GNU bug report logs - #44549
[PATCH] etc: updates for the guix-daemon SELinux policy

Previous Next

Full log

Message #32 received at 44549 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Daniel Brooks <db48x <at> db48x.net>
Cc: 44549 <at> debbugs.gnu.org
Subject: Re: [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux
 policy
Date: Fri, 13 Nov 2020 16:59:52 +0100

[Message part 1 (text/plain, inline)]

Daniel Brooks <db48x <at> db48x.net> writes:

> Marius Bakke <marius <at> gnu.org> writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>>    (allow init_t
>>           guix_daemon_t
>>           (process (transition)))
>> +  (allow init_t
>> +         self
>> +         (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?

Ding ding ding.

  https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation

>>    (allow init_t
>>           guix_store_content_t
>> -         (file (open read execute)))
>> +         (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.

Right.  The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case.  Can you think of any workarounds
for this?

Are you testing with the latest version of guix-daemon?

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.