GNU bug report logs - #47985
CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix


Package: guix;

Reported by: josephenry <josephenry <at> protonmail.com>

Date: Sat, 24 Apr 2021 00:26:02 UTC

Severity: normal



Report forwarded to bug-guix <at> gnu.org: bug#47985; Package guix. (Sat, 24 Apr 2021 00:26:02 GMT)

Acknowledgement sent to josephenry <josephenry <at> protonmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 24 Apr 2021 00:26:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: josephenry <josephenry <at> protonmail.com>
To: "bug-guix <at> gnu.org" <bug-guix <at> gnu.org>
Subject: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix
Date: Sat, 24 Apr 2021 00:10:43 +0000
Hi,

I am starting with Guix and I have just installed it on CentOS Linux 8 x86_64 (kernel 4.18.0-240.15.1.el8_3.x86_64).

It went well, but the daemon service exited and I couldn't install a package:

$ sudo systemctl status guix-daemon.service
● guix-daemon.service - Build daemon for GNU Guix
Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2021-04-24 01:44:16 CEST; 16min ago
Process: 92489 ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild (code=exited, status=203/EXEC)
Main PID: 92489 (code=exited, status=203/EXEC)

Apr 24 01:44:16 localhost.localdomain systemd[1]: Started Build daemon for GNU Guix.
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Failed with result 'exit-code'.

I found this similar bug report for Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1433971

It seems to be related to the SELinux policy.

// ----------------------------------------------------------------------------

I ran:

$ journalctl -t setroubleshoot
Apr 24 01:30:30 localhost.localdomain setroubleshoot[92081]: AnalyzeThread.run(): Set alarm timeout to 10
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: Deleting alert f25667a8-16fa-447b-8df1-8bd6a8cddc10, it is allowed in current policy
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: AnalyzeThread.run(): Cancel pending alarm
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon. For complete SELinux messages run: sealert -l f4db012c-2639-4a2a-80>
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

$ sudo sealert -l f4db012c-2639-4a2a-809a-023ba4accbfd
SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed execute access on the guix-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sesinetd' --raw | audit2allow -M my-sesinetd
# semodule -X 300 -i my-sesinetd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects guix-daemon [ file ]
Source sesinetd
Source Path /usr/bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-239-41.el8_3.2.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-03-20 21:06:10 CET
Last Seen 2021-04-24 01:44:16 CEST
Local ID f4db012c-2639-4a2a-809a-023ba4accbfd

Raw Audit Messages
type=AVC msg=audit(1619221456.618:467): avc: denied { execute } for pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1619221456.618:467): arch=x86_64 syscall=execve success=no exit=EACCES a0=5609e6745860 a1=5609e6600e20 a2=5609e66a8720 a3=2d646c6975622d2d items=0 ppid=1 pid=92489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(x-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: sesinetd,init_t,user_tmp_t,file,execute

// ----------------------------------------------------------------------------

I tried executing the commands provided by SELinux to allow the access, but it doesn't work and I don't really understand how it works.

Also, on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist, so I don't know how to run the command.

Has anyone gotten Guix to run on CentOS with SELinux enabled?

Any help would be greatly appreciated!

Thanks

Joseph
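As an added illustration (not part of this report or of Guix), a small Python parser for the raw audit records quoted above: it joins the AVC and SYSCALL records by audit serial, reads out the source and target types, and reports the denial as a labelling problem when the target's type is not one the caller expects the policy to assign to the file. The expected-type set is an assumption supplied by the caller; the sample records are copied from the report.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the report above
# (both carry audit serial 467, which is how they are joined).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1619221456.618:467): avc: denied { execute } for pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1619221456.618:467): arch=x86_64 syscall=execve success=no exit=EACCES a0=5609e6745860 a1=5609e6600e20 a2=5609e66a8720 a3=2d646c6975622d2d items=0 ppid=1 pid=92489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(x-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial; one dict per event."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, stamp, serial, body = m.groups()
        ev = events.setdefault(serial, {"time": float(stamp), "serial": int(serial)})
        if rtype == "AVC":
            avc = AVC_RE.search(body)
            ev["decision"], ev["permissions"] = avc.group(1), avc.group(2).split()
        # key=value fields of the record; quoted values (comm="...") are unquoted
        ev.setdefault(rtype, {}).update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return list(events.values())

def context_type(ctx):
    """Type component of an SELinux context (user:role:type:level)."""
    return ctx.split(":")[2]

def summarize(ev):
    """One-line reading: which domain was denied what on which object."""
    avc, sc = ev["AVC"], ev.get("SYSCALL", {})
    text = "%s %s %s on %s %s (labelled %s)" % (
        context_type(avc["scontext"]), ev["decision"], "/".join(ev["permissions"]),
        avc["tclass"], avc.get("name", "?"), context_type(avc["tcontext"]))
    if sc:  # the matching SYSCALL record names the binary and the errno
        text += "; %s by %s -> %s" % (sc.get("syscall"), sc.get("exe"), sc.get("exit"))
    return text

def needs_relabel(ev, expected_types):
    """True when the denied object's type is not one the caller expects the policy
    to give it (expected_types is a caller-supplied assumption); that points at a
    labelling problem, i.e. a relabel, rather than a missing allow rule."""
    return context_type(ev["AVC"]["tcontext"]) not in expected_types
```

On the records above this yields "init_t denied execute on file guix-daemon (labelled user_tmp_t); execve by /usr/lib/systemd/systemd -> EACCES", and a store binary carrying a temp-file label is what the relabeling step discussed later in this thread addresses.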

Information forwarded to bug-guix <at> gnu.org: bug#47985; Package guix. (Wed, 28 Apr 2021 21:33:02 GMT)

Message #8 received at 47985 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: josephenry <josephenry <at> protonmail.com>
Cc: 47985 <at> debbugs.gnu.org
Subject: Re: bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix
Date: Wed, 28 Apr 2021 23:32:44 +0200
Hi,

josephenry <josephenry <at> protonmail.com> wrote:

> Also, on the [SELinux support page](https://guix.gnu.org/manual/en/html_node/SELinux-Support.html) in the Guix documentation, the etc/guix-daemon.cil file doesn't exist, so I don't know how to run the command.
>
> Has anyone gotten Guix to run on CentOS with SELinux enabled?

I’m not familiar with SELinux, but the .cil file is available in Guix
itself:

--8<---------------cut here---------------start------------->8---
$ wget -qO - https://ftp.gnu.org/gnu/guix/guix-binary-1.2.0.x86_64-linux.tar.xz | xz -d | tar tv | grep '\.cil'
-r--r--r-- root/root     13492 1970-01-01 01:00 ./gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
--8<---------------cut here---------------end--------------->8---

Hope this helps!

Ludo’.




Information forwarded to bug-guix <at> gnu.org: bug#47985; Package guix. (Wed, 26 May 2021 21:56:01 GMT)

Message #11 received at 47985 <at> debbugs.gnu.org:

From: josephenry <josephenry <at> protonmail.com>
To: "47985 <at> debbugs.gnu.org" <47985 <at> debbugs.gnu.org>
Subject: (No Subject)
Date: Wed, 26 May 2021 21:55:42 +0000
Hi Ludo,

Thanks for your answer and sorry for the late response!

Actually I did:

```
sudo semodule -i /gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
```

and then tried to use restorecon as stated in the doc:

```
sudo restorecon /gnu
```

but restarting Guix didn't work; I am probably not doing it the right way...

What does that mean in the documentation:

Then relabel the file system with restorecon or by a different mechanism provided by your system.

Can someone provide some explanation about this?

Thanks

Information forwarded to bug-guix <at> gnu.org: bug#47985; Package guix. (Thu, 27 May 2021 12:26:01 GMT)

Message #14 received at 47985 <at> debbugs.gnu.org:

From: josephenry <josephenry <at> protonmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: bug#47985: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix
Date: Wed, 26 May 2021 21:53:59 +0000
Hi Ludo,

Thanks for your answer and sorry for the late response!

Actually I did:

```
sudo semodule -i /gnu/store/6rn4l3h0p9x0m615pp1ynlv9v0743kl3-guix-1.2.0/share/selinux/guix-daemon.cil
```

and then tried to use restorecon as stated in the doc:

```
sudo restorecon /gnu
```

but restarting Guix didn't work; I am probably not doing it the right way...

What does that mean in the documentation:

Then relabel the file system with restorecon or by a different mechanism provided by your system.

Can someone provide some explanation about this?

Thanks




Information forwarded to bug-guix <at> gnu.org: bug#47985; Package guix. (Tue, 14 Feb 2023 11:57:01 GMT)

Message #17 received at 47985 <at> debbugs.gnu.org:

From: Ricardo Wurmus <rekado <at> elephly.net>
To: 47985 <at> debbugs.gnu.org
Subject: CentOS : SELinux is preventing /usr/lib/systemd/systemd from read access on the lnk_file current-guix
Date: Tue, 14 Feb 2023 12:54:54 +0100
Hi,

the cil file has been updated to work with a more recent base policy as
provided by current Fedora releases.  We also updated the documentation
to make the relabeling step a little clearer.

Does this solve your problem?

-- 
Ricardo



