix-daemon
> needs, but it's probably most of them. It can search for, install, upgrade,
> and remove packages, create virtual machines and containers, update itself,
> and so on.

Pushed to the 'version-1.2.0' branch, which will show up on 'master' eventually.

Thank you!


From: Daniel Brooks
To: Guix Patches List
Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Tue, 10 Nov 2020 01:42:16 -0800
Message-ID: <87sg9h8s5j.fsf@db48x.net>
Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-etc-updates-for-the-guix-daemon-SELinux-policy.patch

From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in: I can't promise that this is a complete list of
everything that guix-daemon needs, but it's probably most of them. It can
search for, install, upgrade, and remove packages, create virtual machines,
update itself, and so on. I haven't tried creating containers yet, which
might reveal more things to add.
---
 etc/guix-daemon.cil.in | 170 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 152 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..666e5677a3 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -21,6 +21,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions it +;; ought to have. Use ausearch --raw to find the permissions violations, then +;; pipe that to audit2allow to generate an updated policy. You'll still need +;; to translate that policy into CIL in order to update this file, but that's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +46,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +72,27 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +109,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink setattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +157,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +176,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +249,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +259,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +267,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +292,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,6 +315,17 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read))) ;; Socket operations (allow guix_daemon_t 
@@ -253,12 +346,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" -- 2.26.2 ------------=_1605478862-29669-1--
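Review bot: the new comment block in the first hunk (@@ -21,6 +21,18 @@) tells the reader to run `semanage permissive -a guix_daemon.guix_daemon_t` but never says to undo it; a permissive domain stays permissive across reboots until it is removed, so the comment should end with `semanage permissive -d guix_daemon.guix_daemon_t` once the regenerated policy has been loaded. It should also say that audit2allow output is a list of everything that was denied, not a recommendation, so each generated rule has to be checked against what the daemon actually needs before it is translated into CIL. Minor: "straight-forward" is one word.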
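Review bot: the five new `(typeattributeset file_type ...)` lines in the second hunk (@@ -34,14 +46,19 @@) are not explained anywhere; the commit message only says "newer SELinux". Add a one-line comment above them naming the rule or tool that required the attribute, because the base policy grants several domains (relabeling, backup and similar) access to every `file_type`, so this widens who may touch store, profile and socket objects. The unchanged context line `(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))` now makes `guix_daemon_exec_t` both a `domain` and a `file_type`; that deserves a second look, since the type is only used as the executable's label in this file.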
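Review bot: `(allow init_t guix_daemon_t (process (transition)))` in the third hunk (@@ -55,6 +72,27 @@) grants the transition, but nothing in the file makes `init_t` take it: the only `typetransition`, visible in this hunk's context, has `guix_store_content_t` as its source, so a service started by `init_t` will run guix-daemon in init's own domain unless the unit sets a context explicitly. Suggest adding `(typetransition init_t guix_daemon_exec_t process guix_daemon_t)` next to the new `(roletype system_r guix_daemon_t)` line and saying in the comment that the four `init_t` rules exist for the service unit. `(file (open read execute))` on `guix_store_content_t` also lets `init_t` execute anything in the store; if it is only there for the wrapper script that the v4 cover text mentions, say so in the comment.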
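Review bot: in the `tmp_t` part of the fourth hunk (@@ -71,25 +109,44 @@), `(file (link rename create execute execute_no_trans write unlink setattr map relabelto))` gives the daemon write, map and execute on the same type, so any file the daemon writes under `tmp_t` can afterwards be executed in the daemon's own domain. If this is for build scratch directories, a dedicated type for them would keep that separation; at minimum the comment ";; Permit logging and temp file access" should be updated to say which operation needs `execute` here. The three new `name_connect` rules would also benefit from a short comment on which download path needs `ftp_port_t` and `ephemeral_port_t` in addition to `http_port_t`.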
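Review bot: `execmem` in `(process (fork execmem setrlimit setpgid setsched))` is the one permission in the fifth hunk (@@ -100,10 +157,10 @@) that deserves a comment: it allows anonymous memory that is both writable and executable, which the base policy withholds from most daemons on purpose. Record which component produced the AVC so a later reader can drop the permission again if that component changes. `entrypoint` and `map` on `guix_daemon_exec_t` are correct and needed for the domain transition.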
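Review bot: `sys_admin`, added to the capability rule in the sixth hunk (@@ -119,38 +176,51 @@), is the broadest capability in this policy (mount, namespaces and much more). The same hunk carries `(filesystem (mount))` rules for `devpts_t`, `tmpfs_t` and `proc_t` under ";; Build isolation", so the likely reason is the chroot setup; say so in a comment rather than leaving it as a bare grant. `(chr_file (ioctl open read write))` on `devpts_t` is reasonable for build ptys and could use the same one-line note.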
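Review bot: `relabelfrom` is added for `guix_store_content_t` directories and files in the two short hunks (@@ -179,7 +249,7 @@ and @@ -189,7 +259,7 @@, same issue in both), but the only `relabelto` in the patch is on `tmp_t` in the fourth hunk. That pair permits relabeling store objects to `tmp_t`, which is the opposite of the move a build normally makes (temporary output into the store). If the AVC came from moving build results into the store, the rules wanted are `relabelfrom` on `tmp_t` and `relabelto` on `guix_store_content_t`; please check the direction in the audit log before merging.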
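Review bot: `NetworkManager_var_run_t` in the hunk at @@ -216,11 +292,17 @@ is declared by the NetworkManager policy module, not by the base policy, so loading guix-daemon.cil fails with an unresolved symbol on hosts that do not have that module installed. Wrap that rule (and any other rule that depends on an optional module) in a CIL `(optional ...)` block so the rest of the policy still loads. The `guix_profiles_t` change from read-only to `(search getattr setattr read write open create add_name)` is expected for profile generation updates but should be mentioned in the commit message.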
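Review bot: `(allow guix_daemon_t self (dir (add_name write)))` under ";; self upgrades" in the hunk at @@ -233,6 +315,17 @@ targets `self`, i.e. directories labelled `guix_daemon_t`; those are normally only the daemon's own /proc/<pid> entries, so this rule almost certainly does not cover the upgrade path its comment names. Check the original AVC for the target context; the upgrade most likely needs `write`/`add_name` on `guix_profiles_t` (already granted in the previous hunk) or on the store type, and this rule can then be dropped.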
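Review bot: in `(allow guix_daemon_t unreserved_port_t (tcp_socket (name_bind name_connect accept listen)))` in the last hunk (@@ -253,12 +346,53 @@), the `accept` and `listen` permissions are never checked against a port type (they are checked against the socket itself, which is `self` and already granted in the rule just above), so they are dead entries and should be removed to keep the rule honest. The `vnc_port_t` and `rtp_media_port_t` binds sit outside the ";; guix system vm" comment that presumably explains them; move them under it or give them their own comment, since a reader will otherwise wonder why a build daemon binds VNC and RTP ports. `(allow guix_daemon_t kernel_t (system (ipc_info)))` could use a one-line note as well.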