1 | ; -*- lisp -*- |
2 | ;;; GNU Guix --- Functional package management for GNU | |
3 | ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> | |
4 | ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net> |
5 | ;;; Copyright © 2020 Marius Bakke <marius@gnu.org> | |
6 | ;;; |
7 | ;;; This file is part of GNU Guix. | |
8 | ;;; | |
9 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
10 | ;;; under the terms of the GNU General Public License as published by | |
11 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
12 | ;;; your option) any later version. | |
13 | ;;; | |
14 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
15 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | ;;; GNU General Public License for more details. | |
18 | ;;; | |
19 | ;;; You should have received a copy of the GNU General Public License | |
20 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
21 | ||
22 | ;; This is a specification for SELinux 2.7 written in the SELinux Common | |
23 | ;; Intermediate Language (CIL). It refers to types that must be defined in | |
24 | ;; the system's base policy. | |
25 | ||
26 | ;; If you, like me, need advice about fixing an SELinux policy, I recommend |
27 | ;; reading https://danwalsh.livejournal.com/55324.html | |
28 | ||
;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
;; to allow guix-daemon to do whatever it wants. SELinux will still check its
;; permissions, and when it doesn't have permission it will still send an
;; audit message to your system logs. This lets you know what permissions it
;; ought to have. Use ausearch --raw to find the permissions violations, then
;; pipe that to audit2allow to generate an updated policy. Review the
;; generated rules instead of adding them wholesale: audit2allow grants
;; exactly what was observed, including anything a misbehaving build did while
;; the domain was permissive. Remove the exemption again with
;; semanage permissive -d guix_daemon.guix_daemon_t once you are done. You'll
;; still need to translate that policy into CIL in order to update this file,
;; but that's fairly straightforward. Annoying, but easy.
37 | ||
(block guix_daemon
  ;; Everything declared in this block is namespaced by it, so from outside
  ;; (e.g. the semanage command in the comment above) the domain is
  ;; guix_daemon.guix_daemon_t.

  ;; Require existing types.  Only these five are declared as requirements;
  ;; the other base-policy types used below (nscd_t, passwd_file_t,
  ;; http_port_t, devpts_t, user_home_t, ...) are referenced directly and
  ;; must likewise exist in the base policy.
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types.  Each file type is also added to the file_type
  ;; attribute so that generic base-policy rules on file_type apply to it.
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (typeattributeset file_type guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (typeattributeset file_type guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (typeattributeset file_type guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)
  (typeattributeset file_type guix_profiles_t)

  ;; These types are domains, thereby allowing process rules.
  ;; NOTE(review): no rule in this block uses guix_daemon_exec_t as a process
  ;; subject (it only appears as the label of the daemon's executable), so
  ;; its membership in domain may be unnecessary -- confirm before removing.
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; Single MLS level; every filecon at the bottom uses (low low).
  (level low (s0))

  ;; When a process in init_t or guix_store_content_t spawns a
  ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context.
  ;; For the init_t transition to succeed, init_t also needs execute on
  ;; guix_daemon_exec_t and transition to guix_daemon_t (granted below), and
  ;; guix_daemon_t needs entrypoint on guix_daemon_exec_t (granted under
  ;; "Spawning processes").
  ;; NOTE(review): guix_store_content_t is declared as a file_type above and
  ;; is not in the domain attribute set, so the second transition only has an
  ;; effect if some process actually runs with that label -- confirm it is
  ;; still needed.
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Allow guix_daemon_t to be used with the system_r role.
  (roletype system_r guix_daemon_t)

  ;; Allow init_t to read and execute guix files: follow profile and store
  ;; symlinks, execute the daemon binary and transition into its domain.
  (allow init_t
         guix_profiles_t
         (lnk_file (read)))
  (allow init_t
         guix_daemon_exec_t
         (file (execute)))
  (allow init_t
         guix_daemon_t
         (process (transition)))
  (allow init_t
         guix_store_content_t
         (lnk_file (read)))
  (allow init_t
         guix_store_content_t
         (file (open read execute)))

  ;; guix-daemon needs to know the names of users (read-only access to the
  ;; password file).
  (allow guix_daemon_t
         passwd_file_t
         (file (getattr open read)))

  ;; Permit communication with NSCD: the socket under nscd_var_run_t, the
  ;; mapped shared-memory cache, and the nscd lookup/shmem permissions.
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t nscd_t
         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))

  ;; Permit downloading packages via HTTP(S).
  ;; NOTE(review): combined with the name_connect grants on unreserved_port_t,
  ;; port_t and ephemeral_port_t further down, the daemon may connect to any
  ;; TCP port that carries no more specific label, so these port types do not
  ;; by themselves restrict outbound traffic.
  (allow guix_daemon_t http_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ftp_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ephemeral_port_t
         (tcp_socket (name_connect)))

  ;; Permit logging and temp file access.
  ;; NOTE(review): execute and execute_no_trans on tmp_t files let the daemon
  ;; domain run files it has written under tmp_t without any domain
  ;; transition, and relabelto/relabelfrom let it change their labels.  This
  ;; is a broad grant for a /tmp-like location; presumably required by the
  ;; build machinery -- confirm.
  (allow guix_daemon_t
         tmp_t
         (lnk_file (create rename setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (file (link
                rename create execute execute_no_trans write
                unlink setattr map relabelto relabelfrom)))
  (allow guix_daemon_t
         tmp_t
         (fifo_file (open read write create getattr ioctl setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create rename
               rmdir relabelto relabelfrom reparent
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         tmp_t
         (sock_file (create getattr setattr unlink write)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr create write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers.
  ;; execmem allows writable+executable anonymous memory (a W^X exception);
  ;; why the daemon needs it is not recorded here.
  (allow guix_daemon_t
         self
         (process (fork execmem setrlimit setpgid setsched)))
  ;; entrypoint makes guix_daemon_exec_t a valid entry point for this domain.
  ;; NOTE(review): write, link and unlink on the daemon's own executable type
  ;; exist for the "self upgrades" case below; a compromised daemon could use
  ;; the same rights to modify the binary it is restarted from, so keep this
  ;; grant no wider than the upgrade path needs.
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute
                execute_no_trans read write open entrypoint map
                getattr link unlink)))

  ;; TODO: unknown -- the reason for these three rules was not recorded.
  ;; mounton on root_t and the fs_t rules are presumably part of setting up
  ;; the build chroot (see sys_chroot/sys_admin below) -- confirm.
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation: mount store items (presumably into the build
  ;; environment) and mount the pseudo file systems a build needs.
  (allow guix_daemon_t
         guix_store_content_t
         (file (ioctl mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (read mounton)))
  ;; NOTE(review): dac_override, dac_read_search, chown, fowner/fsetid,
  ;; setuid/setgid, sys_chroot and sys_admin together bypass or manage most
  ;; discretionary (DAC) controls, so what actually confines guix_daemon_t is
  ;; the type-enforcement rules in this file.  net_admin is also granted; its
  ;; purpose is not recorded here.  (Written as guix_daemon_t guix_daemon_t
  ;; rather than self; the two forms are equivalent.)
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot
                      sys_admin)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (dir (search)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (ioctl open read write setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (getattr mount)))
  (allow guix_daemon_t
         tmpfs_t
         (file (create open read unlink write)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr add_name remove_name write)))
  (allow guix_daemon_t
         proc_t
         (file (getattr open read)))
  (allow guix_daemon_t
         proc_t
         (dir (read)))
  (allow guix_daemon_t
         proc_t
         (filesystem (associate mount)))
  ;; Device nodes: /dev/null read/write; the others are only stat'ed here
  ;; (kvm and random get further access in the sections below).
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items: full create/modify/delete rights on store
  ;; directories, files, symlinks, fifos and sockets, plus execute and
  ;; execute_no_trans (store files are run from this domain without a
  ;; transition) and relabelfrom.
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                append
                open read write relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))
  (allow guix_daemon_t
         guix_store_content_t
         (fifo_file (create getattr open read unlink write)))
  (allow guix_daemon_t
         guix_store_content_t
         (sock_file (create getattr setattr unlink write)))

  ;; Access to configuration files and directories.  guix_daemon_conf_t
  ;; covers both @guix_sysconfdir@/guix and @guix_localstatedir@/guix (see
  ;; the filecon rules below), so this also covers the daemon's state under
  ;; localstatedir.
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search create
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create rename
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))
  ;; Network configuration, read-only; the NetworkManager runtime directory
  ;; is presumably traversed because a net_conf_t file links into it.
  (allow guix_daemon_t net_conf_t
         (file (getattr open read)))
  (allow guix_daemon_t net_conf_t
         (lnk_file (read)))
  (allow guix_daemon_t NetworkManager_var_run_t
         (dir (search)))

  ;; Access to profiles: the daemon may create and modify profile
  ;; directories but only read the profile symlinks themselves.
  (allow guix_daemon_t
         guix_profiles_t
         (dir (search getattr setattr read write open create add_name)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory (read-only: follow the
  ;; link and traverse the directories leading to it).
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))
  (allow guix_daemon_t
         cache_home_t
         (dir (search)))

  ;; self upgrades
  (allow guix_daemon_t
         self
         (dir (add_name write)))
  ;; NOTE(review): the netlink route socket looks more like a resolver /
  ;; interface-enumeration need than an upgrade need -- confirm.  Only
  ;; nlmsg_read is granted (no nlmsg_write), so routes cannot be changed.
  (allow guix_daemon_t
         self
         (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))

  ;; Socket operations.
  ;; NOTE(review): the only permission granted on guix_daemon_socket_t is
  ;; unlink, and there is no file typetransition for it: sock_file create is
  ;; granted on guix_daemon_conf_t (the label of the enclosing daemon-socket
  ;; directory), so a freshly created socket presumably carries
  ;; guix_daemon_conf_t until it is relabelled -- confirm this is intended.
  (allow guix_daemon_t
         guix_daemon_socket_t
         (sock_file (unlink)))
  ;; Descriptors inherited from init (presumably the daemon's stdio/log
  ;; socket).
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
  ;; NOTE(review): name_bind + listen on unreserved_port_t lets the daemon
  ;; accept TCP connections on any unreserved port, presumably for a TCP
  ;; listening mode -- confirm this is wanted on hosts where the daemon is
  ;; not meant to be reachable over the network.
  (allow guix_daemon_t
         unreserved_port_t
         (tcp_socket (name_bind name_connect accept listen)))
  (allow guix_daemon_t
         self
         (udp_socket (connect getattr bind getopt setopt read write)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t
         self
         (unix_dgram_socket (create bind connect sendto read write)))

  ;; For some esoteric build jobs (e.g. running PostgreSQL, etc).
  ;; NOTE(review): each of these widens the daemon's own domain (signalling
  ;; other processes, binding local ports, hugetlbfs, usermodehelper) for the
  ;; sake of build-time needs; worth re-checking periodically whether they
  ;; are still required.
  (allow guix_daemon_t
         self
         (capability (kill)))
  (allow guix_daemon_t
         node_t
         (tcp_socket (node_bind)))
  (allow guix_daemon_t
         node_t
         (udp_socket (node_bind)))
  (allow guix_daemon_t
         port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t
         tmpfs_t
         (file (map read write link getattr)))
  (allow guix_daemon_t
         usermodehelper_t
         (file (read)))
  (allow guix_daemon_t
         hugetlbfs_t
         (file (map read write)))
  (allow guix_daemon_t
         proc_net_t
         (file (read)))
  (allow guix_daemon_t
         postgresql_port_t
         (tcp_socket (name_connect name_bind)))
  (allow guix_daemon_t
         rtp_media_port_t
         (udp_socket (name_bind)))
  (allow guix_daemon_t
         vnc_port_t
         (tcp_socket (name_bind)))

  ;; Reading from /dev/random (getattr on it was already granted above).
  (allow guix_daemon_t
         random_device_t
         (chr_file (read)))

  ;; guix system vm: direct use of /dev/kvm and SysV IPC information.
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (ioctl open read write)))
  (allow guix_daemon_t
         kernel_t
         (system (ipc_info)))

  ;; Label file system.  The @name@ tokens are presumably substituted at
  ;; build/configure time.
  ;; NOTE(review): /gnu and the store are labelled with the unconfined_u
  ;; SELinux user whereas everything else uses system_u -- confirm that the
  ;; difference is intended.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  ;; More specific than the localstatedir rule above: profiles get their
  ;; own type.
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; NOTE(review): every path matched by this pattern is already matched by
  ;; the preceding one, so it appears redundant.
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; The daemon binary, wherever it is installed: under prefix, inside a
  ;; guix-* or profile store item, or as a bare *-guix-daemon store item.
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/[a-z0-9]+-guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))