
Re: SELinux log


From: Ricardo Wurmus
Subject: Re: SELinux log
Date: Mon, 10 Jun 2019 10:12:35 +0200
User-agent: mu4e 1.2.0; emacs 26.2

Hi Laura,

> My audit log showed:
>
> type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for
>  pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0

This looks better.

This says that “guix” is not labeled correctly.  The message isn’t very
clear, but it looks like bash spawned “guix”, which has no particular
SELinux context (unconfined).  When it tries to access /var/guix (which
*does* have the correct label) it is denied access, because only the
guix-daemon type has been granted access to files of type
“guix_daemon_conf_t”.

So we need to figure out what file that “guix” command corresponds to,
so that we can add a rule to the policy to apply the correct label.

--
Ricardo
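As an added example, not part of the thread, here is a small Python parser for audit AVC records like the one quoted above, with Ricardo's diagnosis (unconfined source process, correctly labelled target) encoded as a triage heuristic. The sample line is the quoted record re-joined onto one line; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the AVC record quoted in the thread, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for '
    'pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir '
    'permissive=0'
)

# "avc: denied { perm ... } for key=value ...": one or more permissions in braces.
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; a value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

@dataclass
class AvcDenial:
    permissions: List[str]
    comm: str          # process that was denied (here: bash)
    name: str          # object it tried to reach (here: the "guix" directory entry)
    source_type: str   # type field of scontext
    target_type: str   # type field of tcontext
    tclass: str
    permissive: bool   # permissive=1: the access was logged but not blocked

def _type_of(context: str) -> str:
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(':')[2]

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit AVC record; return None for lines that are not denials."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group('rest')):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcDenial(permissions=m.group('perms').split(),
                     comm=fields.get('comm', ''), name=fields.get('name', ''),
                     source_type=_type_of(fields['scontext']),
                     target_type=_type_of(fields['tcontext']),
                     tclass=fields['tclass'], permissive=fields.get('permissive') == '1')

def unconfined_source_on_confined_target(d: AvcDenial) -> bool:
    """Heuristic from the thread: an unconfined process denied on a policy-labelled
    object points at the *program* missing its label, not at the object."""
    return d.source_type == 'unconfined_t' and d.target_type != 'unconfined_t'
```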