Guix SELinux issues
From: Gerry Agbobada
Subject: Guix SELinux issues
Date: Sun, 5 May 2019 23:07:06 +0200
Hello everyone,
I tried today to install Guix on my Fedora 30 machine with the binary
sh script installer.
The policy for guix-daemon wasn't installed by default with this
script (as far as I understand), so rekado on freenode told me about
the .cil file I could fill with the correct placeholder values.
Here is a short report of my adventures, I am not 100% sure it's going
to be reproducible, since I am not that good with SELinux in general.
It is a little lengthy because I tried to include relevant logs when I
could. Short version is:
"SELinux is hard and has almost no support channels. guix-daemon.cil
apparently just needs lnk_file permissions somewhere to be usable out
of the box"
* Intro
Whenever I say "activate/deactivate" SELinux, I mean =# setenforce (1|0)=
* guix_store_content_t is not a file_type
** Issue
When I deactivate SELinux to start the daemon, and later reactivate it,
then the files can't be read by the guix-daemon. I assumed (thanks to the
SELinux helper applet) that I needed to restorecon the whole store, but
when I tried I had errors because the types in the .cil policy
are not file_type attributes.
So the restorecon on /gnu/store is actually the first operation for which I have
some logs (I forgot to keep the logs when I just ran the daemon with
the .cil file)
** SEApplet summary of the issue
Originally in French; it basically states that
guix_daemon.guix_store_content_t is not a valid **file_type**
#+BEGIN_SRC text
SELinux is preventing restorecon from using relabelto access on the
file 1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1.
***** Plugin associate (99.5 confidence) suggests ********************
If you want to change the label of
1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1 to
guix_daemon.guix_store_content_t, which is not allowed because it is not
a valid file type.
Then you need to choose a valid file label.
Do
select a valid file type. List valid file labels by executing:
# seinfo -afile_type -x
#+END_SRC
** State of seinfo after running the initial semodule -i guix-daemon.cil
#+BEGIN_SRC text
# seinfo -t -x | grep guix
type guix_daemon.guix_daemon_conf_t;
type guix_daemon.guix_daemon_exec_t, domain, pcmcia_typeattr_1;
type guix_daemon.guix_daemon_socket_t;
type guix_daemon.guix_daemon_t, domain, pcmcia_typeattr_1;
type guix_daemon.guix_profiles_t;
type guix_daemon.guix_store_content_t;
# seinfo -afile_type -x | grep guix
[No output]
#+END_SRC
** Added a few lines to cil policy file to be able to restorecon and relabel
The patch is at the end of the mail, look for ---
After this and =semodule -i=, I am able to restorecon on the files and have
a correct state there.
* Error on startup
** Issue
When SELinux is active, =systemctl start guix-daemon= fails because SELinux
forbids (x-daemon) from using read access on a lnk_file.
I don't know what this 'x-daemon' stuff is; it is not in my path, and
there is no man page.
#+BEGIN_SRC text
SELinux is preventing (x-daemon) from using read access on the lnk_file
guix-daemon.
Plugin: catchall
SELinux denied access requested by (x-daemon). It is not expected that this
access is required by (x-daemon) and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
If you believe that (x-daemon) should be allowed read access on the
guix-daemon lnk_file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c "(x-daemon)" --raw | audit2allow -M my-xdaemon
# semodule -X 300 -i my-xdaemon.pp
#+END_SRC
** Bug in the suggested solution
There is a compilation error when I try the suggested fix
#+BEGIN_SRC text
> sudo ausearch -c "(x-daemon)" --raw | sudo audit2allow -M my-xdaemon
compilation failed:
libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
guix_daemon.guix_store_content_t is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
#+END_SRC
* Workarounds
The obvious one is killing SELinux. And since I'm doing this, I won't be
able to help much more on the subject.
Another one which seemed to work: since I saw the issue was apparently
because of symlinks (lnk_file), I tried to run the command in the
ExecStart of the service with sudo in a terminal (so
sudo /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon
--build-users-group=guixbuild )
and everything seemed to work (I could guix pull, guix install
glibc-locales and I saw the connections being accepted in the daemon
terminal too).
* Patch
c0c82d8f was the commit I used for guix-daemon.cil.in
---
diff --git a/guix-daemon.cil.in b/guix-daemon.cil
index 7b882fe..7a7d374 100644
--- a/guix-daemon.cil.in
+++ b/guix-daemon.cil
@@ -34,14 +34,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
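Review bot: after this hunk guix_daemon_exec_t carries both file_type (the new line) and domain (the unchanged context line closing this hunk, and the seinfo output earlier in the mail shows the same); a type that labels an executable on disk needs to be a file type but is normally not itself a domain, so it is worth confirming the domain membership is intended before stacking file_type on top of it rather than only adding the attribute to make restorecon happy. Style point: the five single-type statements can be one statement mirroring the existing domain line, for example `(typeattributeset file_type (guix_daemon_conf_t guix_daemon_exec_t guix_daemon_socket_t guix_store_content_t guix_profiles_t))` placed after the last type declaration, which keeps the list of file-labelling types in one place.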
@@ -261,25 +266,25 @@
(udp_socket (ioctl create)))
;; Label file system
- (filecon "@guix_sysconfdir@/guix(/.*)?"
+ (filecon "/etc/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
- (filecon "@guix_localstatedir@/guix(/.*)?"
+ (filecon "/var/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
- (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
+ (filecon "/var/guix/profiles(/.*)?"
any (system_u object_r guix_profiles_t (low low)))
(filecon "/gnu"
dir (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@storedir@(/.+)?"
+ (filecon "/gnu/store(/.+)?"
any (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@storedir@/[^/]+/.+"
+ (filecon "/gnu/store/[^/]+/.+"
any (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@prefix@/bin/guix-daemon"
+ (filecon "/usr/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
+ (filecon "/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
+ (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix-authenticate"
file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
+ (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix/(.*)?"
any (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
- any (system_u object_r guix_daemon_socket_t (low low))))
\ No newline at end of file
+ (filecon "/var/guix/daemon-socket/socket"
+ any (system_u object_r guix_daemon_socket_t (low low))))
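Review bot: this hunk hard-codes the @guix_sysconfdir@, @guix_localstatedir@, @storedir@ and @prefix@ placeholders, and the header `diff --git a/guix-daemon.cil.in b/guix-daemon.cil` shows the template is being compared against the generated file, so the patch cannot be applied to the source tree as-is: the placeholder expansion belongs to the build step, not to the policy text. Keep only the file_type additions against guix-daemon.cil.in and regenerate the .cil with the real paths. Two things to check in the resulting labels: the ExecStart path quoted in the Workarounds section, /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon, is matched by `/var/guix/profiles(/.*)?` and therefore labelled guix_profiles_t rather than guix_daemon_exec_t, which is relevant to the lnk_file read denial reported above; and whether /usr/bin/guix-daemon exists at all on a binary-installer system, otherwise the rewritten @prefix@ line labels nothing.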
Best regards,
Gerry (@gagbo)
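As an added example for the "guix_store_content_t is not a file_type" section (my own code, not from this mail, from Guix, or from the SELinux tools): a small checker that parses a CIL module, resolves block namespaces into the block.type form that seinfo prints, and reports every type that a filecon rule assigns to a path but that never receives the file_type attribute, which is the condition that makes restorecon refuse the relabel. The sample policy embedded below is constructed to resemble the guix-daemon.cil fragment quoted in the patch and is not the real file; it deliberately marks only guix_daemon_conf_t as file_type so that the two other labelled types are reported.

```python
"""Report filecon-labelled CIL types that lack the file_type attribute.

Added example; the SAMPLE_CIL below is a constructed stand-in for
guix-daemon.cil, not the real policy.
"""
import re

# Constructed sample (hypothetical); only guix_daemon_conf_t is a file_type.
SAMPLE_CIL = r"""
;; hypothetical module for the example
(block guix_daemon
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_store_content_t)
  (type guix_profiles_t)
  (typeattributeset domain (guix_daemon_t))
  (filecon "/etc/guix(/.*)?"
    any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "/gnu/store(/.+)?"
    any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "/var/guix/profiles(/.*)?"
    any (system_u object_r guix_profiles_t (low low))))
"""

# Tokens: ';' comments to end of line, double-quoted strings (filecon
# regexes may contain parentheses), single parentheses, bare symbols.
_TOKEN = re.compile(r';[^\n]*|"(?:[^"\\]|\\.)*"|[()]|[^\s()";]+')


def parse_cil(text):
    """Parse CIL s-expressions into nested Python lists of strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok.startswith(';'):
            continue                          # comment, skip
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in CIL input")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '(' in CIL input")
    return stack[0]


def iter_forms(nodes, namespace=""):
    """Yield (namespace, form) pairs, descending into (block NAME ...)
    so that names come out as seinfo prints them: block.type."""
    for node in nodes:
        if not isinstance(node, list) or not node:
            continue
        if node[0] == "block" and len(node) >= 2 and isinstance(node[1], str):
            yield from iter_forms(node[2:], namespace + node[1] + ".")
        else:
            yield namespace, node


def missing_file_type(cil_text):
    """Return {qualified type: [paths]} for every type that a filecon
    rule uses but that no (typeattributeset file_type ...) covers."""
    declared, file_types, labelled = set(), set(), {}
    for ns, form in iter_forms(parse_cil(cil_text)):
        head = form[0]
        if head == "type" and len(form) == 2:
            declared.add(ns + form[1])
        elif head == "typeattributeset" and len(form) == 3 and form[1] == "file_type":
            members = form[2] if isinstance(form[2], list) else [form[2]]
            for member in members:            # skip nested (and ...) exprs
                if isinstance(member, str):
                    file_types.add(ns + member)
        elif head == "filecon" and len(form) == 4 and isinstance(form[3], list) and len(form[3]) >= 3:
            path, ctx_type = form[1].strip('"'), form[3][2]
            qualified = ns + ctx_type
            if qualified not in declared:     # type declared outside the block
                qualified = ctx_type
            labelled.setdefault(qualified, []).append(path)
    return {t: paths for t, paths in labelled.items() if t not in file_types}


def suggest_fix(missing):
    """CIL statements that would give each reported type the attribute."""
    lines = []
    for qualified in sorted(missing):
        ns, _, name = qualified.rpartition(".")
        note = f"  ; inside block {ns}" if ns else ""
        lines.append(f"(typeattributeset file_type {name}){note}")
    return lines


if __name__ == "__main__":
    report = missing_file_type(SAMPLE_CIL)
    for qualified, paths in sorted(report.items()):
        print(f"{qualified}: labels {', '.join(paths)} but is not file_type")
    print("\n".join(suggest_fix(report)))
```

Running it against a real module (`missing_file_type(open("guix-daemon.cil").read())`) before `semodule -i` tells you which restorecon relabels will be refused; an empty result is the state the patch above tries to reach for all five types.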