Hi!
> * I’m repeating myself here: do *not* use enforcing mode. Do use
> permissive mode only.
>
Oh, sorry for this, it was the "easy" way of checking that it didn't work.
I have byobu running now with a tail -f of the audit log.
My question was more like "I am hardcoding the path to guix -at l
Hi Laura,
> I have even tried adding the full path but when I test it I still see that
> Guix is not found using enforcing mode.
> Any ideas?
Two things:
* when you edit the .cil.in file you need to run the configure script
again to generate an updated .cil file. You can’t load the changed
Hi!
I am somewhat stuck :/
I cannot figure out why this doesn't work.
I have even tried adding the full path but when I test it I still see that
Guix is not found using enforcing mode.
Any ideas?
Regards :)
Laura
@@ -1,4 +1,4 @@
-;; -*- lisp -*-
+; -*- lisp -*-
;;; GNU Guix --- Functional packa
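Review bot: only the comment marker on the mode line changes here (`;;` becomes `;`), which does not alter how that line is treated as a comment; the commit message should state the motivation for the cosmetic change so it is not mistaken for a fix.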
Hi!
Thanks for guiding me in solving this issue :)
I am editing the file to see if I can finish the task, will answer back
with my new results.
> Thanks! (Please use “diff -u” in the future; it’s clearer when you’re
> used to git diffs.)
>
Will take this into account!
What about what “guix pull”
Laura Lazzati writes:
>> What is the file name of “guix” when running in permissive mode? We
>> need to know this to adjust the policy.
>>
> After running `which guix` I get:
> /usr/local/bin/guix
> I tried to add another label for it but it didn't work. I was going to ask
> you for a good tut
> What is the file name of “guix” when running in permissive mode? We
> need to know this to adjust the policy.
>
After running `which guix` I get:
/usr/local/bin/guix
I tried to add another label for it but it didn't work. I was going to ask
you for a good tutorial for writing the policies but I
Laura Lazzati writes:
>> That’s confusing. Didn’t you say that you ran “guix search” before?
>
> I've figured out the reason. In both cases -when I create the .autorelabel
> file and reboot (so the permissive mode goes away, since I am changing it
> through the CLI) and when I don't but run `r
> That’s confusing. Didn’t you say that you ran “guix search” before?
I've figured out the reason. In both cases -when I create the .autorelabel
file and reboot (so the permissive mode goes away, since I am changing it
through the CLI) and when I don't but run `restorecon -r /` and set it to
enforc
Laura Lazzati writes:
>> When you run “which guix” what does it say? What does “readlink -f
>> $(which guix)” say?
>>
> I first get the result of evaluating `which guix` saying it is not found,
> and then that readlink has no operand, see:
>
> /usr/bin/which: no guix in
> (/home/laura/.local/b
> Yes, I know. The lines I proposed were untested, though, and some of
> them required adjustment, so I was curious to know what exact changes
> you performed locally and where.
After writing the previous email I have realized I could have done it in a
separate file, right? Like I said, I cloned th
Hi Laura,
>> Which lines? All of the changes I described were not necessarily ready
>> for inclusion. They were all untested.
>>
> No, I meant I did it locally on my computer. I didn't even touch the
> original file.
Yes, I know. The lines I proposed were untested, though, and some of
them
Hi!
> Which lines? All of the changes I described were not necessarily ready
> for inclusion. They were all untested.
>
No, I meant I did it locally on my computer. I didn't even touch the
original file. BTW, when they are finished how can I share that file
without pushing it?
> This probably j
Laura Lazzati writes:
> I added the lines to a copy of guix-daemon.cil which I got from cloning
> guix and placed it in root's home.
Which lines? All of the changes I described were not necessarily ready
for inclusion. They were all untested.
> Since everything was messy (/gnu had d???
Hi!
I added the lines to a copy of guix-daemon.cil which I got from cloning
guix and placed it in root's home.
Since everything was messy (/gnu had d?? as permissions as well as
all the fields listed with `ls -l`, and could not solve it, even trying to
delete it ), I restored my VM to the
Hi Laura,
>> So we need to figure out what file that “guix” command corresponds to,
>> so that we can add a rule to the policy to apply the correct label.
>>
> I see. But how can we do this?
We then need to think about the kinds of file operations that the “guix”
command should be permitted to p
Hi!
> So we need to figure out what file that “guix” command corresponds to,
> so that we can add a rule to the policy to apply the correct label.
>
I see. But how can we do this?
Regards :)
Laura
Hi Laura,
> My audit log showed:
>
> type=AVC msg=audit(1560131803.485:381): avc: denied { search } for
> pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
Hi!
More info after having my fresh install.
First, I ran semodule, and checked with -Z option my /gnu dir successfully.
After that, I created the file and rebooted. While rebooting this time I
got the message telling me that the system was being relabeled. Then, I ran
restorecon and set SELinux to
Hi!
>
> If this doesn’t work I don’t know how to proceed.
>
Me neither. I will delete my VM and have a fresh install, to see if I did
sth wrong in between, following the same steps. At least we know that in
Fedora/RHEL we deactivate SELinux and Guix works fine up to now :/
>
> Good luck! :)
>
Yes
Hey Laura,
> I ran `semodule -i etc/guix-daemon.cil`, then created the file, rebooted,
> and nothing happened.
Hmm, the order is fine. I don’t know what might be wrong.
> I am running again `restorecon -r /`.
This should also be fine, though “restorecon -r /gnu” would probably be
enough. Co
Hi!
> Reinstallation should not be necessary for this. It’s unlikely that
> SELinux is broken. Just make sure that everything is properly labeled.
> The reboot should take a pretty long time while every file on the disk
> is labeled.
>
Uhm, then I am doing sth wrong, or did not understand very we
Laura Lazzati writes:
>> Uhm, that’s weird, but you’re not in permissive mode, are you? What
>> does “getenforce” say?
>>
> I tried it in both modes and the same result in the log file.
Well, when in permissive mode it should probably say “permissive=1” in
the logs, but otherwise it should be
Hi!
> Uhm, that’s weird, but you’re not in permissive mode, are you? What
> does “getenforce” say?
>
I tried it in both modes and the same result in the log file.
>
> To relabel your whole file system according to installed policies run
> this:
>
> touch /.autorelabel
> reboot
>
I will see
Hi Laura,
> --8<---cut here---start->8---
> type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=mass relabel exe="/usr/sbin/setfiles"
> hostname=localhost.locald
--8<---cut here---start->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=p
Sorry, my mail client apparently hates me, it is somewhat formatting
my mails after sending them ¬¬
Hi!
> Thank you, the log is helpful (even though it looks like your mail
> client reformatted it, which makes it very hard to read).
Sorry for that :/
> Did you run “restorecon” on the store to recursively label all files?
I did, but I have just found that you are right, looking at the log
that i
Hi Laura,
> My log shows that
> SELinux would have prevented the daemon from running, like when I had
> it in enforcing mode:
Thank you, the log is helpful (even though it looks like your mail
client reformatted it, which makes it very hard to read).
Searching for “denied” we see the following
Hi!
Hope to shed some light.
I followed all the steps that I hadn't followed before in the
documentation manual about SELinux for guix daemon (ran semodule,
restorecon for all the filesystem and restarted the daemon).
I forgot to set SELinux in permissive mode, so I still got the issue
with the s
Hi Laura,
>> Thanks. Did you install the SELinux policy for the daemon that is
>> included in the source code repository? (It is not included in the
>> files that “guix pull” installs.)
> My bad, I haven't :/ Shall I put SELinux in enforcing mode and do so?
Permissive mode is better. It wil
Hi!
> Thanks. Did you install the SELinux policy for the daemon that is
> included in the source code repository? (It is not included in the
> files that “guix pull” installs.)
My bad, I haven't :/ Shall I put SELinux in enforcing mode and do so?
Regards :)
Laura
Hi Laura,
> Today I've been installing Guix on top of Fedora (release 30), and I
> faced issues with guix-daemon, getting it did not have permissions for
> running. It was a SELinux problem, since after disabling it and
> restarting the daemon I could use guix normally.
> Here is my audit.log file
Hi Guix!
Today I've been installing Guix on top of Fedora (release 30), and I
faced issues with guix-daemon, getting it did not have permissions for
running. It was a SELinux problem, since after disabling it and
restarting the daemon I could use guix normally.
Here is my audit.log file, in case som