2 ;;; GNU Guix --- Functional package management for GNU
3 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
4 ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
5 ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
7 ;;; This file is part of GNU Guix.
9 ;;; GNU Guix is free software; you can redistribute it and/or modify it
10 ;;; under the terms of the GNU General Public License as published by
11 ;;; the Free Software Foundation; either version 3 of the License, or (at
12 ;;; your option) any later version.
14 ;;; GNU Guix is distributed in the hope that it will be useful, but
15 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;;; GNU General Public License for more details.
19 ;;; You should have received a copy of the GNU General Public License
20 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22 ;; This is a specification for SELinux 2.7 written in the SELinux Common
23 ;; Intermediate Language (CIL). It refers to types that must be defined in
24 ;; the system's base policy.
26 ;; If you, like me, need advice about fixing an SELinux policy, I recommend
27 ;; reading https://danwalsh.livejournal.com/55324.html
29 ;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
30 ;; to allow guix-daemon to do whatever it wants. SELinux will still check its
31 ;; permissions, and when it doesn't have permission it will still send an
32 ;; audit message to your system logs. This lets you know what permissions it
33 ;; ought to have. Use ausearch --raw to find the permissions violations, then
34 ;; pipe that to audit2allow to generate an updated policy. You'll still need
35 ;; to translate that policy into CIL in order to update this file, but that's
36 ;; fairly straight-forward. Annoying, but easy.
;;
;; Two caveats when doing this. First, a permissive domain is not confined at
;; all: denials are only logged, nothing is blocked, so do this on a test
;; machine rather than a production one and revert it afterwards with
;; semanage permissive -d guix_daemon.guix_daemon_t. Second, audit2allow
;; proposes an allow rule for every denial it sees, including anything a
;; broken build or a misbehaving daemon happened to try; review each proposed
;; rule before adding it here, and keep the target type as narrow as the
;; daemon actually needs rather than the widest one audit2allow suggests.
39 ;; Require existing types
;;
;; Base-policy types and attributes the rules below refer to: init_t (the
;; domain the daemon is started from, see the typetransition further down),
;; tmp_t and var_log_t (temp files and logging), nscd_var_run_t (nscd runtime
;; state) and the domain attribute, which two of this module's own types are
;; added to below. Other base-policy identifiers used later in this file
;; (file_type, nscd_t, http_port_t, ftp_port_t, ephemeral_port_t, net_conf_t,
;; NetworkManager_var_run_t) are not listed here and are presumably resolved
;; when the module is compiled against the base policy.
40 (typeattributeset cil_gen_require init_t)
41 (typeattributeset cil_gen_require tmp_t)
42 (typeattributeset cil_gen_require nscd_var_run_t)
43 (typeattributeset cil_gen_require var_log_t)
44 (typeattributeset cil_gen_require domain)
48 (roletype object_r guix_daemon_t)
;; Types owned by this module. (The (type guix_daemon_t) declaration itself
;; precedes this line.) Each file type gets the object_r role and the
;; file_type attribute so that base-policy rules written against file_type
;; cover it. The filecon entries at the end of this file assign them to paths:
;;   guix_daemon_conf_t   - @guix_sysconfdir@/guix and @guix_localstatedir@/guix
;;   guix_daemon_exec_t   - the guix-daemon executable (the domain's entry point)
;;   guix_daemon_socket_t - the daemon's socket under daemon-socket/
;;   guix_store_content_t - everything under @storedir@
;;   guix_profiles_t      - @guix_localstatedir@/guix/profiles
49 (type guix_daemon_conf_t)
50 (roletype object_r guix_daemon_conf_t)
51 (typeattributeset file_type guix_daemon_conf_t)
52 (type guix_daemon_exec_t)
53 (roletype object_r guix_daemon_exec_t)
54 (typeattributeset file_type guix_daemon_exec_t)
55 (type guix_daemon_socket_t)
56 (roletype object_r guix_daemon_socket_t)
57 (typeattributeset file_type guix_daemon_socket_t)
58 (type guix_store_content_t)
59 (roletype object_r guix_store_content_t)
60 (typeattributeset file_type guix_store_content_t)
61 (type guix_profiles_t)
62 (roletype object_r guix_profiles_t)
63 (typeattributeset file_type guix_profiles_t)
65 ;; These types are domains, thereby allowing process rules
;; NOTE(review): giving the domain attribute to guix_daemon_exec_t is unusual.
;; It is also declared as a file_type above and is used as the entry-point
;; type in the typetransition rules below; every base-policy rule granted to
;; the domain attribute now applies to that file type as well. Confirm this is
;; intended rather than a leftover, and drop it if only guix_daemon_t needs it.
66 (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
70 ;; When a process in init_t or guix_store_content_t spawns a
71 ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
;; A typetransition only selects the target domain; the allow rules that make
;; the transition legal (process transition for the source domain, execute on
;; guix_daemon_exec_t, entrypoint for guix_daemon_t) are granted separately
;; further down.
72 (typetransition init_t guix_daemon_exec_t
73 process guix_daemon_t)
;; NOTE(review): guix_store_content_t is declared as a file_type above and is
;; not given the domain attribute, so no process should ever carry that label
;; and this second rule looks inert as written -- confirm whether a different
;; source domain was meant.
74 (typetransition guix_store_content_t guix_daemon_exec_t
75 process guix_daemon_t)
;; The daemon domain runs under the system_r role.
77 (roletype system_r guix_daemon_t)
79 ;; allow init_t to read and execute guix files
88 (process (transition)))
94 (file (open read execute)))
96 ;; guix-daemon needs to know the names of users
99 (file (getattr open read)))
101 ;; Permit communication with NSCD
116 (unix_stream_socket (connectto)))
;; nscd lookups the daemon performs: group (getgrp), host, passwd and service
;; queries, plus the shmem* variants for nscd's shared-memory cache.
117 (allow guix_daemon_t nscd_t
118 (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
120 ;; permit downloading packages via HTTP(s)
;; name_connect is outbound TCP only. Note the third rule: ephemeral_port_t
;; covers the whole ephemeral port range, so this is wider than "HTTP(S) and
;; FTP" -- presumably to reach substitute or source servers on non-standard
;; ports, at the cost of allowing outbound connects to most high ports. Narrow
;; it if your deployment never needs that.
121 (allow guix_daemon_t http_port_t
122 (tcp_socket (name_connect)))
123 (allow guix_daemon_t ftp_port_t
124 (tcp_socket (name_connect)))
125 (allow guix_daemon_t ephemeral_port_t
126 (tcp_socket (name_connect)))
128 ;; Permit logging and temp file access
131 (lnk_file (create rename setattr unlink)))
135 rename create execute execute_no_trans write
136 unlink setattr map relabelto relabelfrom)))
139 (fifo_file (open read write create getattr ioctl setattr unlink)))
143 rmdir relabelto relabelfrom reparent
150 (sock_file (create getattr setattr unlink write)))
153 (file (create getattr open write)))
156 (dir (getattr create write add_name)))
164 ;; Spawning processes, execute helpers
167 (process (fork execmem setrlimit setpgid setsched)))
171 execute_no_trans read write open entrypoint map
172 getattr link unlink)))
180 (filesystem (getattr)))
181 (allow guix_daemon_conf_t
183 (filesystem (associate)))
188 (file (ioctl mounton)))
189 (allow guix_store_content_t
191 (filesystem (associate)))
194 (dir (read mounton)))
197 (capability (net_admin
200 dac_override dac_read_search
205 (filesystem (unmount)))
211 (filesystem (mount)))
214 (chr_file (ioctl open read write setattr getattr)))
217 (filesystem (getattr mount)))
220 (file (create open read unlink write)))
223 (dir (getattr add_name remove_name write)))
226 (file (getattr open read)))
232 (filesystem (associate mount)))
235 (chr_file (getattr open read write)))
238 (chr_file (getattr)))
241 (chr_file (getattr)))
244 (chr_file (getattr)))
247 (chr_file (getattr)))
250 (chr_file (getattr)))
252 ;; Access to store items
267 execute execute_no_trans
272 open read write relabelfrom)))
282 (fifo_file (create getattr open read unlink write)))
285 (sock_file (create getattr setattr unlink write)))
287 ;; Access to configuration files and directories
304 (lnk_file (create getattr rename unlink)))
;; Read-only access to network configuration files (net_conf_t); presumably
;; for resolver configuration -- no write permission is granted here.
305 (allow guix_daemon_t net_conf_t
306 (file (getattr open read)))
307 (allow guix_daemon_t net_conf_t
309 (allow guix_daemon_t NetworkManager_var_run_t
312 ;; Access to profiles
315 (dir (search getattr setattr read write open create add_name)))
318 (lnk_file (read getattr)))
320 ;; Access to profile links in the home directory
321 ;; TODO: allow access to profile links *anywhere* on the filesystem
324 (lnk_file (read getattr)))
335 (dir (add_name write)))
338 (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
343 (sock_file (unlink)))
349 (unix_stream_socket (write)))
352 (unix_stream_socket (listen)))
355 (sock_file (create unlink)))
358 (unix_stream_socket (create
364 (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
367 (tcp_socket (name_bind name_connect accept listen)))
370 (udp_socket (connect getattr bind getopt setopt read write)))
373 (fifo_file (write read)))
376 (udp_socket (ioctl create)))
379 (unix_stream_socket (connectto)))
382 (unix_dgram_socket (create bind connect sendto read write)))
384 ;; For some esoteric build jobs (e.g. running PostgreSQL during a build).
;; The rules that follow grant port binding (node_bind/name_bind) and
;; listening as well as outbound connects, which is considerably more than
;; package downloads need; keep them in mind when auditing the daemon's
;; network exposure.
390 (tcp_socket (node_bind)))
393 (udp_socket (node_bind)))
396 (tcp_socket (name_connect)))
399 (file (map read write link getattr)))
405 (file (map read write)))
411 (tcp_socket (name_connect name_bind)))
414 (udp_socket (name_bind)))
417 (tcp_socket (name_bind)))
419 ;; Access to random-number devices (chr_file); needed occasionally,
;; presumably by builds that want entropy.
427 (chr_file (ioctl open read write)))
;; File contexts. These map paths to labels when the filesystem is labelled
;; (e.g. with restorecon/setfiles); labels of files the daemon creates at
;; runtime come from the kernel's default and transition rules, not from these
;; entries. The @...@ placeholders are presumably substituted at build time.
433 (filecon "@guix_sysconfdir@/guix(/.*)?"
434 any (system_u object_r guix_daemon_conf_t (low low)))
435 (filecon "@guix_localstatedir@/guix(/.*)?"
436 any (system_u object_r guix_daemon_conf_t (low low)))
;; More specific than the entry above, so the profiles subtree gets its own
;; type (file-context matching prefers the most specific pattern); the
;; daemon-socket entry at the end of the file works the same way.
437 (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
438 any (system_u object_r guix_profiles_t (low low)))
440 dir (unconfined_u object_r guix_store_content_t (low low)))
;; Store contents. The store is labelled with the unconfined_u user while
;; everything else in this file uses system_u -- presumably deliberate so that
;; store items run by users are not tied to system_u, but confirm, and keep it
;; in mind when auditing.
441 (filecon "@storedir@(/.+)?"
442 any (unconfined_u object_r guix_store_content_t (low low)))
;; This pattern is already covered by "@storedir@(/.+)?" above and yields the
;; same label, so the overlap is harmless.
443 (filecon "@storedir@/[^/]+/.+"
444 any (unconfined_u object_r guix_store_content_t (low low)))
;; Entry points for the daemon: the installed binary, a bin/guix-daemon inside
;; any store item whose name ends in "-guix-<...>" or "-profile", and a store
;; item named "[a-z0-9]+-guix-daemon". These match on path alone, so any store
;; path of that shape receives the entry-point label on relabel regardless of
;; how it got there (presumably only the daemon writes to the store).
445 (filecon "@prefix@/bin/guix-daemon"
446 file (system_u object_r guix_daemon_exec_t (low low)))
447 (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
448 file (system_u object_r guix_daemon_exec_t (low low)))
449 (filecon "@storedir@/[a-z0-9]+-guix-daemon"
450 file (system_u object_r guix_daemon_exec_t (low low)))
;; The daemon's socket. The extra closing paren on the last line ends the
;; enclosing construct opened earlier in the file.
451 (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
452 any (system_u object_r guix_daemon_socket_t (low low))))