bug#78317 <78317@debbugs.gnu.org>
Subject: Status: Unprivileged guix-daemon and SELinux
Date: Sun, 22 Jun 2025 18:35:09 +0000

retitle 78317 Unprivileged guix-daemon and SELinux
reassign 78317 guix
submitter 78317 Ido Yariv
severity 78317 normal
thanks
From: Ido Yariv
Date: Thu, 8 May 2025 08:53:00 -0400
Subject: Unprivileged guix-daemon and SELinux
To: bug-guix@gnu.org

Hi,

It seems that the new unprivileged mode of guix-daemon breaks on some foreign distros with SELinux. More specifically, SELinux prevents guix-daemon from creating & entering user namespaces.

The following change seems to mitigate this on Fedora:

--8<---------------cut here---------------start------------->8---
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in index b221e31094..d98af865eb 100644 --- a/etc/guix-daemon.cil.in +++ b/etc/guix-daemon.cil.in
@@ -361,6 +361,14 @@ self (netlink_route_socket (bind create getattr nlmsg_read read write getopt))) + ;; Allow use of user namespaces + (allow guix_daemon_t + self + (cap_userns (sys_admin net_admin sys_chroot))) + (allow guix_daemon_t + self + (user_namespace (create))) + ;; Socket operations (allow guix_daemon_t guix_daemon_socket_t --8<---------------cut here---------------end--------------->8---

The second rule requires the user_namespace class to be defined, and might break with policies which do not include it (e.g., Rocky Linux 9).

Given that the guix-daemon SELinux policy doesn't quite work out of the box for stable releases (cil file is outdated and doesn't include all required permissions), one suggestion can be to use an unconfined domain for the time being, at least optionally?

For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can be set to usr_t, similar to /usr & /opt, requiring no extra policy:

--8<---------------cut here---------------start------------->8---
sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
--8<---------------cut here---------------end--------------->8---

More details can be found here: https://danwalsh.livejournal.com/70577.html

It might not be ideal, but it works without any extra tweaking on each upgrade, and keeps the rest of the system policy enforced.

Thanks,
Ido.
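Review bot: the (user_namespace (create)) rule at the end of the hunk is the one that fails to resolve on policies lacking that class (the report itself names Rocky Linux 9), and an unresolved class prevents the cil file from loading at all; wrapping that single allow in a CIL (optional ...) block would keep the rest of the policy loadable and only drop the user_namespace rule where the class is missing. The cap_userns rule would also benefit from a comment stating which daemon operation needs each of sys_admin, net_admin and sys_chroot, since sys_admin inside a user namespace is the broadest of the three.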
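As an added example (not code from Ido's report or from Guix), a small POSIX shell preflight script for the two options above: it checks through selinuxfs whether the loaded policy defines the user_namespace and cap_userns classes the patched rules depend on, suggests the usr_t labelling of /gnu when they are absent, and filters an audit log for the denials those rules address. The function names and the sample AVC line are constructed here.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Guix. Preflight checks
# before loading the patched guix-daemon CIL policy; all names are constructed.

SELINUXFS=${SELINUXFS:-/sys/fs/selinux}

# A constructed AVC line of the kind SELinux logs when guix_daemon_t is refused
# a user namespace (the denial the patch's second allow rule addresses).
SAMPLE_AVC='type=AVC msg=audit(1746708791.319:4242): avc:  denied  { create } for  pid=4242 comm="guix-daemon" scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:system_r:guix_daemon_t:s0 tclass=user_namespace permissive=0'

# selinuxfs exposes every object class of the loaded policy as class/<name>/
# and each of its permissions as class/<name>/perms/<perm>.
policy_has_class() { [ -d "$SELINUXFS/class/$1" ]; }
policy_has_perm()  { [ -e "$SELINUXFS/class/$1/perms/$2" ]; }

# Filter stdin (audit log or ausearch output) down to the denials the patch
# covers: source domain guix_daemon_t, target class user_namespace or cap_userns.
userns_denials() {
    grep -E 'avc: +denied .*scontext=[^ ]*:guix_daemon_t:.*tclass=(user_namespace|cap_userns)'
}

# "cil" when both classes used by the patched rules resolve on this host,
# "fcontext" when they do not (the report's usr_t labelling of /gnu instead).
recommend() {
    if policy_has_class user_namespace && policy_has_perm cap_userns sys_admin; then
        echo cil
    else
        echo fcontext
    fi
}

main() {
    printf 'loadable approach: %s\n' "$(recommend)"
    if [ "$(recommend)" = fcontext ]; then
        echo "  sudo semanage fcontext -a -t usr_t '/gnu(/.*)?' && sudo restorecon -R /gnu"
    fi
    [ -e /gnu ] && printf 'current label of /gnu: %s\n' "$(stat -c %C /gnu)"
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent 2>/dev/null | userns_denials ||
            echo 'no user-namespace denials for guix_daemon_t in recent audit records'
    fi
}

# Run as: sh preflight.sh --check
case "${1-}" in --check) main ;; esac
```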