[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
|
From: |
Marius Bakke |
|
Subject: |
[bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy |
|
Date: |
Fri, 13 Nov 2020 16:59:52 +0100 |
Daniel Brooks <db48x@db48x.net> writes:
> Marius Bakke <marius@gnu.org> writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?
Ding ding ding.
https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation
>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.
Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds
for this?
Are you testing with the latest version of guix-daemon?
signature.asc
Description: PGP signature
[bug#44549] [PATCH v2] etc: updates for the guix-daemon SELinux policy, Daniel Brooks, 2020/11/12
[bug#44549] [PATCH v3] etc: updates for the guix-daemon SELinux policy, Daniel Brooks, 2020/11/12
[bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy, Daniel Brooks, 2020/11/14
[bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon, Daniel Brooks, 2020/11/14