aboutsummaryrefslogtreecommitdiff
path: root/etc
diff options
context:
space:
mode:
Diffstat (limited to 'etc')
-rw-r--r--etc/guix-daemon.cil.in285
1 files changed, 285 insertions, 0 deletions
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
new file mode 100644
index 0000000000..c0c82d8fbb
--- /dev/null
+++ b/etc/guix-daemon.cil.in
@@ -0,0 +1,285 @@
+; -*- lisp -*-
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+;; This is a specification for SELinux 2.7 written in the SELinux Common
+;; Intermediate Language (CIL). It refers to types that must be defined in
+;; the system's base policy.
+
+(block guix_daemon
+ ;; Require existing types
+ (typeattributeset cil_gen_require init_t)
+ (typeattributeset cil_gen_require tmp_t)
+ (typeattributeset cil_gen_require nscd_var_run_t)
+ (typeattributeset cil_gen_require var_log_t)
+ (typeattributeset cil_gen_require domain)
+
+ ;; Declare own types
+ (type guix_daemon_t)
+ (roletype object_r guix_daemon_t)
+ (type guix_daemon_conf_t)
+ (roletype object_r guix_daemon_conf_t)
+ (type guix_daemon_exec_t)
+ (roletype object_r guix_daemon_exec_t)
+ (type guix_daemon_socket_t)
+ (roletype object_r guix_daemon_socket_t)
+ (type guix_store_content_t)
+ (roletype object_r guix_store_content_t)
+ (type guix_profiles_t)
+ (roletype object_r guix_profiles_t)
+
+ ;; These types are domains, thereby allowing process rules
+ (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
+
+ (level low (s0))
+
+ ;; When a process in init_t or guix_store_content_t spawns a
+ ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
+ (typetransition init_t guix_daemon_exec_t
+ process guix_daemon_t)
+ (typetransition guix_store_content_t guix_daemon_exec_t
+ process guix_daemon_t)
+
+ ;; Permit communication with NSCD
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (file (map read)))
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (dir (search)))
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (sock_file (write)))
+ (allow guix_daemon_t
+ nscd_t
+ (fd (use)))
+ (allow guix_daemon_t
+ nscd_t
+ (unix_stream_socket (connectto)))
+
+ ;; Permit logging and temp file access
+ (allow guix_daemon_t
+ tmp_t
+ (lnk_file (setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (dir (create
+ rmdir
+ add_name remove_name
+ open read write
+ getattr setattr
+ search)))
+ (allow guix_daemon_t
+ var_log_t
+ (file (create getattr open write)))
+ (allow guix_daemon_t
+ var_log_t
+ (dir (getattr write add_name)))
+ (allow guix_daemon_t
+ var_run_t
+ (lnk_file (read)))
+ (allow guix_daemon_t
+ var_run_t
+ (dir (search)))
+
+ ;; Spawning processes, execute helpers
+ (allow guix_daemon_t
+ self
+ (process (fork)))
+ (allow guix_daemon_t
+ guix_daemon_exec_t
+ (file (execute execute_no_trans read open)))
+
+ ;; TODO: unknown
+ (allow guix_daemon_t
+ root_t
+ (dir (mounton)))
+ (allow guix_daemon_t
+ fs_t
+ (filesystem (getattr)))
+ (allow guix_daemon_conf_t
+ fs_t
+ (filesystem (associate)))
+
+ ;; Build isolation
+ (allow guix_daemon_t
+ guix_store_content_t
+ (file (mounton)))
+ (allow guix_store_content_t
+ fs_t
+ (filesystem (associate)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (dir (mounton)))
+ (allow guix_daemon_t
+ guix_daemon_t
+ (capability (net_admin
+ fsetid fowner
+ chown setuid setgid
+ dac_override dac_read_search
+ sys_chroot)))
+ (allow guix_daemon_t
+ fs_t
+ (filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ devpts_t
+ (chr_file (setattr getattr)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (dir (getattr)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ null_device_t
+ (chr_file (getattr open read write)))
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ zero_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ urandom_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ devtty_t
+ (chr_file (getattr)))
+
+ ;; Access to store items
+ (allow guix_daemon_t
+ guix_store_content_t
+ (dir (reparent
+ create
+ getattr setattr
+ search rename
+ add_name remove_name
+ open write
+ rmdir)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (file (create
+ lock
+ setattr getattr
+ execute execute_no_trans
+ link unlink
+ map
+ rename
+ open read write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (lnk_file (create
+ getattr setattr
+ link unlink
+ read
+ rename)))
+
+ ;; Access to configuration files and directories
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (dir (search
+ setattr getattr
+ add_name remove_name
+ open read write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (file (create
+ lock
+ map
+ getattr setattr
+ unlink
+ open read write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (lnk_file (create getattr rename unlink)))
+
+ ;; Access to profiles
+ (allow guix_daemon_t
+ guix_profiles_t
+ (dir (getattr setattr read open)))
+ (allow guix_daemon_t
+ guix_profiles_t
+ (lnk_file (read getattr)))
+
+ ;; Access to profile links in the home directory
+ ;; TODO: allow access to profile links *anywhere* on the filesystem
+ (allow guix_daemon_t
+ user_home_t
+ (lnk_file (read getattr)))
+ (allow guix_daemon_t
+ user_home_t
+ (dir (search)))
+
+ ;; Socket operations
+ (allow guix_daemon_t
+ init_t
+ (fd (use)))
+ (allow guix_daemon_t
+ init_t
+ (unix_stream_socket (write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (unix_stream_socket (listen)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (sock_file (create unlink)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (create
+ read write
+ connect bind accept
+ getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (fifo_file (write read)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (ioctl create)))
+
+ ;; Label file system
+ (filecon "@guix_sysconfdir@/guix(/.*)?"
+ any (system_u object_r guix_daemon_conf_t (low low)))
+ (filecon "@guix_localstatedir@/guix(/.*)?"
+ any (system_u object_r guix_daemon_conf_t (low low)))
+ (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
+ any (system_u object_r guix_profiles_t (low low)))
+ (filecon "/gnu"
+ dir (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@storedir@(/.+)?"
+ any (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@storedir@/[^/]+/.+"
+ any (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@prefix@/bin/guix-daemon"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
+ any (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
+ any (system_u object_r guix_daemon_socket_t (low low))))