Re: SELinux log

2019-06-16 Thread Laura Lazzati
Hi!


> * I’m repeating myself here: do *not* use enforcing mode.  Do use
>   permissive mode only.
>
Oh, sorry for this, it was the "easy" way of checking that it didn't work.
I have byobu running now with a tail -f of the audit log.
My question was more like "I am hardcoding the path to guix (at least
before doing a guix pull); I cannot understand why that doesn't work", even
if I did it just to try whether it partially solved why guix was not found.
On the other hand, I get:

type=AVC msg=audit(1560741907.590:426): avc:  denied  { search } for
 pid=31810 comm="which" name="gnu" dev="dm-0" ino=931548
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_store_content_t:s0
tclass=dir permissive=1

Should I add something allowing commands under /usr/bin to operate over
guix? Or am I mixing things too much?


Regards :)
Laura




Re: SELinux log

2019-06-16 Thread Ricardo Wurmus


Hi Laura,

> I have even tried adding the full path but when I test it I still see that
> Guix is not found using enforcing mode.
> Any ideas?

Two things:

* when you edit the .cil.in file you need to run the configure script
  again to generate an updated .cil file.  You can’t load the changed
  .cil.in file directly.

* I’m repeating myself here: do *not* use enforcing mode.  Do use
  permissive mode only.

-- 
Ricardo




Re: SELinux log

2019-06-16 Thread Laura Lazzati
Hi!

I am somewhat stuck :/

I cannot figure out why this doesn't work.
I have even tried adding the full path but when I test it I still see that
Guix is not found using enforcing mode.
Any ideas?

Regards :)
Laura
@@ -1,4 +1,4 @@
-;; -*- lisp -*-
+; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Ricardo Wurmus 
 ;;;
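Review bot: the only change in this hunk is the comment marker on line 1 (`;;` versus `;`), which is noise and should be dropped from the patch. Note also that the diff is the wrong way round: the edited copy is the left-hand file and the pristine etc/guix-daemon.cil.in the right-hand one, so throughout this patch the `-` lines are the additions and the `+` lines the original; generate it as `diff -u <pristine> <edited>` so it reads naturally.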
@@ -42,13 +42,9 @@
   (roletype object_r guix_store_content_t)
   (type guix_profiles_t)
   (roletype object_r guix_profiles_t)
-  (type guix_client_exec_t)
-  (roletype object_r guix_client_exec_t)
-  (type guix_client_t)
-  (roletype object_r guix_client_t)
 
   ;; These types are domains, thereby allowing process rules
-  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))
+  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
 
   (level low (s0))
 
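Review bot: `(roletype object_r guix_client_t)` binds the new process domain only to object_r, the role of files. The shell that will exec guix runs as unconfined_u:unconfined_r:unconfined_t (see the scontext of the AVC lines in this thread), so a transition into guix_client_t produces the context unconfined_u:unconfined_r:guix_client_t, which the kernel rejects as invalid unless unconfined_r is authorised for that type. Add `(roletype unconfined_r guix_client_t)` next to the declaration; keeping it with object_r only is one way to end up with "Permission denied" on exec in enforcing mode.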
@@ -58,8 +54,6 @@
   process guix_daemon_t)
   (typetransition guix_store_content_t guix_daemon_exec_t
   process guix_daemon_t)
-  (typetransition guix_store_content_t guix_client_exec_t
-  process guix_client_t)
 
   ;; Permit communication with NSCD
   (allow guix_daemon_t
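Review bot: the source of a process typetransition is the domain of the calling process, not a file label, so `(typetransition guix_store_content_t guix_client_exec_t process guix_client_t)` only fires for a process already running as guix_store_content_t, which never happens; the caller in the logs is unconfined_t. Use `(typetransition unconfined_t guix_client_exec_t process guix_client_t)`, and pair it with the allow rules a transition needs (unconfined_t execute on guix_client_exec_t, unconfined_t transition to guix_client_t, guix_client_t entrypoint on guix_client_exec_t), none of which appear in the patch.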
@@ -266,19 +260,6 @@
  self
  (udp_socket (ioctl create)))
 
-  ;;Client operations
-  (allow guix_client_t
- guix_daemon_conf_t
-  (dir (search
-  getattr
-  open read)))
-  (allow guix_client_t
- guix_daemon_conf_t
-  (file (map
-getattr
-open read)))
-
-
   ;; Label file system
   (filecon "@guix_sysconfdir@/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
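Review bot: the two client allow rules cover guix_daemon_conf_t only. Nothing grants guix_client_t search/read on guix_store_content_t, where the guix script and its Guile interpreter live, nor on guix_profiles_t or the daemon socket, so even with a working transition the client would be denied as soon as it starts. The denial actually seen in the log (`comm="which"`, `name="gnu"`, tclass=dir) is against unconfined_t, the shell's own domain, which shows the transition is not taking place at all; fix the transition first, then widen these rules from the guix_client_t denials that permissive mode logs.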
@@ -301,6 +282,4 @@
   (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
any (system_u object_r guix_daemon_exec_t (low low)))
   (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
-   any (system_u object_r guix_daemon_socket_t (low low)))
-  (filecon "/var/guix/profiles/per-user/root/current-guix/bin/guix"
-   file (system_u object_r guix_client_exec_t (low low
+   any (system_u object_r guix_daemon_socket_t (low low
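Review bot: `(filecon "/var/guix/profiles/per-user/root/current-guix/bin/guix" file ...)` hard-codes /var/guix where the rule just above uses @guix_localstatedir@, and it names a path reached through symlinks (current-guix is a profile link into the store). The file that execve actually opens, and whose label decides the transition, is the store item `readlink -f $(which guix)` resolves to, which the existing @storedir@ patterns label guix_store_content_t, so this rule changes nothing; with class `file` a symlink at that path is not matched either. Label the real file with a store pattern in the style of the `(guix-.+|profile)/libexec/guix` rule above.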



Re: SELinux log

2019-06-14 Thread Laura Lazzati
Hi!
Thanks for guiding me in solving this issue :)
I am editing the file to see if I can finish the task, will answer back
with my new results.

> Thanks!  (Please use “diff -u” in the future; it’s clearer when you’re
> used to git diffs.)
>
Will take this into account!

> What about what “guix pull” installs?
>
Yes, I thought about this.

Regards :)
Laura


Re: SELinux log

2019-06-13 Thread Ricardo Wurmus


Laura Lazzati  writes:

>> What is the file name of “guix” when running in permissive mode?  We
>> need to know this to adjust the policy.
>>
> After running `which guix` I get:
> /usr/local/bin/guix
> I tried to add another label for it but it didn't work. I was going to ask
> you for a good tutorial for writing the policies but I have just found
> https://github.com/SELinuxProject/cil/wiki, I will read it the next days :)
>
> I am attaching the diff file.

Thanks!  (Please use “diff -u” in the future; it’s clearer when you’re
used to git diffs.)

I see this:

<   (filecon "@storedir@/.../bin/guix"


Re: SELinux log

2019-06-13 Thread Laura Lazzati
> What is the file name of “guix” when running in permissive mode?  We
> need to know this to adjust the policy.
>
After running `which guix` I get:
/usr/local/bin/guix
I tried to add another label for it but it didn't work. I was going to ask
you for a good tutorial for writing the policies but I have just found
https://github.com/SELinuxProject/cil/wiki, I will read it the next days :)

I am attaching the diff file.

Regards!
Laura
diff -b guix-daemon.cil /home/laura/guix/etc/guix-daemon.cil.in 
1c1
< ;; -*- lisp -*-
---
> ; -*- lisp -*-
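Review bot: the operand order is reversed here: `guix-daemon.cil` (the edited copy) is the first argument and the pristine .cil.in the second, so the `<` lines are the additions and the `>` lines the original. Run it as `diff -u <pristine> <edited>` so additions show up as `+`, and drop this first hunk, which only changes a comment marker.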
45,48d44
<   (type guix_client_exec_t)
<   (roletype object_r guix_client_exec_t)
<   (type guix_client_t)
<   (roletype object_r guix_client_t)
51c47
<   (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))
---
>   (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
267,279d262
<   ;;Client operations
<   (allow guix_client_t
<  guix_daemon_conf_t
<   (dir (search
<   getattr
<   open read)))
<   (allow guix_client_t
<  guix_daemon_conf_t
<   (file (map
< getattr
< open read)))
< 
< 
302,306c285
any (system_u object_r guix_daemon_socket_t (low low



Re: SELinux log

2019-06-13 Thread Ricardo Wurmus


Laura Lazzati  writes:

>> That’s confusing.  Didn’t you say that you ran “guix search” before?
>
> I've figured out the reason. In both cases - when I create the .autorelabel
> file and reboot (so the permissive mode goes away, since I am changing it
> through the CLI) and when I don't but run `restorecon -r /` and set it to
> enforcing mode manually - guix is not found anymore. In permissive mode
> guix is found and I can use it without issues.

Throughout this experiment you should be using permissive mode.  There
is no point in using enforcing mode until the policy is fixed.

What is the file name of “guix” when running in permissive mode?  We
need to know this to adjust the policy.

> I only added/changed the lines of
> the file that you sent me here.

It would be easier if I could see a diff.

-- 
Ricardo




Re: SELinux log

2019-06-12 Thread Laura Lazzati
> That’s confusing.  Didn’t you say that you ran “guix search” before?

I've figured out the reason. In both cases - when I create the .autorelabel
file and reboot (so the permissive mode goes away, since I am changing it
through the CLI) and when I don't but run `restorecon -r /` and set it to
enforcing mode manually - guix is not found anymore. In permissive mode
guix is found and I can use it without issues. I don't even get anything
logged in the audit.log file. Any ideas? I only added/changed the lines of
the file that you sent me here.

Regards :)
Laura


Re: SELinux log

2019-06-12 Thread Ricardo Wurmus


Laura Lazzati  writes:

>> When you run “which guix” what does it say?  What does “readlink -f
>> $(which guix)” say?
>>
> I first get the result of evaluating `which guix` saying it is not found,
> and then that readlink has no operand, see:
>
> /usr/bin/which: no guix in
> (/home/laura/.local/bin:/home/laura/bin:/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin)
> readlink: missing operand

That’s confusing.  Didn’t you say that you ran “guix search” before?

-- 
Ricardo




Re: SELinux log

2019-06-12 Thread Laura Lazzati
> Yes, I know.  The lines I proposed were untested, though, and some of
> them required adjustment, so I was curious to know what exact changes
> you performed locally and where.

After writing the previous email I realized I could have done it in a
separate file, right? Like I said, I cloned the repo, copied
etc/guix-daemon.cil under /root, added the types/rules and replaced the
typeattributeset in the "sections" of the file.

>
> > BTW, when they are finished how can I share that file
> > without pushing it?
>
> You can share a git formatted patch as an email attachment.
>
Ok, I will do it then.

>
> When you run “which guix” what does it say?  What does “readlink -f
> $(which guix)” say?
>
I first get the result of evaluating `which guix` saying it is not found,
and then that readlink has no operand, see:

/usr/bin/which: no guix in
(/home/laura/.local/bin:/home/laura/bin:/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin)
readlink: missing operand

Regards :)


Re: SELinux log

2019-06-12 Thread Ricardo Wurmus


Hi Laura,

>> Which lines?  All of the changes I described were not necessarily ready
>> for inclusion.  They were all untested.
>>
> No, I meant I did it locally on my computer. I didn't even touch the
> original file.

Yes, I know.  The lines I proposed were untested, though, and some of
them required adjustment, so I was curious to know what exact changes
you performed locally and where.

> BTW, when they are finished how can I share that file
> without pushing it?

You can share a git formatted patch as an email attachment.

>> This probably just means that there are no context permissions for “ls”
>> to access /gnu.  Another “allow” rule may be required to permit
>> read-only access on /gnu to any process.
>>
> Oh, I see, but I still have the issue of not finding Guix. I will try to
> create rules and share them here.

When you run “which guix” what does it say?  What does “readlink -f
$(which guix)” say?

-- 
Ricardo




Re: SELinux log

2019-06-12 Thread Laura Lazzati
Hi!

> Which lines?  All of the changes I described were not necessarily ready
> for inclusion.  They were all untested.
>
No, I meant I did it locally on my computer. I didn't even touch the
original file. BTW, when they are finished how can I share that file
without pushing it?

> This probably just means that there are no context permissions for “ls”
> to access /gnu.  Another “allow” rule may be required to permit
> read-only access on /gnu to any process.
>
Oh, I see, but I still have the issue of not finding Guix. I will try to
create rules and share them here.

Regards :)
Laura



Re: SELinux log

2019-06-12 Thread Ricardo Wurmus


Laura Lazzati  writes:

> I added the lines to a copy of guix-daemon.cil which I got from cloning
> guix and placed it in root's home.

Which lines?  All of the changes I described were not necessarily ready
for inclusion.  They were all untested.

> Since everything was messy (/gnu had d?? as permissions as well as
> all the fields listed with `ls -l`, and I could not solve it, even trying to
> delete it), I restored my VM to the point prior to adding the policy and
> loading the module.
> There I ran semodule, using the new file, created the .autorelabel file
> and rebooted. It labeled everything, but I still can't run guix, and /gnu
> dir again ended with these weird permissions:
> d??   ? ???? gnu

This probably just means that there are no context permissions for “ls”
to access /gnu.  Another “allow” rule may be required to permit
read-only access on /gnu to any process.

--
Ricardo




Re: SELinux log

2019-06-11 Thread Laura Lazzati
Hi!

I added the lines to a copy of guix-daemon.cil which I got from cloning
guix and placed it in root's home.
Since everything was messy (/gnu had d?? as permissions as well as
all the fields listed with `ls -l`, and I could not solve it, even trying to
delete it), I restored my VM to the point prior to adding the policy and
loading the module.
There I ran semodule, using the new file, created the .autorelabel file
and rebooted. It labeled everything, but I still can't run guix, and /gnu
dir again ended with these weird permissions:
d??   ? ???? gnu

Any ideas?

Regards :/
Laura


Re: SELinux log

2019-06-11 Thread Ricardo Wurmus


Hi Laura,

>> So we need to figure out what file that “guix” command corresponds to,
>> so that we can add a rule to the policy to apply the correct label.
>>
> I see. But how can we do this?

We then need to think about the kinds of file operations that the “guix”
command should be permitted to perform.  We know already that it should
be allowed to access files of type “guix_daemon_conf_t”.

What do you think: should we define a new type for the Guix command?  If
so, we need to declare it near the top:

  ;; Declare own types
  (type guix_daemon_t)
  …

We would add two new types: one is a file type “guix_client_exec_t”,
which will be given to the “guix” executables.  The file type should
allow the *process* spawned by the executable to operate in the
“guix_client_t” domain.

So, we’ll do this:

  (type guix_client_exec_t)
  (roletype object_r guix_client_exec_t)
  (type guix_client_t)
  (roletype object_r guix_client_t)

Since this type should not just be a file type but a *process* domain (=
a type for processes), we need to declare it as such, so this line

  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

would become that line:

  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))

Now we need to permit a domain transition: a file with type
guix_client_exec_t (when executed) should cause the resulting process to
transition to the guix_client_t domain.  I’m not sure about this, but I
think we want this transition declaration:

  (typetransition guix_store_content_t guix_client_exec_t
  process guix_client_t)

This means: when a process in guix_store_content_t spawns a
guix_client_exec_t process, let it run in the guix_client_t context.

And *now* we can add rules of access for processes running in the
guix_client_t domain, such as these read-only directory access
permissions:

  (allow guix_client_t
 guix_daemon_conf_t
 (dir (search
   getattr
   open read)))

and perhaps these read-only file access permissions:

  (allow guix_client_t
 guix_daemon_conf_t
 (file (map
getattr
open read)))

Lastly, we need to add a file rule, so that the guix executables all get
the right type.  The first step is to see what “guix” is:

readlink -f $(which guix)

It’s probably a store item with a particular name that isn’t captured by
an explicit rule in etc/guix-daemon.cil yet.  We then add a rule to give
the “guix” file the proper label, something like the following, but with
a glob pattern matching the actual “guix” file:

  (filecon "@storedir@/…/bin/guix"
   file (system_u object_r guix_client_exec_t (low low)))

Every time we change the policy we need to run semanage to unload the
loaded policy and load the new one from file, then run restorecon to
relabel (a subset of the) files in /gnu.

A little tedious, but it should be manageable.  Would you like to give
it a try?

--
Ricardo
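Putting the steps in the message above together, here is a complete client-domain fragment, added as an example; it is not code from the Guix repository or from either participant in this thread. It is written to be pasted inside the existing `(block guix_daemon ...)` of etc/guix-daemon.cil.in (the block name is visible in the tcontext fields of the AVC lines above), so that `low`, `domain` and the guix_* types declared there resolve. `unconfined_t` and `unconfined_r` are the scontext of the shell that runs guix in those same AVC lines, the store pattern of the last rule mirrors the existing libexec/guix rule, and the permission sets are an assumption: a first cut to be refined from what permissive mode logs.

```cil
;; Added example (not from the Guix repository): a confined domain for the
;; "guix" client.  Place inside (block guix_daemon ...) of guix-daemon.cil.in;
;; unconfined_t/unconfined_r are assumed to be the caller's context, as in
;; the AVC lines of this thread.  Regenerate the .cil with ./configure so that
;; @storedir@ is substituted before loading it with semodule.

;; 1. Types.  A process domain needs a role that processes really run in;
;;    object_r is only for files, unconfined_r is what the shell runs as.
(type guix_client_exec_t)
(roletype object_r guix_client_exec_t)
(type guix_client_t)
(roletype unconfined_r guix_client_t)
;; Replace the existing "domain" line with this one (adds guix_client_t).
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))

;; 2. The domain transition.  Source = calling domain (the shell),
;;    target = label of the executed file, result = new domain.
(allow unconfined_t guix_client_exec_t (file (execute read open getattr map)))
(allow unconfined_t guix_client_t (process (transition)))
(allow guix_client_t guix_client_exec_t
       (file (entrypoint execute read open getattr map)))
(typetransition unconfined_t guix_client_exec_t process guix_client_t)

;; 3. Keep the parent/child relationship working: inherit the shell's file
;;    descriptors and deliver SIGCHLD back to it.
(allow guix_client_t unconfined_t (fd (use)))
(allow guix_client_t unconfined_t (process (sigchld)))

;; 4. Read-only access to the store.  "guix" is a Guile script whose
;;    interpreter and libraries also live in the store, hence execute/map.
(allow guix_client_t guix_store_content_t (dir (search getattr open read)))
(allow guix_client_t guix_store_content_t (lnk_file (read getattr)))
(allow guix_client_t guix_store_content_t
       (file (read open getattr map execute execute_no_trans)))

;; 5. Daemon configuration (/etc/guix, /var/guix) and profiles, read-only.
(allow guix_client_t guix_daemon_conf_t (dir (search getattr open read)))
(allow guix_client_t guix_daemon_conf_t (lnk_file (read getattr)))
(allow guix_client_t guix_daemon_conf_t (file (read open getattr map)))
(allow guix_client_t guix_profiles_t (dir (search getattr open read)))
(allow guix_client_t guix_profiles_t (lnk_file (read getattr)))
(allow guix_client_t guix_profiles_t (file (read open getattr map)))

;; 6. Talk to guix-daemon over its Unix socket: write on the socket file
;;    plus connectto on the daemon's listening socket.
(allow guix_client_t self
       (unix_stream_socket (create connect read write getattr setattr ioctl)))
(allow guix_client_t guix_daemon_socket_t (sock_file (write getattr)))
(allow guix_client_t guix_daemon_t (unix_stream_socket (connectto)))

;; 7. Label the executable that execve really opens (the store file that
;;    "readlink -f $(which guix)" resolves to), for both the installed guix
;;    and the one "guix pull" puts in a profile.
(filecon "@storedir@/.+-(guix-.+|profile)/bin/guix"
 any (system_u object_r guix_client_exec_t (low low)))
```

Regenerate the .cil with ./configure, load it with `semodule -i`, relabel with `restorecon -r /gnu`, and stay in permissive mode. Denials whose scontext ends in guix_client_t (the user's home directory, the terminal's devpts device) are the rules still to add; denials that still come from unconfined_t mean no transition happened, which is what you get when `ls -Z $(readlink -f $(which guix))` does not show guix_client_exec_t, i.e. the filecon pattern does not match the file that is actually executed.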




Re: SELinux log

2019-06-11 Thread Laura Lazzati
Hi!


> So we need to figure out what file that “guix” command corresponds to,
> so that we can add a rule to the policy to apply the correct label.
>
I see. But how can we do this?

Regards :)
Laura


Re: SELinux log

2019-06-10 Thread Ricardo Wurmus


Hi Laura,

> My audit log showed:
>
> type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for
>  pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0

This looks better.

This says that “guix” is not labeled correctly.  The message isn’t very
clear, but it looks like bash spawned “guix”, which has no particular
SELinux context (unconfined).  When it tries to access /var/guix (which
*does* have the correct label) it is denied access, because only the
guix-daemon type has been granted access to files of type
“guix_daemon_conf_t”.

So we need to figure out what file that “guix” command corresponds to,
so that we can add a rule to the policy to apply the correct label.

--
Ricardo




Re: SELinux log

2019-06-09 Thread Laura Lazzati
Hi!

More info after having my fresh install.

First, I ran semodule, and successfully checked my /gnu dir with the -Z option.
After that, I created the file and rebooted. While rebooting this time I
got the message telling me that the system was being relabeled. Then, I ran
restorecon and set SELinux to Permissive mode. Tried it by doing a guix search
hello.

My audit log showed:

type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for
 pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
permissive=0

After that I set SELinux to Enforcing to see what message I got in the CLI, and
it was a Permission Denied, and now I am getting that guix is not
installed, double-checking with `which guix` :S

I am trying installing guix again with the script, and it reaches the point
where I get:
mv: cannot stat '/var/guix': Permission denied

Any ideas?


Regards!
Laura


Re: SELinux log

2019-06-09 Thread Laura Lazzati
Hi!

>
> If this doesn’t work I don’t know how to proceed.
>
Me neither. I will delete my VM and have a fresh install, to see if I did
something wrong in between, following the same steps. At least we know that in
Fedora/RHEL we deactivate SELinux and Guix works fine up to now :/

>
> Good luck! :)
>
Yes, I wish I did something wrong and it works on my new VM. Will answer back
here!

Regards :)
Laura


Re: SELinux log

2019-06-08 Thread Ricardo Wurmus


Hey Laura,

> I ran `semodule -i etc/guix-daemon.cil`, then created the file, rebooted,
> and nothing happened.

Hmm, the order is fine.  I don’t know what might be wrong.

> I am running again `restorecon -r /`.

This should also be fine, though “restorecon -r /gnu” would probably be
enough.  Confirm that contexts have been set properly with “ls -laZ
/gnu”.

If this doesn’t work I don’t know how to proceed.

Good luck! :)

--
Ricardo




Re: SELinux log

2019-06-08 Thread Laura Lazzati
Hi!


> Reinstallation should not be necessary for this.  It’s unlikely that
> SELinux is broken.  Just make sure that everything is properly labeled.
> The reboot should take a pretty long time while every file on the disk
> is labeled.
>

Uhm, then I am doing something wrong, or did not understand very well when I
should run the last two commands.
I ran `semodule -i etc/guix-daemon.cil`, then created the file, rebooted,
and nothing happened. I am running again `restorecon -r /`.
Which one should be the order?


Re: SELinux log

2019-06-08 Thread Ricardo Wurmus


Laura Lazzati  writes:

>> Uhm, that’s weird, but you’re not in permissive mode, are you?  What
>> does “getenforce” say?
>>
> I tried it in both modes and got the same result in the log file.

Well, when in permissive mode it should probably say “permissive=1” in
the logs, but otherwise it should be the same.

>> To relabel your whole file system according to installed policies run
>> this:
>>
>> touch /.autorelabel
>> reboot
>>
> I will see if my Fedora on the VM is not broken and try it. Otherwise fresh
> install... and do this.
> will answer back with my results.

Reinstallation should not be necessary for this.  It’s unlikely that
SELinux is broken.  Just make sure that everything is properly labeled.
The reboot should take a pretty long time while every file on the disk
is labeled.

--
Ricardo




Re: SELinux log

2019-06-08 Thread Laura Lazzati
Hi!

> Uhm, that’s weird, but you’re not in permissive mode, are you?  What
> does “getenforce” say?
>
I tried it in both modes and got the same result in the log file.

>
> To relabel your whole file system according to installed policies run
> this:
>
> touch /.autorelabel
> reboot
>
I will see if my Fedora on the VM is not broken and try it. Otherwise fresh
install... and do this.
will answer back with my results.

Regards :)
Laura


Re: SELinux log

2019-06-08 Thread Ricardo Wurmus


Hi Laura,

> --8<---cut here---start->8---
> type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=mass relabel exe="/usr/sbin/setfiles"
> hostname=localhost.localdomain addr=? terminal=pts/1 res=failed'UID="root"
> AUID="laura"
> type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
> lsm=selinux res=1AUID="laura"
>
> type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
> policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0
> hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
> type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
> policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0
> hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
> type=AVC msg=audit(1559947746.785:39285): avc:  denied { relabelto } for
>  pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0
> type=AVC msg=audit(1559947746.787:39286): avc:  denied { relabelto } for
>  pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
> tclass=file permissive=0
> --8<---cut here---end--->8---

Uhm, that’s weird, but you’re not in permissive mode, are you?  What
does “getenforce” say?

To relabel your whole file system according to installed policies run
this:

touch /.autorelabel
reboot

as root.  Upon rebooting all your files will be relabeled.  Before doing
this better double check that the guix-daemon policy has in fact been
installed, because labeling takes a very long time.

--
Ricardo




Re: SELinux log

2019-06-07 Thread Laura Lazzati
--8<---cut here---start->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1 res=failed'UID="root"
AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"

type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc:  denied { relabelto } for
 pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
permissive=0
type=AVC msg=audit(1559947746.787:39286): avc:  denied { relabelto } for
 pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---cut here---end--->8---


Re: SELinux log

2019-06-07 Thread Laura Lazzati
Sorry, my mail client apparently hates me, it is somewhat formatting
my mails after sending them ¬¬



Re: SELinux log

2019-06-07 Thread Laura Lazzati
Hi!

> Thank you, the log is helpful (even though it looks like your mail
> client reformatted it, which makes it very hard to read).
Sorry for that :/

> Did you run “restorecon” on the store to recursively label all files?
I did, but looking at the log I have just found that you are right: it is
not labeling properly (I am running the commands like they are in the
manual, with the proper path to the policy, and `restorecon -r /`), weird,
see:

--8<---cut here---start->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1
res=failed'UID="root" AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"
addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc:  received policyload notice (seqno=3)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc:  received policyload notice (seqno=4)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc:  denied { relabelto }
for  pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=dir permissive=0
type=AVC msg=audit(1559947746.787:39286): avc:  denied { relabelto }
for  pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---cut here---end--->8---

And taking a look at /gnu I get:

d??   ? ???? gnu
 :S

Regards :)
Laura



Re: SELinux log

2019-06-06 Thread Laura Lazzati
Hi!

Hope to shed some light.

I followed all the steps that I hadn't followed before in the
documentation manual about SELinux for guix daemon (ran semodule,
restorecon for all the filesystem and restarted the daemon).
I forgot to set SELinux in permissive mode, so I still got the issue
with the socket.
Then I realized about this, and changed the mode. My log shows that
SELinux would have prevented the daemon from running, like when I had
it in enforcing mode:
--8<---cut here---start->8---
type=SERVICE_START msg=audit(1559870054.070:258): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=flatpak-system-helper comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870056.300:259): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=user@42 comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870056.340:260): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=user-runtime-dir@42 comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1559870056.930:261): avc:  denied  { read } for
pid=750 comm="guix-daemon" name="libnss_files.so.2" dev="dm-0"
ino=559459 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file
permissive=1
type=AVC msg=audit(1559870056.930:262): avc:  denied  { map } for
pid=750 comm="guix-daemon"
path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.930:263): avc:  denied  { execute } for
pid=750 comm="guix-daemon"
path="/gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/libnss_files-2.28.so"
dev="dm-0" ino=559457 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.937:264): avc:  denied  { create } for
pid=2170 comm="guix-daemon" name="reserved"
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.937:265): avc:  denied  { write } for
pid=2170 comm="guix-daemon" path="/var/guix/db/reserved" dev="dm-0"
ino=306296 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.940:266): avc:  denied  { write } for
pid=2170 comm="guix-daemon" name="db.sqlite" dev="dm-0" ino=306225
scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.950:267): avc:  denied  { setattr } for
pid=2170 comm="guix-daemon" name="db.sqlite-wal" dev="dm-0" ino=306376
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870056.950:268): avc:  denied  { map } for
pid=2170 comm="guix-daemon" path="/var/guix/db/db.sqlite-shm"
dev="dm-0" ino=306377 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870058.000:269): avc:  denied  { link } for
pid=2170 comm="guix-daemon"
name="7f1alh9qj2h0wwy2220npgnmw6pbrkwx-mirrors" dev="dm-0" ino=551918
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870058.130:270): avc:  denied  { rename } for
pid=2170 comm="guix-daemon" name=".tmp-link-2170-1804289383"
dev="dm-0" ino=551930 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870060.410:271): avc:  denied  {
execute_no_trans } for  pid=2173 comm="guix-daemon"
path="/gnu/store/ncknl03pkmamrxg7q9nxi1rn1qhvwbi9-guix-1.0.1/libexec/guix/substitute"
dev="dm-0" ino=679069 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559870060.886:272): avc:  denied  { name_connect }
for  pid=2173 comm=677569782073756273746974757465 dest=443
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
permissive=1
type=SERVICE_STOP msg=audit(1559870062.620:273): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1559870070.140:274): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-localed comm="systemd"
exe="/usr/lib/systemd/systemd" 

Re: SELinux log

2019-06-06 Thread Ricardo Wurmus


Hi Laura,

>> Thanks.  Did you install the SELinux policy for the daemon that is
>> included in the source code repository?  (It is not included in the
>> files that “guix pull” installs.)
> My bad, I haven't :/ Shall I put SELinux in enforcing mode and do so?

Permissive mode is better.  It will log violations but not prevent
them.  This allows us to see the details in the logs without impacting
our use of Guix. 

--
Ricardo




Re: SELinux log

2019-06-06 Thread Laura Lazzati
Hi!


> Thanks.  Did you install the SELinux policy for the daemon that is
> included in the source code repository?  (It is not included in the
> files that “guix pull” installs.)
My bad, I haven't :/ Shall I put SELinux in enforcing mode and do so?

Regards :)
Laura



Re: SELinux log

2019-06-05 Thread Ricardo Wurmus


Hi Laura,

> Today I've been installing Guix on top of Fedora (release 30), and I
> faced issues with guix-daemon, getting that it did not have permissions to
> run. It was a SELinux problem, since after disabling it and
> restarting the daemon I could use guix normally.
> Here is my audit.log file […]

Thanks.  Did you install the SELinux policy for the daemon that is
included in the source code repository?  (It is not included in the
files that “guix pull” installs.)

-- 
Ricardo




SELinux log

2019-06-04 Thread Laura Lazzati
Hi Guix!

Today I've been installing Guix on top of Fedora (release 30), and I
faced issues with guix-daemon, getting it did not have permissions for
running. It was a SELinux problem, since after disabling it and
restarting the daemon I could use guix normally.
Here is my audit.log file, in case someone is interested. AFAIK I
don't see anything terrible.
Regards :)
Laura



type=USER_START msg=audit(1559677185.958:270): pid=3429 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix
acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0
res=success'^]UID="root" AUID="laura"
type=USER_AUTH msg=audit(1559677185.980:271): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_rootok acct="root"
exe="/usr/bin/su" hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=USER_ACCT msg=audit(1559677185.980:272): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_succeed_if acct="root"
exe="/usr/bin/su" hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=CRED_ACQ msg=audit(1559677185.984:273): pid=3435 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura"
type=USER_START msg=audit(1559677186.010:274): pid=3435 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask
acct="root" exe="/usr/bin/su" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=SERVICE_STOP msg=audit(1559677213.721:275): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=ADD_GROUP msg=audit(1559677295.645:276): pid=3555 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-group id=976 exe="/usr/sbin/groupadd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="guixbuild"
type=GRP_MGMT msg=audit(1559677296.166:277): pid=3555 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-shadow-group id=976 exe="/usr/sbin/groupadd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="guixbuild"
type=ADD_USER msg=audit(1559677307.042:278): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user id=978 exe="/usr/sbin/useradd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="unknown(978)"
type=USER_MGMT msg=audit(1559677307.048:279): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user-to-group grp="guixbuild" acct="guixbuilder01"
exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=USER_MGMT msg=audit(1559677307.060:280): pid=3565 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-to-shadow-group grp="guixbuild" acct="guixbuilder01"
exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=?
terminal=pts/0 res=success'^]UID="root" AUID="laura"
type=ADD_USER msg=audit(1559677309.363:281): pid=3577 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=add-user id=977 exe="/usr/sbin/useradd"
hostname=localhost.localdomain addr=? terminal=pts/0
res=success'^]UID="root" AUID="laura" ID="unknown(977)"