Re: SELinux log

From: Ricardo Wurmus
Subject: Re: SELinux log
Date: Mon, 10 Jun 2019 10:12:35 +0200
User-agent: mu4e 1.2.0; emacs 26.2

Hi Laura,

> My audit log showed:
> type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for
>  pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
> permissive=0

This looks better.

This says that “guix” is not labeled correctly.  The message isn’t very
clear, but it looks like bash spawned “guix”, which has no particular
SELinux context (unconfined).  When it tries to access /var/guix (which
*does* have the correct label) it is denied access, because only the
guix-daemon type has been granted access to files of type

So we need to figure out what file that “guix” command corresponds to,
so that we can add a rule to the policy to apply the correct label.
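
Added example, not part of the original message: a small Python parser for the AVC record quoted above, which splits it into the decision, the permission, the source and target contexts and the object class, so the fields the reply refers to can be read off directly. The record is re-joined onto one line, and the function names are illustrative.

```python
import re
from typing import NamedTuple

# The record quoted in the message above, with the mail line-wrapping undone.
SAMPLE = (
    'type=AVC msg=audit(1560131803.485:381): avc:  denied  { search } for '
    'pid=8177 comm="bash" name="guix" dev="dm-0" ino=679365 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 '
    'tclass=dir permissive=0'
)

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(text):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    parts = text.split(":", 3)  # at most 3 splits keeps 's0-s0:c0.c1023' whole
    if len(parts) != 4:
        raise ValueError(f"not a full SELinux context: {text!r}")
    return Context(*parts)

def parse_avc(record):
    """Return decision, permissions, contexts and other fields of one AVC record."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC decision found in record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    missing = {"scontext", "tcontext", "tclass"} - fields.keys()
    if missing:
        raise ValueError(f"record lacks {sorted(missing)}")
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "source": parse_context(fields.pop("scontext")),
        "target": parse_context(fields.pop("tcontext")),
        "tclass": fields.pop("tclass"),
        "fields": fields,  # pid, comm, name, dev, ino, permissive, ...
    }

def summarize(avc):
    """One line: decision, source type, target type, class and permissions."""
    return (f'{avc["result"]}: {avc["source"].type} -> {avc["target"].type} '
            f'{avc["tclass"]} {{ {" ".join(avc["perms"])} }}')
```
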

