1 | ; -*- lisp -*- |
2 | ;;; GNU Guix --- Functional package management for GNU | |
3 | ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> | |
4 | ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net> |
5 | ;;; Copyright © 2020 Marius Bakke <marius@gnu.org> | |
6 | ;;; |
7 | ;;; This file is part of GNU Guix. | |
8 | ;;; | |
9 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
10 | ;;; under the terms of the GNU General Public License as published by | |
11 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
12 | ;;; your option) any later version. | |
13 | ;;; | |
14 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
15 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | ;;; GNU General Public License for more details. | |
18 | ;;; | |
19 | ;;; You should have received a copy of the GNU General Public License | |
20 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
21 | ||
22 | ;; This is a specification for SELinux 2.7 written in the SELinux Common | |
23 | ;; Intermediate Language (CIL). It refers to types that must be defined in | |
24 | ;; the system's base policy. | |
25 | ||
26 | ;; If you, like me, need advice about fixing an SELinux policy, I recommend |
27 | ;; reading https://danwalsh.livejournal.com/55324.html | |
28 | ||
;; In particular, you can run `semanage permissive -a guix_daemon.guix_daemon_t`
;; to make the daemon's domain permissive: SELinux still checks every access
;; and logs each denial as an AVC audit message, but no longer blocks it.
;; Note that this switches off enforcement for everything running as
;; guix_daemon_t -- including the build processes the daemon spawns, since
;; this file defines no separate build domain -- so do it on a test machine
;; rather than in production, and revert it afterwards with
;; `semanage permissive -d guix_daemon.guix_daemon_t`.  Use `ausearch --raw`
;; to collect the denials and pipe them to audit2allow to generate candidate
;; rules.  Review that output before adopting it: audit2allow grants exactly
;; what was observed, which is often broader than the daemon needs (e.g. a
;; generic port or filesystem type), and then translate the rules you keep
;; into CIL to update this file.  Annoying, but easy.
37 | ||
(block guix_daemon
  ;; Everything below lives in the guix_daemon namespace, so the daemon's
  ;; process domain is guix_daemon.guix_daemon_t from outside this block.
  ;; guix_daemon_t is the only process domain actually exercised here:
  ;; there is no type transition into a separate build domain, so processes
  ;; the daemon forks or execs (including builds, which execute store files
  ;; with execute_no_trans below) keep every permission and capability
  ;; granted to guix_daemon_t unless some other policy module transitions
  ;; them.

  ;; Types from the base policy that this module depends on.  CIL has no
  ;; "require" statement and resolves global names directly; these lines
  ;; mirror the way audit2allow records requirements and only document the
  ;; dependency.  The list is not exhaustive: passwd_file_t, nscd_t, the
  ;; port, filesystem and device types used in the allow rules below are
  ;; referenced without an entry here.
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Types owned by this module.  Each is usable with the object_r role;
  ;; the file types additionally carry the base policy's file_type
  ;; attribute so that rules written against file_type apply to them.
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (typeattributeset file_type guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (typeattributeset file_type guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (typeattributeset file_type guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)
  (typeattributeset file_type guix_profiles_t)

  ;; Mark these types as domains so that process-class rules can be
  ;; written for them.
  ;; NOTE(review): guix_daemon_exec_t only ever appears below as an object
  ;; (the daemon binary: execute, entrypoint, map, filecon), never as a
  ;; subject, so giving it the domain attribute on top of file_type looks
  ;; unnecessary -- confirm before removing.
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; The MLS/MCS level used by the filecon entries at the end (s0 only).
  (level low (s0))

  ;; When a process in init_t or guix_store_content_t executes a
  ;; guix_daemon_exec_t file, run the new process in guix_daemon_t.
  ;; NOTE(review): guix_store_content_t is declared above as a file type,
  ;; not a domain, so the second transition presumably never fires; the
  ;; init_t one is the path used when the daemon is started by init.
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Let guix_daemon_t run under system_r, presumably so the transition
  ;; from init keeps the role it was started with.
  (roletype system_r guix_daemon_t)

  ;; Allow init_t to follow the profile/store symlinks that lead to the
  ;; daemon binary, execute it, and transition into guix_daemon_t.
  (allow init_t
         guix_profiles_t
         (lnk_file (read)))
  (allow init_t
         guix_daemon_exec_t
         (file (execute)))
  (allow init_t
         guix_daemon_t
         (process (transition)))
  (allow init_t
         guix_store_content_t
         (lnk_file (read)))
  (allow init_t
         guix_store_content_t
         (file (open read execute)))

  ;; guix-daemon needs to resolve user names (read-only access to
  ;; /etc/passwd-style files), e.g. for the build users -- presumably.
  (allow guix_daemon_t
         passwd_file_t
         (file (getattr open read)))

  ;; Permit communication with NSCD: its socket under its run directory,
  ;; the shared-memory lookup cache, and the nscd lookup requests.
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t nscd_t
         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))

  ;; Permit downloading packages via HTTP(S) and FTP.
  ;; NOTE(review): ephemeral_port_t covers every port in the ephemeral
  ;; range, so this is wider than HTTP(S)/FTP -- presumably for
  ;; substitute servers or mirrors on non-standard ports; the port_t rule
  ;; further down widens it again.
  (allow guix_daemon_t http_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ftp_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ephemeral_port_t
         (tcp_socket (name_connect)))

  ;; Permit logging and temp file access.
  ;; NOTE(review): the tmp_t file rule grants write *and* execute
  ;; (execute_no_trans, map) on the same type, i.e. the daemon may run code
  ;; it just wrote under a tmp_t directory without a domain change --
  ;; presumably needed for build trees created in the temporary directory;
  ;; relabelto lets it re-label such files.
  (allow guix_daemon_t
         tmp_t
         (lnk_file (create rename setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
  (allow guix_daemon_t
         tmp_t
         (fifo_file (open read write create getattr ioctl setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create rename
               rmdir relabelto
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         tmp_t
         (sock_file (create getattr setattr unlink write)))
  ;; Log files: create/append only, no read.
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr create write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes and re-executing the daemon binary itself.
  ;; execmem allows anonymous writable+executable memory mappings
  ;; (JIT-style), which is a notable relaxation; what in the daemon needs
  ;; it is not recorded here.
  (allow guix_daemon_t
         self
         (process (fork execmem setrlimit setpgid setsched)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute execute_no_trans read open entrypoint map)))

  ;; TODO: unknown -- these were observed in audit logs but the exact
  ;; operation has not been identified.  Mounting on root_t directories is
  ;; presumably part of setting up the build chroot; fs_t getattr is a
  ;; statfs-style query; the associate rule lets guix_daemon_conf_t files
  ;; live on fs_t filesystems.
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation: bind-mounting store items into the build
  ;; environment, and mounting/unmounting the pseudo-filesystems it
  ;; contains.
  (allow guix_daemon_t
         guix_store_content_t
         (file (ioctl mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (read mounton)))
  ;; Capabilities.  sys_admin (mounts, namespaces), sys_chroot,
  ;; dac_override/dac_read_search and setuid/setgid together are close to
  ;; unrestricted root within the confines of this policy; they are
  ;; inherited by everything that stays in guix_daemon_t (see the note at
  ;; the top of the block), so keep this list as short as the daemon
  ;; allows.
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot
                      sys_admin)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (dir (search)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (ioctl open read write setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (getattr mount)))
  (allow guix_daemon_t
         tmpfs_t
         (file (create open read unlink write)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr add_name remove_name write)))
  (allow guix_daemon_t
         proc_t
         (file (getattr open read)))
  (allow guix_daemon_t
         proc_t
         (dir (read)))
  (allow guix_daemon_t
         proc_t
         (filesystem (associate mount)))
  ;; Device nodes exposed to builds: only /dev/null is opened here; the
  ;; others are merely stat()ed (kvm and random get wider access further
  ;; down).
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items: full create/modify/delete plus execute
  ;; (execute_no_trans: store binaries run in guix_daemon_t, not a new
  ;; domain).  relabelfrom permits moving items away from this type;
  ;; no relabelto on the store type is granted here.
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                open read write relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))
  (allow guix_daemon_t
         guix_store_content_t
         (fifo_file (create getattr open read unlink write)))
  (allow guix_daemon_t
         guix_store_content_t
         (sock_file (create getattr unlink write)))

  ;; Access to configuration and state files (sysconfdir and
  ;; localstatedir, see the filecon entries), including the store
  ;; database (lock, map).  Network configuration is read-only.
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search create
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create rename
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))
  (allow guix_daemon_t net_conf_t
         (file (getattr open read)))
  (allow guix_daemon_t net_conf_t
         (lnk_file (read)))
  (allow guix_daemon_t NetworkManager_var_run_t
         (dir (search)))

  ;; Access to profiles: directory entries may be created but the
  ;; generation symlinks themselves are only read here.
  (allow guix_daemon_t
         guix_profiles_t
         (dir (search getattr setattr read write open create add_name)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory (read-only traversal).
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))
  (allow guix_daemon_t
         cache_home_t
         (dir (search)))

  ;; Self upgrades.
  ;; NOTE(review): a "dir" object labelled with the process's own type is
  ;; normally one of its /proc/<pid> entries; what needs add_name/write on
  ;; such a directory is not evident from this file -- confirm it is not an
  ;; audit2allow artifact.  The netlink route socket is typically used to
  ;; enumerate interfaces/routes (getifaddrs-style).
  (allow guix_daemon_t
         self
         (dir (add_name write)))
  (allow guix_daemon_t
         self
         (netlink_route_socket (bind create getattr nlmsg_read read write)))

  ;; Socket operations.
  ;; NOTE(review): the daemon socket path is labelled guix_daemon_socket_t
  ;; by the filecon entry at the end, but no type transition from
  ;; guix_daemon_conf_t to guix_daemon_socket_t is declared for sock_file,
  ;; so a freshly created socket presumably inherits guix_daemon_conf_t
  ;; (hence the conf_t sock_file/listen rules) until it is relabelled;
  ;; after that the only permission on guix_daemon_socket_t is unlink.
  ;; Confirm this matches how the daemon (re)creates its socket.
  (allow guix_daemon_t
         guix_daemon_socket_t
         (sock_file (unlink)))
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  ;; TCP: the daemon may act as a server as well as a client.
  ;; NOTE(review): unreserved_port_t with name_bind/listen lets it listen
  ;; on any unreserved TCP port, not just connect out -- presumably for
  ;; the daemon's TCP listening mode; port_t below permits connecting to
  ;; any port that has no more specific label.
  (allow guix_daemon_t
         self
         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
  (allow guix_daemon_t
         unreserved_port_t
         (tcp_socket (name_bind name_connect accept listen)))
  (allow guix_daemon_t
         self
         (udp_socket (connect getattr bind getopt setopt)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t
         self
         (unix_dgram_socket (create bind connect sendto read write)))

  (allow guix_daemon_t
         node_t
         (tcp_socket (node_bind)))
  (allow guix_daemon_t
         node_t
         (udp_socket (node_bind)))
  (allow guix_daemon_t
         port_t
         (tcp_socket (name_connect)))
  ;; NOTE(review): binding RTP (UDP) and VNC (TCP) ports is oddly specific
  ;; for a build daemon; presumably observed while running VMs from a
  ;; build -- confirm they are still needed.
  (allow guix_daemon_t
         rtp_media_port_t
         (udp_socket (name_bind)))
  (allow guix_daemon_t
         vnc_port_t
         (tcp_socket (name_bind)))

  ;; Random numbers: read access to /dev/random (getattr was granted
  ;; above).
  (allow guix_daemon_t
         random_device_t
         (chr_file (read)))

  ;; `guix system vm`: full access to /dev/kvm for builds that run a VM,
  ;; plus SysV IPC status queries.
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (ioctl open read write)))
  (allow guix_daemon_t
         kernel_t
         (system (ipc_info)))

  ;; File contexts.  The @...@ placeholders are substituted at build time.
  ;; NOTE(review): /gnu and the store are labelled with the unconfined_u
  ;; SELinux user while everything else uses system_u; the reason is not
  ;; recorded here -- confirm it is intentional.  The guix-daemon binary
  ;; patterns are more specific than the store-wide pattern and are
  ;; presumably the ones that win for the daemon executable.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/[a-z0-9]+-guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))