2 ;;; GNU Guix --- Functional package management for GNU
3 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
4 ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
5 ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
7 ;;; This file is part of GNU Guix.
9 ;;; GNU Guix is free software; you can redistribute it and/or modify it
10 ;;; under the terms of the GNU General Public License as published by
11 ;;; the Free Software Foundation; either version 3 of the License, or (at
12 ;;; your option) any later version.
14 ;;; GNU Guix is distributed in the hope that it will be useful, but
15 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;;; GNU General Public License for more details.
19 ;;; You should have received a copy of the GNU General Public License
20 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22 ;; This is a specification for SELinux 2.7 written in the SELinux Common
23 ;; Intermediate Language (CIL). It refers to types that must be defined in
24 ;; the system's base policy.
26 ;; If you, like me, need advice about fixing an SELinux policy, I recommend
27 ;; reading https://danwalsh.livejournal.com/55324.html
29 ;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
30 ;; to allow guix-daemon to do whatever it wants. SELinux will still check its
31 ;; permissions, and when it doesn't have permission it will still send an
32 ;; audit message to your system logs. This lets you know what permissions it
33 ;; ought to have. Use ausearch --raw to find the permissions violations, then
34 ;; pipe that to audit2allow to generate an updated policy. You'll still need
35 ;; to translate that policy into CIL in order to update this file, but that's
36 ;; fairly straight-forward. Annoying, but easy.
39 ;; Require existing types
40 (typeattributeset cil_gen_require init_t)
41 (typeattributeset cil_gen_require tmp_t)
42 (typeattributeset cil_gen_require nscd_var_run_t)
43 (typeattributeset cil_gen_require var_log_t)
44 (typeattributeset cil_gen_require domain)
48 (roletype object_r guix_daemon_t)
49 (type guix_daemon_conf_t)
50 (roletype object_r guix_daemon_conf_t)
51 (typeattributeset file_type guix_daemon_conf_t)
52 (type guix_daemon_exec_t)
53 (roletype object_r guix_daemon_exec_t)
54 (typeattributeset file_type guix_daemon_exec_t)
55 (type guix_daemon_socket_t)
56 (roletype object_r guix_daemon_socket_t)
57 (typeattributeset file_type guix_daemon_socket_t)
58 (type guix_store_content_t)
59 (roletype object_r guix_store_content_t)
60 (typeattributeset file_type guix_store_content_t)
61 (type guix_profiles_t)
62 (roletype object_r guix_profiles_t)
63 (typeattributeset file_type guix_profiles_t)
65 ;; These types are domains, thereby allowing process rules
66 (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
70 ;; When a process in init_t or guix_store_content_t spawns a
71 ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
72 (typetransition init_t guix_daemon_exec_t
73 process guix_daemon_t)
74 (typetransition guix_store_content_t guix_daemon_exec_t
75 process guix_daemon_t)
77 (roletype system_r guix_daemon_t)
79 ;; allow init_t to read and execute guix files
88 (process (transition)))
94 (file (open read execute)))
96 ;; guix-daemon needs to know the names of users
99 (file (getattr open read)))
101 ;; Permit communication with NSCD
116 (unix_stream_socket (connectto)))
117 (allow guix_daemon_t nscd_t
118 (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
120 ;; permit downloading packages via HTTP(s)
121 (allow guix_daemon_t http_port_t
122 (tcp_socket (name_connect)))
123 (allow guix_daemon_t ftp_port_t
124 (tcp_socket (name_connect)))
125 (allow guix_daemon_t ephemeral_port_t
126 (tcp_socket (name_connect)))
128 ;; Permit logging and temp file access
131 (lnk_file (create rename setattr unlink)))
135 rename create execute execute_no_trans write
136 unlink setattr map relabelto relabelfrom)))
139 (fifo_file (open read write create getattr ioctl setattr unlink)))
143 rmdir relabelto relabelfrom reparent
150 (sock_file (create getattr setattr unlink write)))
153 (file (create getattr open write)))
156 (dir (getattr create write add_name)))
164 ;; Spawning processes, execute helpers
167 (process (fork execmem setrlimit setpgid setsched)))
170 (file (execute execute_no_trans read open entrypoint map)))
178 (filesystem (getattr)))
179 (allow guix_daemon_conf_t
181 (filesystem (associate)))
186 (file (ioctl mounton)))
187 (allow guix_store_content_t
189 (filesystem (associate)))
192 (dir (read mounton)))
195 (capability (net_admin
198 dac_override dac_read_search
203 (filesystem (unmount)))
209 (filesystem (mount)))
212 (chr_file (ioctl open read write setattr getattr)))
215 (filesystem (getattr mount)))
218 (file (create open read unlink write)))
221 (dir (getattr add_name remove_name write)))
224 (file (getattr open read)))
230 (filesystem (associate mount)))
233 (chr_file (getattr open read write)))
236 (chr_file (getattr)))
239 (chr_file (getattr)))
242 (chr_file (getattr)))
245 (chr_file (getattr)))
248 (chr_file (getattr)))
250 ;; Access to store items
265 execute execute_no_trans
270 open read write relabelfrom)))
280 (fifo_file (create getattr open read unlink write)))
283 (sock_file (create getattr setattr unlink write)))
285 ;; Access to configuration files and directories
302 (lnk_file (create getattr rename unlink)))
303 (allow guix_daemon_t net_conf_t
304 (file (getattr open read)))
305 (allow guix_daemon_t net_conf_t
307 (allow guix_daemon_t NetworkManager_var_run_t
310 ;; Access to profiles
313 (dir (search getattr setattr read write open create add_name)))
316 (lnk_file (read getattr)))
318 ;; Access to profile links in the home directory
319 ;; TODO: allow access to profile links *anywhere* on the filesystem
322 (lnk_file (read getattr)))
333 (dir (add_name write)))
336 (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
341 (sock_file (unlink)))
347 (unix_stream_socket (write)))
350 (unix_stream_socket (listen)))
353 (sock_file (create unlink)))
356 (unix_stream_socket (create
362 (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
365 (tcp_socket (name_bind name_connect accept listen)))
368 (udp_socket (connect getattr bind getopt setopt read write)))
371 (fifo_file (write read)))
374 (udp_socket (ioctl create)))
377 (unix_stream_socket (connectto)))
380 (unix_dgram_socket (create bind connect sendto read write)))
382 ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
388 (tcp_socket (node_bind)))
391 (udp_socket (node_bind)))
394 (tcp_socket (name_connect)))
397 (file (map read write link getattr)))
403 (file (map read write)))
409 (tcp_socket (name_connect name_bind)))
412 (udp_socket (name_bind)))
415 (tcp_socket (name_bind)))
417 ;; I guess sometimes it needs random numbers
425 (chr_file (ioctl open read write)))
431 (filecon "@guix_sysconfdir@/guix(/.*)?"
432 any (system_u object_r guix_daemon_conf_t (low low)))
433 (filecon "@guix_localstatedir@/guix(/.*)?"
434 any (system_u object_r guix_daemon_conf_t (low low)))
435 (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
436 any (system_u object_r guix_profiles_t (low low)))
438 dir (unconfined_u object_r guix_store_content_t (low low)))
439 (filecon "@storedir@(/.+)?"
440 any (unconfined_u object_r guix_store_content_t (low low)))
441 (filecon "@storedir@/[^/]+/.+"
442 any (unconfined_u object_r guix_store_content_t (low low)))
443 (filecon "@prefix@/bin/guix-daemon"
444 file (system_u object_r guix_daemon_exec_t (low low)))
445 (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
446 file (system_u object_r guix_daemon_exec_t (low low)))
447 (filecon "@storedir@/[a-z0-9]+-guix-daemon"
448 file (system_u object_r guix_daemon_exec_t (low low)))
449 (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
450 any (system_u object_r guix_daemon_socket_t (low low))))