From a4262f3ee0feb98d84e0eeb4b86c1575f00e2078 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v2] etc: updates for the guix-daemon SELinux policy
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
etc/guix-daemon.cil.in | 175 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 157 insertions(+), 18 deletions(-)
@@ -1,6 +1,8 @@
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +23,18 @@
;; Intermediate Language (CIL). It refers to types that must be defined in
;; the system's base policy.
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
(block guix_daemon
;; Require existing types
(typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
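Review bot: The five added `(typeattributeset file_type …)` lines carry no comment saying why the attribute is needed, and its effect is not local to this module: every base-policy rule granted on the `file_type` attribute now also applies to the store, profile, config, socket and exec types. A one-line comment above the first of them, such as `;; file_type: presumably so these labels can be applied on disk (relabel/filesystem association) -- confirm`, would record the intent and prompt a check of what the base policy grants to file_type as a whole. The base policy is outside this file, so the actual widening cannot be judged here.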
@@ -55,6 +74,30 @@
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
+ (roletype system_r guix_daemon_t)
+
+ ;; allow init_t to read and execute guix files
+ (allow init_t
+ guix_profiles_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_daemon_exec_t
+ (file (execute)))
+ (allow init_t
+ guix_daemon_t
+ (process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_store_content_t
+ (file (open read execute)))
+
+ ;; guix-daemon needs to know the names of users
+ (allow guix_daemon_t
+ passwd_file_t
+ (file (getattr open read)))
+
;; Permit communication with NSCD
(allow guix_daemon_t
nscd_var_run_t
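Review bot: The new `(allow init_t guix_daemon_t (process (transition)))` permits the init to guix_daemon_t transition, but no `typetransition` with `init_t` as its source is visible; the only one in view, in the context just above, has `guix_store_content_t` as source and would not move init into guix_daemon_t on exec. If a `typetransition init_t guix_daemon_exec_t process guix_daemon_t` is not elsewhere in the file, the service would keep running as `init_t` unless the unit sets a context explicitly, which would make every guix_daemon_t rule in this patch inert. A short comment on `(allow init_t guix_store_content_t (file (open read execute)))` saying why init must execute store content directly (presumably because the exec file resolves into the store) would also help; confirm against the `filecon` rules at the end of the file.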
@@ -71,25 +114,44 @@
(allow guix_daemon_t
nscd_t
(unix_stream_socket (connectto)))
+ (allow guix_daemon_t nscd_t
+ (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+ ;; permit downloading packages via HTTP(s)
+ (allow guix_daemon_t http_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ftp_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ephemeral_port_t
+ (tcp_socket (name_connect)))
;; Permit logging and temp file access
(allow guix_daemon_t
tmp_t
- (lnk_file (setattr unlink)))
+ (lnk_file (create rename setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+ (allow guix_daemon_t
+ tmp_t
+ (fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
- (dir (create
- rmdir
+ (dir (create rename
+ rmdir relabelto
add_name remove_name
open read write
getattr setattr
search)))
+ (allow guix_daemon_t
+ tmp_t
+ (sock_file (create getattr setattr unlink write)))
(allow guix_daemon_t
var_log_t
(file (create getattr open write)))
(allow guix_daemon_t
var_log_t
- (dir (getattr write add_name)))
+ (dir (getattr create write add_name)))
(allow guix_daemon_t
var_run_t
(lnk_file (read)))
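Review bot: The new tmp_t file rule grants `execute execute_no_trans map` together with `create write`, so guix_daemon_t can now write a file under tmp_t and execute it in its own domain; with the `dac_override`/`setuid` capabilities the domain already has, tmp_t content becomes as trusted as the daemon itself. That is presumably how builders are started from the temporary build directory, but the rule should say so, e.g. `;; builders are run from the temporary build directory, so tmp_t files must be executable in this domain -- confirm`. The HTTP(s) comment above the three `name_connect` rules should also be widened, since `ephemeral_port_t` covers outbound connections to any ephemeral port, not just web and FTP mirrors.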
@@ -100,10 +162,10 @@
;; Spawning processes, execute helpers
(allow guix_daemon_t
self
- (process (fork)))
+ (process (fork execmem setrlimit setpgid setsched)))
(allow guix_daemon_t
guix_daemon_exec_t
- (file (execute execute_no_trans read open)))
+ (file (execute execute_no_trans read open entrypoint map)))
;; TODO: unknown
(allow guix_daemon_t
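Review bot: `execmem` added to the `self (process …)` rule allows anonymous writable-and-executable memory, which is the one permission SELinux uses to confine runtime code generation, and it is added here without a comment. It is the only addition in this hunk that weakens a memory control rather than a file one, so record the trigger, e.g. `;; execmem: anonymous W+X mappings -- the audit record should name the executable that needed it; confirm`. The `(allow guix_daemon_t` on the last line is cut off by the hunk boundary.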
@@ -119,38 +181,51 @@
;; Build isolation
(allow guix_daemon_t
guix_store_content_t
- (file (mounton)))
+ (file (ioctl mounton)))
(allow guix_store_content_t
fs_t
(filesystem (associate)))
(allow guix_daemon_t
guix_store_content_t
- (dir (mounton)))
+ (dir (read mounton)))
(allow guix_daemon_t
guix_daemon_t
(capability (net_admin
fsetid fowner
chown setuid setgid
dac_override dac_read_search
- sys_chroot)))
+ sys_chroot
+ sys_admin)))
(allow guix_daemon_t
fs_t
(filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (dir (search)))
(allow guix_daemon_t
devpts_t
(filesystem (mount)))
(allow guix_daemon_t
devpts_t
- (chr_file (setattr getattr)))
+ (chr_file (ioctl open read write setattr getattr)))
(allow guix_daemon_t
tmpfs_t
- (filesystem (mount)))
+ (filesystem (getattr mount)))
(allow guix_daemon_t
tmpfs_t
- (dir (getattr)))
+ (file (create open read unlink write)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (dir (getattr add_name remove_name write)))
(allow guix_daemon_t
proc_t
- (filesystem (mount)))
+ (file (getattr open read)))
+ (allow guix_daemon_t
+ proc_t
+ (dir (read)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (associate mount)))
(allow guix_daemon_t
null_device_t
(chr_file (getattr open read write)))
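Review bot: `sys_admin` is added to the capability set without a comment, and it is by far the broadest permission in this file (mount, namespaces, many privileged ioctls), so a reader cannot tell which daemon operation forced it. Record the reason inline, e.g. `sys_admin ;; presumably mount(2)/namespace setup for build isolation -- confirm via ausearch`, and if the audit record points at one syscall, check whether the `filesystem (mount)`/`(unmount)` rules already around it are sufficient on their own. The added `proc_t` and `tmpfs_t` file and dir rules read consistently with the mount rules next to them.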
@@ -179,7 +254,7 @@
search rename
add_name remove_name
open write
- rmdir)))
+ rmdir relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(file (create
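Review bot: `relabelfrom` is added on guix_store_content_t directories here and on its files in the next hunk, which pairs with the `relabelto` on tmp_t file and dir classes introduced earlier in the patch, yet nothing says what operation moves store objects to the tmp label. A comment on this rule, e.g. `;; relabelfrom: store paths are relabelled to tmp_t during <operation, fill in>`, would stop a later reviewer from treating the pair as stray audit2allow output. The `(allow guix_daemon_t guix_store_content_t (file (create` statement at the bottom of the hunk continues beyond it.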
@@ -189,7 +264,7 @@
link unlink
map
rename
- open read write)))
+ open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
@@ -197,17 +272,23 @@
link unlink
read
rename)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (fifo_file (create getattr open read unlink write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (sock_file (create getattr unlink write)))
;; Access to configuration files and directories
(allow guix_daemon_t
guix_daemon_conf_t
- (dir (search
+ (dir (search create
setattr getattr
add_name remove_name
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
- (file (create
+ (file (create rename
lock
map
getattr setattr
@@ -216,11 +297,17 @@
(allow guix_daemon_t
guix_daemon_conf_t
(lnk_file (create getattr rename unlink)))
+ (allow guix_daemon_t net_conf_t
+ (file (getattr open read)))
+ (allow guix_daemon_t net_conf_t
+ (lnk_file (read)))
+ (allow guix_daemon_t NetworkManager_var_run_t
+ (dir (search)))
;; Access to profiles
(allow guix_daemon_t
guix_profiles_t
- (dir (getattr setattr read open)))
+ (dir (search getattr setattr read write open create add_name)))
(allow guix_daemon_t
guix_profiles_t
(lnk_file (read getattr)))
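Review bot: `NetworkManager_var_run_t` in the new rule is declared by the NetworkManager policy module rather than the base policy, so on a host without that module the guix_daemon module would fail to resolve the name and not load at all; the `cil_gen_require` attribute at the top of the block does not make such references optional. Wrapping that one rule in a CIL `(optional …)` block lets the policy load with or without NetworkManager. The widened profiles `dir` rule now adds `write create add_name` where the old rule was read-only; a one-line comment naming the profile-generation step that needs it would make the change self-explanatory.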
@@ -233,6 +320,17 @@
(allow guix_daemon_t
user_home_t
(dir (search)))
+ (allow guix_daemon_t
+ cache_home_t
+ (dir (search)))
+
+ ;; self upgrades
+ (allow guix_daemon_t
+ self
+ (dir (add_name write)))
+ (allow guix_daemon_t
+ self
+ (netlink_route_socket (bind create getattr nlmsg_read read write)))
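Review bot: The `;; self upgrades` heading does not explain the two rules under it, and neither obviously relates to upgrading: a `dir` rule against `self` only matters for directories carrying the process's own label (presumably the daemon's own /proc entries), and a `netlink_route_socket` is what the C library opens for interface and address lookups during name resolution. Replace the heading with what the audit log actually showed, e.g. `;; observed during self-upgrade: directory writes under the daemon's own label and route lookups over netlink -- confirm`, so the next reader does not assume the daemon writes into its own domain's files. The triggering operation is not visible here, so this is inferred.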
;; Socket operations
(allow guix_daemon_t
@@ -253,12 +351,53 @@
read write
connect bind accept
getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+ (allow guix_daemon_t
+ unreserved_port_t
+ (tcp_socket (name_bind name_connect accept listen)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (connect getattr bind getopt setopt)))
(allow guix_daemon_t
self
(fifo_file (write read)))
(allow guix_daemon_t
self
(udp_socket (ioctl create)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (connectto)))
+
+ (allow guix_daemon_t
+ node_t
+ (tcp_socket (node_bind)))
+ (allow guix_daemon_t
+ node_t
+ (udp_socket (node_bind)))
+ (allow guix_daemon_t
+ port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t
+ rtp_media_port_t
+ (udp_socket (name_bind)))
+ (allow guix_daemon_t
+ vnc_port_t
+ (tcp_socket (name_bind)))
+
+ ;; I guess sometimes it needs random numbers
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (read)))
+
+ ;; guix system vm
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (ioctl open read write)))
+ (allow guix_daemon_t
+ kernel_t
+ (system (ipc_info)))
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
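Review bot: The new `unreserved_port_t` rule grants `name_bind name_connect accept listen` and `port_t` gets `name_connect`, so together with the earlier `ephemeral_port_t` rule guix_daemon_t may connect to nearly any TCP port and listen on any unreserved one, while only the kvm rule has a comment. Say which feature needs each, e.g. `;; guix system vm: QEMU user networking and VNC bind unreserved/VNC ports -- confirm` above the `vnc_port_t` and `rtp_media_port_t` rules, and if listening is only needed for the VM case keep `accept listen` out of the generic unreserved rule. The new `self (tcp_socket …)` rule also overlaps with the socket rule whose tail forms the first context lines of the hunk (`connect bind accept getopt setopt`); if that rule is the same class, merging them avoids two sources of truth for the daemon's socket permissions.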
--
2.26.2