guix-devel

Guix SELinux issues


From: Gerry Agbobada
Subject: Guix SELinux issues
Date: Sun, 5 May 2019 23:07:06 +0200

Hello everyone,

I tried today to install Guix on my Fedora 30 machine with the binary
sh script installer.

The policy for guix-daemon wasn't installed by default with this
script (as far as I understand), so rekado on freenode told me about
the .cil file I could fill with the correct placeholder values.

Here is a short report of my adventures, I am not 100% sure it's going
to be reproducible, since I am not that good with SELinux in general.

It is a little lengthy because I tried to include relevant logs when I
could. Short version is: "SELinux is hard and has almost no support
channels. guix-daemon.cil apparently just needs lnk_file permissions
somewhere to be usable out of the box".

* Intro
Whenever I say "activate/deactivate" SELinux, I mean =# setenforce (1|0)=

* guix_store_content_t is not a file_type

** Issue
When I deactivate SELinux to start the daemon and later reactivate it,
the files can't be read by guix-daemon. I assumed (thanks to the
SELinux helper applet) that I needed to restorecon the whole store, but
when I tried I had errors because the types in the .cil policy are not
file_type attributes.

So the restorecon on /gnu/store is actually the first operation for
which I have some logs (I forgot to keep the logs when I just ran the
daemon with the .cil file).

** SEApplet summary of the issue

In French, but it basically states that
guix_daemon.guix_store_content_t is not a valid **file_type**:

#+BEGIN_SRC text
 SELinux interdit à restorecon d'utiliser l'accès relabelto sur le
fichier 1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1.

 *****  Le greffon associate (99.5 de confiance) suggère   ********************

 Si vous souhaitez modifier l'étiquette de
1hzipga4xhria8q0n75dlclv4bgjghb6npidcswkf71qp9w58vd1 en
guix_daemon.guix_store_content_t,  ce qui est interdit car pas un type
de fichier valide.
 Alors vous devez choisir une étiquette de fichier valide.
 Faire
 select a valid file type.  List valid file labels by executing:
 # seinfo -afile_type -x
#+END_SRC

** State of seinfo after running the initial semodule -i guix-daemon.cil

#+BEGIN_SRC text
# seinfo -t -x | grep guix
   type guix_daemon.guix_daemon_conf_t;
   type guix_daemon.guix_daemon_exec_t, domain, pcmcia_typeattr_1;
   type guix_daemon.guix_daemon_socket_t;
   type guix_daemon.guix_daemon_t, domain, pcmcia_typeattr_1;
   type guix_daemon.guix_profiles_t;
   type guix_daemon.guix_store_content_t;
# seinfo -afile_type -x | grep guix
   [No output]
#+END_SRC

** Added a few lines to cil policy file to be able to restorecon and relabel

The patch is at the end of the mail, look for ---

After this and =semodule -i=, I am able to restorecon on the files and
have a correct state there.

* Error on startup

** Issue
When SELinux is active, =systemctl start guix-daemon= fails because SELinux
forbids (x-daemon) to use read access on lnk_file.

I don't know what this 'x-daemon' stuff is; it is not in my path, and
there is no man page.

#+BEGIN_SRC text
SELinux interdit à (x-daemon) d'utiliser l'accès read sur le lnk_file
guix-daemon.

Greffon : catchall
 SELinux a refusé l'accès demandé par (x-daemon). Il n'est pas prévu que cet
 accès soit requis par (x-daemon) et cet accès peut signaler une tentative
 d'intrusion. Il est également possible que cette version ou cette configuration
 spécifique de l'application provoque cette demande d'accès supplémentaire.

Si vous pensez que (x-daemon) devrait être autorisé à accéder read sur
guix-daemon lnk_file par défaut.
Vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Autoriser cet accès pour le moment en exécutant :
# ausearch -c "(x-daemon)" --raw | audit2allow -M my-xdaemon
# semodule -X 300 -i my-xdaemon.pp
#+END_SRC

** Bug in the suggested solution

There is a compilation error when I try the suggested fix:
#+BEGIN_SRC text
> sudo ausearch -c "(x-daemon)" --raw | sudo audit2allow -M my-xdaemon
compilation failed:
libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
guix_daemon.guix_store_content_t is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
#+END_SRC

* Workarounds

The obvious one is killing SELinux. And since I'm doing this, I won't
be able to help much more on the subject.

Another one which seemed to work: since I saw the issue was apparently
because of symlinks (lnk_file), I tried to run the command in the
ExecStart of the service with sudo in a terminal:

#+BEGIN_SRC text
sudo /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild
#+END_SRC

and everything seemed to work (I could guix pull, guix install
glibc-locales, and I saw the connections being accepted in the daemon
terminal too).

* Patch

c0c82d8f was the commit I used from guix-daemon.cil.in
---
diff --git a/guix-daemon.cil.in b/guix-daemon.cil
index 7b882fe..7a7d374 100644
--- a/guix-daemon.cil.in
+++ b/guix-daemon.cil
@@ -34,14 +34,19 @@
   (roletype object_r guix_daemon_t)
   (type guix_daemon_conf_t)
   (roletype object_r guix_daemon_conf_t)
+  (typeattributeset file_type guix_daemon_conf_t)
   (type guix_daemon_exec_t)
   (roletype object_r guix_daemon_exec_t)
+  (typeattributeset file_type guix_daemon_exec_t)
   (type guix_daemon_socket_t)
   (roletype object_r guix_daemon_socket_t)
+  (typeattributeset file_type guix_daemon_socket_t)
   (type guix_store_content_t)
   (roletype object_r guix_store_content_t)
+  (typeattributeset file_type guix_store_content_t)
   (type guix_profiles_t)
   (roletype object_r guix_profiles_t)
+  (typeattributeset file_type guix_profiles_t)

   ;; These types are domains, thereby allowing process rules
   (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
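Review bot: the five new `(typeattributeset file_type ...)` lines in this hunk would be easier to keep in sync with the type list as a single set statement next to the existing `(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))`, e.g. `(typeattributeset file_type (guix_daemon_conf_t guix_daemon_exec_t guix_daemon_socket_t guix_store_content_t guix_profiles_t))`; note also that after this hunk guix_daemon_exec_t is a member of both file_type and domain, which deserves a comment saying whether that is intended, since the seinfo output earlier in the mail already lists it as a domain.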
@@ -261,25 +266,25 @@
          (udp_socket (ioctl create)))

   ;; Label file system
-  (filecon "@guix_sysconfdir@/guix(/.*)?"
+  (filecon "/etc/guix(/.*)?"
            any (system_u object_r guix_daemon_conf_t (low low)))
-  (filecon "@guix_localstatedir@/guix(/.*)?"
+  (filecon "/var/guix(/.*)?"
            any (system_u object_r guix_daemon_conf_t (low low)))
-  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
+  (filecon "/var/guix/profiles(/.*)?"
            any (system_u object_r guix_profiles_t (low low)))
   (filecon "/gnu"
            dir (unconfined_u object_r guix_store_content_t (low low)))
-  (filecon "@storedir@(/.+)?"
+  (filecon "/gnu/store(/.+)?"
            any (unconfined_u object_r guix_store_content_t (low low)))
-  (filecon "@storedir@/[^/]+/.+"
+  (filecon "/gnu/store/[^/]+/.+"
            any (unconfined_u object_r guix_store_content_t (low low)))
-  (filecon "@prefix@/bin/guix-daemon"
+  (filecon "/usr/bin/guix-daemon"
            file (system_u object_r guix_daemon_exec_t (low low)))
-  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
+  (filecon "/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon"
            file (system_u object_r guix_daemon_exec_t (low low)))
-  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
+  (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix-authenticate"
            file (system_u object_r guix_daemon_exec_t (low low)))
-  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
+  (filecon "/gnu/store/.+-(guix-.+|profile)/libexec/guix/(.*)?"
            any (system_u object_r guix_daemon_exec_t (low low)))
-  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
-           any (system_u object_r guix_daemon_socket_t (low low))))
\ No newline at end of file
+  (filecon "/var/guix/daemon-socket/socket"
+           any (system_u object_r guix_daemon_socket_t (low low))))
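Review bot: this hunk compares the template against a substituted copy (`a/guix-daemon.cil.in` vs `b/guix-daemon.cil`), so the `@guix_sysconfdir@`, `@guix_localstatedir@`, `@storedir@` and `@prefix@` placeholders should stay in the .in file and be filled at configure time rather than hard-coded as `/etc/guix`, `/var/guix`, `/gnu/store` and `/usr/bin/guix-daemon`; `/usr/bin/guix-daemon` only holds for a /usr prefix, and the ExecStart path quoted earlier, `/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon`, falls under the `/var/guix/profiles(/.*)?` rule (guix_profiles_t) and under none of the guix_daemon_exec_t rules, so the `read` on `lnk_file guix-daemon` denial from the startup section is not addressed by these filecon changes.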

Best regards,
Gerry (@gagbo)
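A small check in the spirit of the first issue above (a type used in a filecon rule must carry the file_type attribute, or restorecon refuses to relabel with it), as an added example in Python that is not code from the Guix project or from this mail. It parses a constructed CIL fragment modelled on the statements quoted in the patch and lists the filecon types that lack file_type or were never declared; the parser assumes typeattributeset operands are bare names or plain parenthesised lists, not (and ...)/(not ...) expressions.

```python
"""Lint a CIL policy module for types that appear in (filecon ...) contexts
without being members of the file_type attribute.  Added example, not code
from the Guix project."""
import re

# Constructed CIL fragment in the shape of the guix-daemon.cil discussed in
# the mail (assumption: the real file uses the same statement forms).
# guix_daemon_socket_t is deliberately used in a filecon without a (type ...)
# declaration, and only guix_daemon_conf_t is given file_type.
SAMPLE_CIL = """
(block guix_daemon
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (type guix_store_content_t)
  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
  (filecon "/etc/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "/gnu/store(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "/usr/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "/var/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))
"""

# The same fragment with the missing declaration and attribute memberships
# appended (constructed), to show the check coming back clean.
FIXED_CIL = SAMPLE_CIL + """
(type guix_daemon_socket_t)
(typeattributeset file_type
    (guix_daemon_exec_t guix_daemon_socket_t guix_store_content_t))
"""


def tokenize(text):
    """Split CIL into tokens: quoted strings, parentheses and bare atoms.
    ';' comments are stripped first (limitation: a ';' inside a quoted
    path would be stripped as well)."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\(|\)|[^\s()]+', text)


def parse(tokens):
    """Build nested Python lists from the token stream."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def walk(node):
    """Yield every list node in the tree, depth first."""
    if isinstance(node, list):
        yield node
        for child in node:
            yield from walk(child)


def names_in_set(expr):
    """Type names in a typeattributeset operand: a bare name or a plain
    (possibly nested) list.  Assumption: (and ...)/(not ...) set
    expressions are not used in the module being checked."""
    if isinstance(expr, str):
        return {expr}
    out = set()
    for item in expr:
        out |= names_in_set(item)
    return out


def check_filecon_types(cil_text):
    """Return the filecon types lacking file_type and those never declared."""
    tree = parse(tokenize(cil_text))
    declared, file_types, filecon_types = set(), set(), set()
    for node in walk(tree):
        if not node or not isinstance(node[0], str):
            continue
        head = node[0]
        if head == "type" and len(node) == 2:
            declared.add(node[1])
        elif head == "typeattributeset" and len(node) == 3 and node[1] == "file_type":
            file_types |= names_in_set(node[2])
        elif head == "filecon" and len(node) == 4 and isinstance(node[3], list):
            # context is (user role type range); the type is the third element
            filecon_types.add(node[3][2])
    return {
        "missing_file_type": sorted(filecon_types - file_types),
        "undeclared": sorted(filecon_types - declared),
    }


if __name__ == "__main__":
    for label, cil in (("sample", SAMPLE_CIL), ("fixed", FIXED_CIL)):
        for kind, types in check_filecon_types(cil).items():
            print(f"{label} {kind}: {', '.join(types) or 'none'}")
```

Running it on a real module means reading the file into `check_filecon_types`; the "undeclared" list corresponds to the orphan-type situation audit2allow complained about, while "missing_file_type" is the restorecon relabelto failure.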


