diff mbox series

[bug#44549,v2] etc: updates for the guix-daemon SELinux policy

Message ID 87a6vm6s5p.fsf@db48x.net
State Accepted
Headers show
Series [bug#44549,v2] etc: updates for the guix-daemon SELinux policy | expand

Checks

Context Check Description
cbaines/submitting builds success
cbaines/issue success View issue
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch fail View Laminar job

Commit Message

Daniel Brooks Nov. 13, 2020, 12:01 a.m. UTC

diff mbox series

Patch

From a4262f3ee0feb98d84e0eeb4b86c1575f00e2078 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v2] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
 etc/guix-daemon.cil.in | 175 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 157 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..5de89eb98e 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@ 
 ; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,6 +23,18 @@ 
 ;; Intermediate Language (CIL).  It refers to types that must be defined in
 ;; the system's base policy.
 
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
 (block guix_daemon
   ;; Require existing types
   (typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@ 
   (roletype object_r guix_daemon_t)
   (type guix_daemon_conf_t)
   (roletype object_r guix_daemon_conf_t)
+  (typeattributeset file_type guix_daemon_conf_t)
   (type guix_daemon_exec_t)
   (roletype object_r guix_daemon_exec_t)
+  (typeattributeset file_type guix_daemon_exec_t)
   (type guix_daemon_socket_t)
   (roletype object_r guix_daemon_socket_t)
+  (typeattributeset file_type guix_daemon_socket_t)
   (type guix_store_content_t)
   (roletype object_r guix_store_content_t)
+  (typeattributeset file_type guix_store_content_t)
   (type guix_profiles_t)
   (roletype object_r guix_profiles_t)
+  (typeattributeset file_type guix_profiles_t)
 
   ;; These types are domains, thereby allowing process rules
   (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@ 
   (typetransition guix_store_content_t guix_daemon_exec_t
                   process guix_daemon_t)
 
+  (roletype system_r guix_daemon_t)
+
+  ;; allow init_t to read and execute guix files
+  (allow init_t
+         guix_profiles_t
+         (lnk_file (read)))
+  (allow init_t
+         guix_daemon_exec_t
+         (file (execute)))
+  (allow init_t
+         guix_daemon_t
+         (process (transition)))
+  (allow init_t
+         guix_store_content_t
+         (lnk_file (read)))
+  (allow init_t
+         guix_store_content_t
+         (file (open read execute)))
+
+  ;; guix-daemon needs to know the names of users
+  (allow guix_daemon_t
+         passwd_file_t
+         (file (getattr open read)))
+
   ;; Permit communication with NSCD
   (allow guix_daemon_t
          nscd_var_run_t
@@ -71,25 +114,44 @@ 
   (allow guix_daemon_t
          nscd_t
          (unix_stream_socket (connectto)))
+  (allow guix_daemon_t nscd_t
+         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+  ;; permit downloading packages via HTTP(s)
+  (allow guix_daemon_t http_port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t ftp_port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t ephemeral_port_t
+         (tcp_socket (name_connect)))
 
   ;; Permit logging and temp file access
   (allow guix_daemon_t
          tmp_t
-         (lnk_file (setattr unlink)))
+         (lnk_file (create rename setattr unlink)))
+  (allow guix_daemon_t
+         tmp_t
+         (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+  (allow guix_daemon_t
+         tmp_t
+         (fifo_file (open read write create getattr ioctl setattr unlink)))
   (allow guix_daemon_t
          tmp_t
-         (dir (create
-               rmdir
+         (dir (create rename
+               rmdir relabelto
                add_name remove_name
                open read write
                getattr setattr
                search)))
+  (allow guix_daemon_t
+         tmp_t
+         (sock_file (create getattr setattr unlink write)))
   (allow guix_daemon_t
          var_log_t
          (file (create getattr open write)))
   (allow guix_daemon_t
          var_log_t
-         (dir (getattr write add_name)))
+         (dir (getattr create write add_name)))
   (allow guix_daemon_t
          var_run_t
          (lnk_file (read)))
@@ -100,10 +162,10 @@ 
   ;; Spawning processes, execute helpers
   (allow guix_daemon_t
          self
-         (process (fork)))
+         (process (fork execmem setrlimit setpgid setsched)))
   (allow guix_daemon_t
          guix_daemon_exec_t
-         (file (execute execute_no_trans read open)))
+         (file (execute execute_no_trans read open entrypoint map)))
 
   ;; TODO: unknown
   (allow guix_daemon_t
@@ -119,38 +181,51 @@ 
   ;; Build isolation
   (allow guix_daemon_t
          guix_store_content_t
-         (file (mounton)))
+         (file (ioctl mounton)))
   (allow guix_store_content_t
          fs_t
          (filesystem (associate)))
   (allow guix_daemon_t
          guix_store_content_t
-         (dir (mounton)))
+         (dir (read mounton)))
   (allow guix_daemon_t
          guix_daemon_t
          (capability (net_admin
                       fsetid fowner
                       chown setuid setgid
                       dac_override dac_read_search
-                      sys_chroot)))
+                      sys_chroot
+                      sys_admin)))
   (allow guix_daemon_t
          fs_t
          (filesystem (unmount)))
+  (allow guix_daemon_t
+         devpts_t
+         (dir (search)))
   (allow guix_daemon_t
          devpts_t
          (filesystem (mount)))
   (allow guix_daemon_t
          devpts_t
-         (chr_file (setattr getattr)))
+         (chr_file (ioctl open read write setattr getattr)))
   (allow guix_daemon_t
          tmpfs_t
-         (filesystem (mount)))
+         (filesystem (getattr mount)))
   (allow guix_daemon_t
          tmpfs_t
-         (dir (getattr)))
+         (file (create open read unlink write)))
+  (allow guix_daemon_t
+         tmpfs_t
+         (dir (getattr add_name remove_name write)))
   (allow guix_daemon_t
          proc_t
-         (filesystem (mount)))
+         (file (getattr open read)))
+  (allow guix_daemon_t
+         proc_t
+         (dir (read)))
+  (allow guix_daemon_t
+         proc_t
+         (filesystem (associate mount)))
   (allow guix_daemon_t
          null_device_t
          (chr_file (getattr open read write)))
@@ -179,7 +254,7 @@ 
                search rename
                add_name remove_name
                open write
-               rmdir)))
+               rmdir relabelfrom)))
   (allow guix_daemon_t
          guix_store_content_t
          (file (create
@@ -189,7 +264,7 @@ 
                 link unlink
                 map
                 rename
-                open read write)))
+                open read write relabelfrom)))
   (allow guix_daemon_t
          guix_store_content_t
          (lnk_file (create
@@ -197,17 +272,23 @@ 
                     link unlink
                     read
                     rename)))
+  (allow guix_daemon_t
+         guix_store_content_t
+         (fifo_file (create getattr open read unlink write)))
+  (allow guix_daemon_t
+         guix_store_content_t
+         (sock_file (create getattr unlink write)))
 
   ;; Access to configuration files and directories
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (dir (search
+         (dir (search create
                setattr getattr
                add_name remove_name
                open read write)))
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (file (create
+         (file (create rename
                 lock
                 map
                 getattr setattr
@@ -216,11 +297,17 @@ 
   (allow guix_daemon_t
          guix_daemon_conf_t
          (lnk_file (create getattr rename unlink)))
+  (allow guix_daemon_t net_conf_t
+         (file (getattr open read)))
+  (allow guix_daemon_t net_conf_t
+         (lnk_file (read)))
+  (allow guix_daemon_t NetworkManager_var_run_t
+         (dir (search)))
 
   ;; Access to profiles
   (allow guix_daemon_t
          guix_profiles_t
-         (dir (getattr setattr read open)))
+         (dir (search getattr setattr read write open create add_name)))
   (allow guix_daemon_t
          guix_profiles_t
          (lnk_file (read getattr)))
@@ -233,6 +320,17 @@ 
   (allow guix_daemon_t
          user_home_t
          (dir (search)))
+  (allow guix_daemon_t
+         cache_home_t
+         (dir (search)))
+
+  ;; self upgrades
+  (allow guix_daemon_t
+         self
+         (dir (add_name write)))
+  (allow guix_daemon_t
+         self
+         (netlink_route_socket (bind create getattr nlmsg_read read write)))
 
   ;; Socket operations
   (allow guix_daemon_t
@@ -253,12 +351,53 @@ 
                               read write
                               connect bind accept
                               getopt setopt)))
+  (allow guix_daemon_t
+         self
+         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+  (allow guix_daemon_t
+         unreserved_port_t
+         (tcp_socket (name_bind name_connect accept listen)))
+  (allow guix_daemon_t
+         self
+         (udp_socket (connect getattr bind getopt setopt)))
   (allow guix_daemon_t
          self
          (fifo_file (write read)))
   (allow guix_daemon_t
          self
          (udp_socket (ioctl create)))
+  (allow guix_daemon_t
+         self
+         (unix_stream_socket (connectto)))
+
+  (allow guix_daemon_t
+         node_t
+         (tcp_socket (node_bind)))
+  (allow guix_daemon_t
+         node_t
+         (udp_socket (node_bind)))
+  (allow guix_daemon_t
+         port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t
+         rtp_media_port_t
+         (udp_socket (name_bind)))
+  (allow guix_daemon_t
+         vnc_port_t
+         (tcp_socket (name_bind)))
+
+  ;; I guess sometimes it needs random numbers
+  (allow guix_daemon_t
+         random_device_t
+         (chr_file (read)))
+
+  ;; guix system vm
+  (allow guix_daemon_t
+         kvm_device_t
+         (chr_file (ioctl open read write)))
+  (allow guix_daemon_t
+         kernel_t
+         (system (ipc_info)))
 
   ;; Label file system
   (filecon "@guix_sysconfdir@/guix(/.*)?"
-- 
2.26.2