Hi Laura,
> My audit log showed:
>
> type=AVC msg=audit(1560131803.485:381): avc: denied { search } for
> pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0
This looks better.
This says that “guix” is not labeled correctly. The message isn’t very
clear, but it looks like bash spawned “guix”, which has no particular
SELinux context (unconfined). When it tries to access /var/guix (which
*does* have the correct label) it is denied access, because only the
guix-daemon type has been granted access to files of type
“guix_daemon_conf_t”.
So we need to figure out what file that “guix” command corresponds to,
so that we can add a rule to the policy to apply the correct label.
--
Ricardo
