From b617a9fe239ea645c816d6afcb81d5476f760d84 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Thu, 25 Jan 2018 15:21:07 +0100 Subject: etc: Add SELinux policy for the daemon. * etc/guix-daemon.cil.in: New file. * Makefile.am (dist_selinux_policy_DATA): Define it. * configure.ac: Handle --with-selinux-policy-dir. * doc/guix.texi (SELinux Support): New section. --- etc/guix-daemon.cil.in | 285 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 285 insertions(+) create mode 100644 etc/guix-daemon.cil.in (limited to 'etc') diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in new file mode 100644 index 0000000000..c0c82d8fbb --- /dev/null +++ b/etc/guix-daemon.cil.in @@ -0,0 +1,285 @@ +; -*- lisp -*- +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2018 Ricardo Wurmus +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +;; This is a specification for SELinux 2.7 written in the SELinux Common +;; Intermediate Language (CIL). It refers to types that must be defined in +;; the system's base policy. + +(block guix_daemon + ;; Require existing types + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require nscd_var_run_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require domain) + + ;; Declare own types + (type guix_daemon_t) + (roletype object_r guix_daemon_t) + (type guix_daemon_conf_t) + (roletype object_r guix_daemon_conf_t) + (type guix_daemon_exec_t) + (roletype object_r guix_daemon_exec_t) + (type guix_daemon_socket_t) + (roletype object_r guix_daemon_socket_t) + (type guix_store_content_t) + (roletype object_r guix_store_content_t) + (type guix_profiles_t) + (roletype object_r guix_profiles_t) + + ;; These types are domains, thereby allowing process rules + (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) + + (level low (s0)) + + ;; When a process in init_t or guix_store_content_t spawns a + ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context + (typetransition init_t guix_daemon_exec_t + process guix_daemon_t) + (typetransition guix_store_content_t guix_daemon_exec_t + process guix_daemon_t) + + ;; Permit communication with NSCD + (allow guix_daemon_t + nscd_var_run_t + (file (map read))) + (allow guix_daemon_t + nscd_var_run_t + (dir (search))) + (allow guix_daemon_t + nscd_var_run_t + (sock_file (write))) + (allow guix_daemon_t + nscd_t + (fd (use))) + (allow guix_daemon_t + nscd_t + (unix_stream_socket (connectto))) + + ;; Permit logging and temp file access + (allow guix_daemon_t + tmp_t + (lnk_file (setattr unlink))) + (allow guix_daemon_t + tmp_t + (dir (create + rmdir + add_name remove_name + open read write + getattr setattr + search))) + (allow guix_daemon_t + var_log_t + (file (create getattr open write))) + (allow guix_daemon_t + var_log_t + (dir (getattr write add_name))) + (allow guix_daemon_t + var_run_t + (lnk_file (read))) + (allow guix_daemon_t + var_run_t + (dir (search))) + + ;; Spawning processes, execute helpers + (allow guix_daemon_t + self + (process (fork))) + (allow guix_daemon_t + guix_daemon_exec_t + (file (execute execute_no_trans read open))) + + ;; TODO: unknown + (allow guix_daemon_t + root_t + (dir (mounton))) + (allow guix_daemon_t + fs_t + (filesystem (getattr))) + (allow guix_daemon_conf_t + fs_t + (filesystem (associate))) + + ;; Build isolation + (allow guix_daemon_t + guix_store_content_t + (file (mounton))) + (allow guix_store_content_t + fs_t + (filesystem (associate))) + (allow guix_daemon_t + guix_store_content_t + (dir (mounton))) + (allow guix_daemon_t + guix_daemon_t + (capability (net_admin + fsetid fowner + chown setuid setgid + dac_override dac_read_search + sys_chroot))) + (allow guix_daemon_t + fs_t + (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (filesystem (mount))) + (allow guix_daemon_t + devpts_t + (chr_file (setattr getattr))) + (allow guix_daemon_t + tmpfs_t + (filesystem (mount))) + (allow guix_daemon_t + tmpfs_t + (dir (getattr))) + (allow guix_daemon_t + proc_t + (filesystem (mount))) + (allow guix_daemon_t + null_device_t + (chr_file (getattr open read write))) + (allow guix_daemon_t + kvm_device_t + (chr_file (getattr))) + (allow guix_daemon_t + zero_device_t + (chr_file (getattr))) + (allow guix_daemon_t + urandom_device_t + (chr_file (getattr))) + (allow guix_daemon_t + random_device_t + (chr_file (getattr))) + (allow guix_daemon_t + devtty_t + (chr_file (getattr))) + + ;; Access to store items + (allow guix_daemon_t + guix_store_content_t + (dir (reparent + create + getattr setattr + search rename + add_name remove_name + open write + rmdir))) + (allow guix_daemon_t + guix_store_content_t + (file (create + lock + setattr getattr + execute execute_no_trans + link unlink + map + rename + open read write))) + (allow guix_daemon_t + guix_store_content_t + (lnk_file (create + getattr setattr + link unlink + read + rename))) + + ;; Access to configuration files and directories + (allow guix_daemon_t + guix_daemon_conf_t + (dir (search + setattr getattr + add_name remove_name + open read write))) + (allow guix_daemon_t + guix_daemon_conf_t + (file (create + lock + map + getattr setattr + unlink + open read write))) + (allow guix_daemon_t + guix_daemon_conf_t + (lnk_file (create getattr rename unlink))) + + ;; Access to profiles + (allow guix_daemon_t + guix_profiles_t + (dir (getattr setattr read open))) + (allow guix_daemon_t + guix_profiles_t + (lnk_file (read getattr))) + + ;; Access to profile links in the home directory + ;; TODO: allow access to profile links *anywhere* on the filesystem + (allow guix_daemon_t + user_home_t + (lnk_file (read getattr))) + (allow guix_daemon_t + user_home_t + (dir (search))) + + ;; Socket operations + (allow guix_daemon_t + init_t + (fd (use))) + (allow guix_daemon_t + init_t + (unix_stream_socket (write))) + (allow guix_daemon_t + guix_daemon_conf_t + (unix_stream_socket (listen))) + (allow guix_daemon_t + guix_daemon_conf_t + (sock_file (create unlink))) + (allow guix_daemon_t + self + (unix_stream_socket (create + read write + connect bind accept + getopt setopt))) + (allow guix_daemon_t + self + (fifo_file (write read))) + (allow guix_daemon_t + self + (udp_socket (ioctl create))) + + ;; Label file system + (filecon "@guix_sysconfdir@/guix(/.*)?" + any (system_u object_r guix_daemon_conf_t (low low))) + (filecon "@guix_localstatedir@/guix(/.*)?" + any (system_u object_r guix_daemon_conf_t (low low))) + (filecon "@guix_localstatedir@/guix/profiles(/.*)?" + any (system_u object_r guix_profiles_t (low low))) + (filecon "/gnu" + dir (unconfined_u object_r guix_store_content_t (low low))) + (filecon "@storedir@(/.+)?" + any (unconfined_u object_r guix_store_content_t (low low))) + (filecon "@storedir@/[^/]+/.+" + any (unconfined_u object_r guix_store_content_t (low low))) + (filecon "@prefix@/bin/guix-daemon" + file (system_u object_r guix_daemon_exec_t (low low))) + (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon" + file (system_u object_r guix_daemon_exec_t (low low))) + (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate" + file (system_u object_r guix_daemon_exec_t (low low))) + (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?" + any (system_u object_r guix_daemon_exec_t (low low))) + (filecon "@guix_localstatedir@/guix/daemon-socket/socket" + any (system_u object_r guix_daemon_socket_t (low low)))) -- cgit v1.2.3