etc: Add more SELinux permissions for the daemon.
[jackhill/guix/guix.git] / etc / guix-daemon.cil.in
1; -*- lisp -*-
2;;; GNU Guix --- Functional package management for GNU
3;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
4;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
5;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
6;;;
7;;; This file is part of GNU Guix.
8;;;
9;;; GNU Guix is free software; you can redistribute it and/or modify it
10;;; under the terms of the GNU General Public License as published by
11;;; the Free Software Foundation; either version 3 of the License, or (at
12;;; your option) any later version.
13;;;
14;;; GNU Guix is distributed in the hope that it will be useful, but
15;;; WITHOUT ANY WARRANTY; without even the implied warranty of
16;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17;;; GNU General Public License for more details.
18;;;
19;;; You should have received a copy of the GNU General Public License
20;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21
22;; This is a specification for SELinux 2.7 written in the SELinux Common
23;; Intermediate Language (CIL). It refers to types that must be defined in
24;; the system's base policy.
25
26;; If you, like me, need advice about fixing an SELinux policy, I recommend
27;; reading https://danwalsh.livejournal.com/55324.html
28
29;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
30;; to allow guix-daemon to do whatever it wants. SELinux will still check its
31;; permissions, and when it doesn't have permission it will still send an
32;; audit message to your system logs. This lets you know what permissions it
33;; ought to have. Use ausearch --raw to find the permission violations, then
34;; pipe that to audit2allow to generate an updated policy. You'll still need
35;; to translate that policy into CIL in order to update this file, but that's
36;; fairly straightforward. Annoying, but easy. Once the policy is updated, remove the permissive marking again with semanage permissive -d guix_daemon.guix_daemon_t.
37
(block guix_daemon
  ;; Require existing types
  ;; These types are not declared here; they must already exist in the
  ;; system's base policy, and this block only references them.
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types
  ;; guix_daemon_t is the daemon's process domain.  The remaining types
  ;; label files: its configuration, its executable, its socket, the
  ;; store contents and the profiles (see the filecon rules at the end).
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (typeattributeset file_type guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (typeattributeset file_type guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (typeattributeset file_type guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)
  (typeattributeset file_type guix_profiles_t)

  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; The single sensitivity level used in every filecon range below.
  (level low (s0))

  ;; When a process in init_t or guix_store_content_t spawns a
  ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; The daemon domain is also reachable from the system_r role (the
  ;; role init runs under), not only object_r.
  (roletype system_r guix_daemon_t)

  ;; allow init_t to read and execute guix files
  (allow init_t
         guix_profiles_t
         (lnk_file (read)))
  (allow init_t
         guix_daemon_exec_t
         (file (execute)))
  (allow init_t
         guix_daemon_t
         (process (transition)))
  (allow init_t
         guix_store_content_t
         (lnk_file (read)))
  (allow init_t
         guix_store_content_t
         (file (open read execute)))

  ;; guix-daemon needs to know the names of users
  (allow guix_daemon_t
         passwd_file_t
         (file (getattr open read)))

  ;; Permit communication with NSCD
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t nscd_t
         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))

  ;; permit downloading packages via HTTP(s)
  (allow guix_daemon_t http_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ftp_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ephemeral_port_t
         (tcp_socket (name_connect)))

  ;; Permit logging and temp file access
  (allow guix_daemon_t
         tmp_t
         (lnk_file (create rename setattr unlink)))
  ;; NOTE(review): execute/execute_no_trans on tmp_t files lets the daemon
  ;; run code out of temporary directories; presumably this is what build
  ;; jobs need, but it is a broad grant -- confirm against actual denials.
  (allow guix_daemon_t
         tmp_t
         (file (link
                rename create execute execute_no_trans write
                unlink setattr map relabelto relabelfrom)))
  (allow guix_daemon_t
         tmp_t
         (fifo_file (open read write create getattr ioctl setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create rename
               rmdir relabelto relabelfrom reparent
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         tmp_t
         (sock_file (create getattr setattr unlink write)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr create write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers
  ;; NOTE(review): execmem allows writable+executable anonymous memory in
  ;; the daemon itself; the reason is not recorded here -- verify whether
  ;; it is still required.
  (allow guix_daemon_t
         self
         (process (fork execmem setrlimit setpgid setsched)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute
                execute_no_trans read write open entrypoint map
                getattr link unlink)))

  ;; TODO: unknown -- these three rules were needed in practice but have
  ;; not been traced to a specific daemon operation.
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation
  ;; Mounting on store paths and the capabilities below are what the
  ;; daemon uses to set up isolated build environments.
  (allow guix_daemon_t
         guix_store_content_t
         (file (ioctl mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (read mounton)))
  ;; NOTE(review): sys_admin and dac_override are very broad capabilities
  ;; (mounts/namespaces and bypassing file permission checks respectively).
  ;; Together with sys_chroot they are what build isolation relies on; any
  ;; tightening should be driven by the audit log rather than guesswork.
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot
                      sys_admin)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (dir (search)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (ioctl open read write setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (getattr mount)))
  (allow guix_daemon_t
         tmpfs_t
         (file (create open read unlink write)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr add_name remove_name write)))
  (allow guix_daemon_t
         proc_t
         (file (getattr open read)))
  (allow guix_daemon_t
         proc_t
         (dir (read)))
  (allow guix_daemon_t
         proc_t
         (filesystem (associate mount)))
  ;; Device nodes: only /dev/null gets read/write here; the others are
  ;; getattr-only at this point (kvm and random get more below).
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                append
                open read write relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))
  (allow guix_daemon_t
         guix_store_content_t
         (fifo_file (create getattr open read unlink write)))
  (allow guix_daemon_t
         guix_store_content_t
         (sock_file (create getattr setattr unlink write)))

  ;; Access to configuration files and directories
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search create
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create rename
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))
  ;; Network configuration (resolver settings) is read-only.
  (allow guix_daemon_t net_conf_t
         (file (getattr open read)))
  (allow guix_daemon_t net_conf_t
         (lnk_file (read)))
  (allow guix_daemon_t NetworkManager_var_run_t
         (dir (search)))

  ;; Access to profiles
  (allow guix_daemon_t
         guix_profiles_t
         (dir (search getattr setattr read write open create add_name)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))
  (allow guix_daemon_t
         cache_home_t
         (dir (search)))

  ;; self upgrades
  (allow guix_daemon_t
         self
         (dir (add_name write)))
  (allow guix_daemon_t
         self
         (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))

  ;; Socket operations
  (allow guix_daemon_t
         guix_daemon_socket_t
         (sock_file (unlink)))
  ;; Socket handed over by init (socket activation), and the daemon's own
  ;; listening socket, which lives under guix_daemon_conf_t.
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
  (allow guix_daemon_t
         unreserved_port_t
         (tcp_socket (name_bind name_connect accept listen)))
  (allow guix_daemon_t
         self
         (udp_socket (connect getattr bind getopt setopt read write)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t
         self
         (unix_dgram_socket (create bind connect sendto read write)))

  ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
  (allow guix_daemon_t
         self
         (capability (kill)))
  (allow guix_daemon_t
         node_t
         (tcp_socket (node_bind)))
  (allow guix_daemon_t
         node_t
         (udp_socket (node_bind)))
  (allow guix_daemon_t
         port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t
         tmpfs_t
         (file (map read write link getattr)))
  (allow guix_daemon_t
         usermodehelper_t
         (file (read)))
  (allow guix_daemon_t
         hugetlbfs_t
         (file (map read write)))
  (allow guix_daemon_t
         proc_net_t
         (file (read)))
  (allow guix_daemon_t
         postgresql_port_t
         (tcp_socket (name_connect name_bind)))
  (allow guix_daemon_t
         rtp_media_port_t
         (udp_socket (name_bind)))
  (allow guix_daemon_t
         vnc_port_t
         (tcp_socket (name_bind)))

  ;; I guess sometimes it needs random numbers
  ;; (extends the getattr-only rule on random_device_t above with read)
  (allow guix_daemon_t
         random_device_t
         (chr_file (read)))

  ;; guix system vm
  ;; (extends the getattr-only rule on kvm_device_t above)
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (ioctl open read write)))
  (allow guix_daemon_t
         kernel_t
         (system (ipc_info)))

  ;; Label file system
  ;; The @...@ placeholders are filled in at build time (this is a .in
  ;; template).  Configuration, profiles, the daemon executable and the
  ;; socket are labelled as system_u; the store itself is unconfined_u.
  ;; NOTE(review): the system_u/unconfined_u split is not explained here
  ;; -- confirm it is intentional before changing either side.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; Both the installed daemon and a store copy of it carry the exec label,
  ;; so either entry point triggers the typetransition into guix_daemon_t.
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/[a-z0-9]+-guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))