GNU bug report logs - #66305
Error with recursive git checkout


Package: guix;

Reported by: Guillaume Le Vaillant <glv <at> posteo.net>

Date: Mon, 2 Oct 2023 11:35:02 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #43 received at 66305 <at> debbugs.gnu.org (full text, mbox):

From: Alexis Simon <alexis.simon <at> runbox.com>
To: 66305 <at> debbugs.gnu.org
Subject: Error with recursive git checkout
Date: Wed, 25 Oct 2023 09:51:37 -0700

Ah well, it seems this is due to an SELinux policy error.

--8<---------------cut here---------------start------------->8---
SELinux is preventing git-submodule from execute access on the file 
/usr/bin/sed.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that git-submodule should be allowed execute access on 
the sed file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'git-submodule' --raw | audit2allow -M my-gitsubmodule
# semodule -X 300 -i my-gitsubmodule.pp


Additional Information:
Source Context                system_u:system_r:guix_daemon.guix_daemon_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/sed [ file ]
Source                        git-submodule
Source Path                   git-submodule
Port                          <Unknown>
Host                          xps13
Source RPM Packages
Target RPM Packages           sed-4.8-12.fc38.x86_64
SELinux Policy RPM            selinux-policy-targeted-38.29-1.fc38.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xps13
Platform                      Linux xps13 6.5.7-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Oct 11 04:07:58 UTC 2023
                              x86_64
Alert Count                   460
First Seen                    2023-10-24 20:20:26 PDT
Last Seen                     2023-10-25 09:44:31 PDT
Local ID                      fa57086c-6738-4eec-8252-3abb66a9e249

Raw Audit Messages
type=AVC msg=audit(1698252271.150:513): avc:  denied  { execute } for 
pid=10644 comm="git-submodule" name="sed" dev="dm-0" ino=261979 
scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: git-submodule,guix_daemon.guix_daemon_t,bin_t,file,execute
--8<---------------cut here---------------end--------------->8---

But trying to fix it does not seem to have any effect. I've added this 
to the guix-daemon.cil and re-applied it:
--8<---------------cut here---------------start------------->8---
(allow guix_daemon_t
       bin_t
       (file (execute)))
--8<---------------cut here---------------end--------------->8---

Alexis
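An added example, not part of the bug report and not Guix's own code: a minimal audit2allow written in POSIX sh and awk that turns raw AVC "denied" records (the kind `ausearch -m AVC` prints and that audit2allow consumes) into CIL allow rules, merging the permissions that share one source type, target type and class. The sample input is constructed: the first record is the one from the report above; the second is hypothetical and stands for the `execute_no_trans`, `read` and `open` denials that normally follow once `execute` alone has been allowed, because executing a file in the same domain (no domain transition) needs `execute_no_trans` as well as `execute`. Types are emitted fully qualified (`guix_daemon.guix_daemon_t`), which is the form a stand-alone CIL module loaded at global scope needs; inside the `(block guix_daemon ...)` of guix-daemon.cil the same rule would name the type `guix_daemon_t`.

```shell
#!/bin/sh
# Added example (not from the bug report or from Guix): a minimal audit2allow
# in POSIX sh + awk that turns AVC "denied" records into CIL allow rules,
# merging permissions that share the same source type, target type and class.

# Constructed sample input: the AVC record from the report, plus a second,
# hypothetical record for the execute_no_trans/read/open denials that usually
# follow once "execute" alone has been allowed without a domain transition.
SAMPLE_AVC='type=AVC msg=audit(1698252271.150:513): avc:  denied  { execute } for  pid=10644 comm="git-submodule" name="sed" dev="dm-0" ino=261979 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1698252272.000:514): avc:  denied  { execute_no_trans read open } for  pid=10644 comm="git-submodule" name="sed" dev="dm-0" ino=261979 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC records on stdin, print one CIL (allow ...) rule per
# (source type, target type, class) with deduplicated permissions.
avc_to_cil() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # keep only the text inside { ... }
      sub(/ *[}].*/, "", perms)
      stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        # the third colon-separated field of a context (user:role:type:level) is the type
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); stype = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
        else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
      }
      if (stype == "" || ttype == "" || tclass == "") next
      key = stype SUBSEP ttype SUBSEP tclass
      if (!(key in rules)) { order[++n] = key; rules[key] = "" }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++) {
        if (!((key, p[j]) in seen)) {
          seen[key, p[j]] = 1
          rules[key] = (rules[key] == "" ? p[j] : rules[key] " " p[j])
        }
      }
    }
    END {
      # emit in first-seen order so the output is deterministic
      for (i = 1; i <= n; i++) {
        split(order[i], f, SUBSEP)
        printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], rules[order[i]]
      }
    }
  '
}

# demo: run the converter over the constructed sample and return the rules.
demo() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
}

demo
```

On a real system the input would come from `ausearch -m AVC -ts recent --raw`, and the output can be saved as e.g. `my-gitsubmodule.cil` and loaded with `semodule -i my-gitsubmodule.cil`, since semodule accepts CIL source files directly. Two checks are worth doing after loading: `sesearch -A -s guix_daemon.guix_daemon_t -t bin_t -c file -p execute` (from setools) confirms the rule is actually in the loaded policy, and re-running the failing operation followed by another `ausearch -m AVC -ts recent` shows whether a further permission such as `execute_no_trans` is now the one being denied, because the kernel reports each access check separately.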







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.