Message ID | 87r1oxb96j.fsf@gnu.org
---|---
State | Accepted
Series | [bug#44549] etc: updates for the guix-daemon SELinux policy

Context | Check | Description
---|---|---
cbaines/applying patch | fail | Laminar job
Marius Bakke <marius@gnu.org> writes:

> Interestingly, after updating the system (both RHEL8 and Guix) and
> rebooting, I got new SELinux troubles!
>
> I had to add these additional rules to make guix-daemon start again:
>
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 47fd12a214..3e254a2187 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -86,12 +86,15 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + self
> + (process (execmem)))

At some point we should track down why that one is necessary, perhaps
Guile has a JIT compiler or something?

> (allow init_t
> guix_store_content_t
> - (file (open read execute)))
> + (file (open read execute execute_no_trans map)))

This one looks pretty suspicious. I think it would allow any file
labeled guix_store_content_t to run in the init_t domain? We wouldn't
want that.

db48x
Daniel Brooks <db48x@db48x.net> writes:

> Marius Bakke <marius@gnu.org> writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?

Ding ding ding.

https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation

>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.

Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds?

Are you testing with the latest version of guix-daemon?
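The two rules in the patch are the kind that `audit2allow` would produce from AVC denials, and the thread's objection is precisely that a mechanical translation grants more than is needed. The script below is an added example, not code from the Guix project or from audit2allow: it parses AVC denial lines into CIL `allow` rules in the style of guix-daemon.cil.in, merging permissions per (source, target, class) and writing `self` where source and target coincide, and then flags the two permissions the reviewers discuss, `execmem` and `execute_no_trans`, so they are looked at before being committed to policy. The audit lines are constructed for the example (the store path is a placeholder), not taken from any real log, and the names `RISKY`, `parse_denials`, `to_cil` and `risky_rules` are chosen here.

```python
"""Added example: AVC denials -> CIL allow rules, with a review list.

Not part of the Guix patch or of audit2allow; names and sample data are
chosen for this example only.
"""
import re
from collections import defaultdict

# Permissions that deserve a human look before they land in a policy.
# (These are the two the thread above argues about.)
RISKY = {
    ("process", "execmem"):
        "executable anonymous memory (JIT); grant it to the domain that "
        "actually runs the JIT, not to init_t",
    ("file", "execute_no_trans"):
        "runs the file in the caller's own domain; prefer a typetransition "
        "into a dedicated domain",
}

# Matches the fields of a kernel AVC denial record; 'for ...' may carry
# pid/comm/path/dev/ino, which we skip non-greedily.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def domain_type(context):
    """'user:role:type[:range]' -> 'type'."""
    return context.split(":")[2]


def parse_denials(lines):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; ignore
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped


def to_cil(grouped):
    """Emit one CIL allow rule per key, using 'self' when src == tgt."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        perm_list = " ".join(sorted(perms))
        rules.append(f"(allow {src} {target} ({cls} ({perm_list})))")
    return rules


def risky_rules(grouped):
    """Return (src, tgt, class, perm, reason) for every RISKY permission seen."""
    out = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        for perm in sorted(perms):
            if (cls, perm) in RISKY:
                out.append((src, tgt, cls, perm, RISKY[(cls, perm)]))
    return out


# Constructed sample records, shaped like the denials the two new rules in
# the patch would silence.  Not copied from a real audit log; the store
# path is a placeholder.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1605000000.000:100): avc:  denied  { execmem } for  '
    'pid=1234 comm="guile" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1605000000.001:101): avc:  denied  { execute_no_trans } for  '
    'pid=1234 comm="guile" path="/gnu/store/xxxx-guile/bin/guile" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:guix_store_content_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1605000000.002:102): avc:  denied  { map } for  '
    'pid=1234 comm="guile" path="/gnu/store/xxxx-guile/bin/guile" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:guix_store_content_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    grouped = parse_denials(SAMPLE_AUDIT)
    for rule in to_cil(grouped):
        print(rule)
    for src, tgt, cls, perm, why in risky_rules(grouped):
        print(f";; review: {src} -> {tgt} {cls}:{perm}: {why}")
```

Run against a real system with `ausearch -m AVC -ts recent | python3 this_script.py` after swapping `SAMPLE_AUDIT` for `sys.stdin`; the point of the review list is that `map` and `read` are ordinary, whereas `execmem` and `execute_no_trans` change what a domain can run, and the patch under discussion adds exactly those two to init_t.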
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in index 47fd12a214..3e254a2187 100644 --- a/etc/guix-daemon.cil.in +++ b/etc/guix-daemon.cil.in @@ -86,12 +86,15 @@ (allow init_t guix_daemon_t (process (transition))) + (allow init_t + self + (process (execmem))) (allow init_t guix_store_content_t (lnk_file (read))) (allow init_t guix_store_content_t - (file (open read execute))) + (file (open read execute execute_no_trans map))) ;; guix-daemon needs to know the names of users (allow guix_daemon_t
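Review bot: `+ (file (open read execute execute_no_trans map)))` widens the existing `(allow init_t guix_store_content_t ...)` rule so that init_t may run every file labeled guix_store_content_t in its own domain, while the discussion says the only file that needed it was `guile`; rather than `execute_no_trans` on the whole store label, give the binary init_t actually execs its own type and add a `typetransition` from init_t into guix_daemon_t (with `entrypoint` on that type), after which this rule can stay at `(open read execute map)`. The same scoping applies to `+ (allow init_t self (process (execmem)))`: it relaxes W^X for everything that runs as init_t, when the run-time code generation in Guile only needs it in the daemon's domain, so it belongs on guix_daemon_t once the transition is in place. If both rules are kept as a stopgap, the hunk should at least carry a comment saying why they are there (the daemon is started through guile, which generates code at run time), since nothing in the diff explains it.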