; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; This is a SELinux policy module for guix-daemon, written for SELinux 2.7
;; in the SELinux Common Intermediate Language (CIL).  It declares the
;; daemon's own types and refers to types that must already be defined in
;; the system's base policy; the @...@ placeholders are substituted at
;; configure time.

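(block guix_daemon
  ;; Require existing types.  Every type referenced below that is not
  ;; declared in this block must come from the system's base policy;
  ;; listing it here only documents that dependency, it does not create
  ;; the type.  (The original list omitted several types that the allow
  ;; rules below reference, e.g. nscd_t, var_run_t, fs_t, the device types
  ;; and user_home_t.)
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require nscd_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require var_run_t)
  (typeattributeset cil_gen_require root_t)
  (typeattributeset cil_gen_require fs_t)
  (typeattributeset cil_gen_require devpts_t)
  (typeattributeset cil_gen_require tmpfs_t)
  (typeattributeset cil_gen_require proc_t)
  (typeattributeset cil_gen_require null_device_t)
  (typeattributeset cil_gen_require kvm_device_t)
  (typeattributeset cil_gen_require zero_device_t)
  (typeattributeset cil_gen_require urandom_device_t)
  (typeattributeset cil_gen_require random_device_t)
  (typeattributeset cil_gen_require devtty_t)
  (typeattributeset cil_gen_require user_home_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types.  guix_daemon_t is the daemon's process domain;
  ;; the remaining types label files (see the filecon rules at the end):
  ;; configuration and state, the daemon executables and helpers, the
  ;; client socket, store items, and profile links.
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)

  ;; These types are domains, thereby allowing process rules.
  ;; NOTE(review): guix_daemon_exec_t only ever labels files in this
  ;; policy (no rule transitions a process into it), and membership in
  ;; `domain' also applies every base-policy rule written against that
  ;; attribute to it.  Confirm the base policy really needs it here.
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; Level used by the filecon rules below: sensitivity s0, no categories.
  (level low (s0))

  ;; When a process in init_t or guix_store_content_t executes a file
  ;; labelled guix_daemon_exec_t, run the new process in the
  ;; guix_daemon_t domain.
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Permit communication with NSCD: reach and write its socket file and
  ;; talk to the nscd_t process over a Unix stream socket.
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))

  ;; Permit logging and temp file access: temporary directories and
  ;; symlinks under tmp_t, append-style access to log files under
  ;; var_log_t, and symlink/directory lookups under var_run_t.
  (allow guix_daemon_t
         tmp_t
         (lnk_file (setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create
               rmdir
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers.  `execute_no_trans' means the
  ;; helpers under guix_daemon_exec_t run inside guix_daemon_t itself
  ;; rather than in a separate domain.
  (allow guix_daemon_t
         self
         (process (fork)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute execute_no_trans read open)))

  ;; TODO: unknown -- observed denials whose purpose has not been traced
  ;; back to a specific daemon operation.
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation: the daemon bind-mounts store items into the build
  ;; container, mounts devpts/tmpfs/proc inside it, and needs the listed
  ;; capabilities to set up the chroot and switch to the build user.
  ;; NOTE(review): mount(2)/umount(2) and unshare(CLONE_NEW*) are gated
  ;; by CAP_SYS_ADMIN, which SELinux checks as `capability sys_admin';
  ;; it is not in the capability set below although the mount/unmount
  ;; and `mounton' rules are.  Re-check in permissive mode before relying
  ;; on build isolation working with this policy enforced.
  (allow guix_daemon_t
         guix_store_content_t
         (file (mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (mounton)))
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (mount)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr)))
  (allow guix_daemon_t
         proc_t
         (filesystem (mount)))
  ;; Device nodes: only /dev/null is opened read/write; the others are
  ;; merely stat'ed (presumably when populating the container's /dev).
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items: full create/rename/delete rights on store
  ;; directories, files and symlinks, plus `execute execute_no_trans' so
  ;; the daemon can run store binaries (builders, hooks) in its own
  ;; domain.
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                open read write)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))

  ;; Access to configuration files and directories (state under
  ;; @guix_localstatedir@/guix and config under @guix_sysconfdir@/guix).
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))

  ;; Access to profiles: read-only traversal of the profile directory and
  ;; its symlinks (the daemon does not modify them).
  (allow guix_daemon_t
         guix_profiles_t
         (dir (getattr setattr read open)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory (search + readlink).
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))

  ;; Socket operations.  The daemon may use a socket handed over by init
  ;; (systemd socket activation) or create its own under
  ;; @guix_localstatedir@/guix/daemon-socket.
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  ;; The filecon rule at the end labels the socket file
  ;; guix_daemon_socket_t, but no rule above mentions that type: a socket
  ;; the daemon creates itself inherits the directory's type
  ;; (guix_daemon_conf_t) absent a transition, and once relabelled by
  ;; restorecon the daemon could neither recreate nor remove it.  Make
  ;; newly created sockets land in the intended type and grant the same
  ;; operations on it that are granted on guix_daemon_conf_t.
  (typetransition guix_daemon_t guix_daemon_conf_t
                  sock_file guix_daemon_socket_t)
  (allow guix_daemon_t
         guix_daemon_socket_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         guix_daemon_socket_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))

  ;; Label file system.
  ;; NOTE(review): the store entries use unconfined_u while every other
  ;; context uses system_u.  The SELinux user plays no part in the type
  ;; enforcement rules above, but constraints such as UBAC can see it, so
  ;; settling on one value would be cleaner.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; NOTE(review): everything matched by the next pattern is already
  ;; matched by the previous one with the same context; it appears
  ;; redundant.
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; The daemon binary and its helpers, whether installed under @prefix@
  ;; or living in a guix store item / profile.
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
           any (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))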