[bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy

[Marius Bakke]

Hello Daniel,

Thanks a lot for this.

Daniel Brooks <db48x@db48x.net> writes:

>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.

This commit message is somewhat unorthodox.  :-)

Perhaps it can be shortened to:

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

[...]

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@
>  ;; Intermediate Language (CIL).  It refers to types that must be defined in
>  ;; the system's base policy.
>  
> +;; If you, like me, need advice about fixing an SELinux policy, I recommend
> +;; reading https://danwalsh.livejournal.com/55324.html
> +
> +;; In particular, you can run semanage permissive -a 
> guix_daemon.guix_daemon_t
> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
> +;; permissions, and when it doesn't have permission it will still send an
> +;; audit message to your system logs. This lets you know what permissions it
> +;; ought to have. Use ausearch --raw to find the permissions violations, then
> +;; pipe that to audit2allow to generate an updated policy. You'll still need
> +;; to translate that policy into CIL in order to update this file, but that's
> +;; fairly straight-forward. Annoying, but easy.

I'm not sure about the second paragraph.  It's mainly a rehash of the
blog post, no?  And there are many other ways to go about
troubleshooting SELinux (I did not use ausearch at all).

Anyway!  I tried it on RHEL8, and had to do a few more tweaks to get it
working:

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 666e5677a3..b5909f1b18 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -84,6 +84,9 @@
   (allow init_t
          guix_daemon_t
          (process (transition)))
+  (allow init_t
+         guix_store_content_t
+         (lnk_file (read)))
   (allow init_t
          guix_store_content_t
          (file (open read execute)))
@@ -166,6 +169,9 @@
   (allow guix_daemon_t
          root_t
          (dir (mounton)))
+  (allow guix_daemon_t
+         guix_daemon_socket_t
+         (sock_file (unlink)))
   (allow guix_daemon_t
          fs_t
          (filesystem (getattr)))
@@ -348,7 +354,12 @@
                               getopt setopt)))
   (allow guix_daemon_t
          self
-         (tcp_socket (accept listen bind connect create setopt getopt getattr 
ioctl)))
+         (netlink_route_socket (read write)))
+  (allow guix_daemon_t
+         self
+         (tcp_socket (accept
+                      listen bind connect create read write
+                      setopt getopt getattr ioctl)))
   (allow guix_daemon_t
          unreserved_port_t
          (tcp_socket (name_bind name_connect accept listen)))

Can you test these additional changes on Fedora?

With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation!  :-)

Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?

Thanks!  It's really great to get this in before 1.2.0.

signature.asc
Description: PGP signature