1; -*- lisp -*-
2;;; GNU Guix --- Functional package management for GNU
3;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
4;;;
5;;; This file is part of GNU Guix.
6;;;
7;;; GNU Guix is free software; you can redistribute it and/or modify it
8;;; under the terms of the GNU General Public License as published by
9;;; the Free Software Foundation; either version 3 of the License, or (at
10;;; your option) any later version.
11;;;
12;;; GNU Guix is distributed in the hope that it will be useful, but
13;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15;;; GNU General Public License for more details.
16;;;
17;;; You should have received a copy of the GNU General Public License
18;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
19
20;; This is a specification for SELinux 2.7 written in the SELinux Common
21;; Intermediate Language (CIL). It refers to types that must be defined in
22;; the system's base policy.
23
(block guix_daemon
  ;; Require existing types.  This mirrors a `require' statement in module
  ;; policy: the types below are declared by the base policy and are only
  ;; referenced here.
  ;; NOTE(review): several other base-policy types used further down
  ;; (nscd_t, var_run_t, root_t, fs_t, devpts_t, tmpfs_t, proc_t, the
  ;; *_device_t types, devtty_t, user_home_t, and the object_r/system_u/
  ;; unconfined_u identifiers) are not listed here -- confirm whether the
  ;; policy compiler needs them declared in the same way.
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types and attach each one to the object_r role.
  ;;   guix_daemon_t        - domain of the running daemon process
  ;;   guix_daemon_conf_t   - configuration and state under sysconfdir/guix
  ;;                          and localstatedir/guix (see filecon below)
  ;;   guix_daemon_exec_t   - the guix-daemon executable, the entry point
  ;;                          of the guix_daemon_t domain
  ;;   guix_daemon_socket_t - the daemon's listening socket file
  ;;   guix_store_content_t - /gnu and everything inside the store
  ;;   guix_profiles_t      - localstatedir/guix/profiles
  ;; NOTE(review): guix_daemon_socket_t is declared and used by the last
  ;; filecon entry, but no allow rule grants guix_daemon_t anything on it;
  ;; the socket rules below target guix_daemon_conf_t instead.  That works
  ;; as long as the socket carries its parent directory's label, but after
  ;; a relabel to guix_daemon_socket_t the daemon could no longer unlink or
  ;; recreate it -- confirm against a restorecon'd system.
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)

  ;; These types are domains, thereby allowing process rules.
  ;; NOTE(review): guix_daemon_exec_t is otherwise used only as a file
  ;; label (the executable); whether it needs the domain attribute is not
  ;; evident from this file.
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; MLS level used by the file contexts at the end of this block.
  (level low (s0))

  ;; When a process in init_t or guix_store_content_t spawns a
  ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context.
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Permit communication with NSCD: read and map its database files,
  ;; traverse its run directory, write to its socket file, use file
  ;; descriptors owned by nscd_t and connect to its stream socket.
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))

  ;; Permit logging and temp file access: manage directories and symlinks
  ;; under tmp_t, create and append to log files under var_log_t, and read
  ;; symlinks / traverse directories under var_run_t.
  (allow guix_daemon_t
         tmp_t
         (lnk_file (setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create
               rmdir
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers.  execute_no_trans lets the
  ;; daemon run its own executable without a domain transition.
  (allow guix_daemon_t
         self
         (process (fork)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute execute_no_trans read open)))

  ;; TODO: unknown.  These rules permit mounting on top of the root
  ;; directory, querying fs_t filesystem attributes, and letting
  ;; guix_daemon_conf_t objects live on fs_t filesystems; which daemon
  ;; operation needs each of them has not been recorded.
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation.  The daemon may mount on top of store files and
  ;; directories (presumably to expose store items inside the build
  ;; environment -- confirm), mount devpts, tmpfs and proc, unmount fs_t
  ;; filesystems, and use the capabilities listed below (chroot, changing
  ;; uids/gids and ownership, bypassing DAC checks, net_admin).
  ;; NOTE(review): net_admin, dac_override and dac_read_search are broad
  ;; capabilities; which build-isolation step relies on each is not
  ;; documented here.
  (allow guix_daemon_t
         guix_store_content_t
         (file (mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (mounton)))
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (mount)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr)))
  (allow guix_daemon_t
         proc_t
         (filesystem (mount)))
  ;; Device nodes: /dev/null is fully usable; the remaining device types
  ;; only get getattr (e.g. stat), not open/read/write.
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items: full management of directories, files and
  ;; symlinks, including executing and mapping store files.
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                open read write)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))

  ;; Access to configuration files and directories (guix_daemon_conf_t
  ;; covers both sysconfdir/guix and localstatedir/guix, so this includes
  ;; the daemon's own state such as the database, see filecon below).
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))

  ;; Access to profiles: read-only traversal of the profiles directory and
  ;; its symlinks (directory attributes may be changed).
  (allow guix_daemon_t
         guix_profiles_t
         (dir (getattr setattr read open)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory: read symlinks and
  ;; traverse directories labeled user_home_t, nothing more.
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))

  ;; Socket operations: use file descriptors and the stream socket handed
  ;; over by init_t (presumably socket activation -- confirm), listen on
  ;; and create/unlink the socket file inside the guix_daemon_conf_t
  ;; directory, and general stream, fifo and udp socket handling on self.
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))

  ;; Label file system.  The @...@ placeholders are substituted at build
  ;; time.  Note that the store entries use the unconfined_u SELinux user
  ;; whereas everything else uses system_u.  The two guix_daemon_exec_t
  ;; entries label both the installed binary and a guix-daemon inside a
  ;; store item or profile, so the process transitions above apply to
  ;; either.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))