1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
|
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018, 2022 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; This is a specification for SELinux 2.7 written in the SELinux Common
;; Intermediate Language (CIL). It refers to types that must be defined in
;; the system's base policy.
;; If you, like me, need advice about fixing an SELinux policy, I recommend
;; reading https://danwalsh.livejournal.com/55324.html
;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
;; to allow guix-daemon to do whatever it wants. SELinux will still check its
;; permissions, and when it doesn't have permission it will still send an
;; audit message to your system logs. This lets you know what permissions it
;; ought to have. Use ausearch --raw to find the permissions violations, then
;; pipe that to audit2allow to generate an updated policy. You'll still need
;; to translate that policy into CIL in order to update this file, but that's
;; fairly straight-forward. Annoying, but easy.
(block guix_daemon
;; Require existing types
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require init_var_run_t)
(typeattributeset cil_gen_require nscd_var_run_t)
(typeattributeset cil_gen_require system_dbusd_var_run_t)
(typeattributeset cil_gen_require tmp_t)
(typeattributeset cil_gen_require var_log_t)
;; Declare own types
(type guix_daemon_t)
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
(typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
(typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
(typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
(typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
(typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
(level low (s0))
;; When a process in init_t or guix_store_content_t spawns a
;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
(typetransition init_t guix_daemon_exec_t
process guix_daemon_t)
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
(roletype system_r guix_daemon_t)
;; allow init_t to read and execute guix files
(allow init_t
guix_profiles_t
(lnk_file (read)))
(allow init_t
guix_daemon_exec_t
(file (execute)))
(allow init_t
guix_daemon_t
(process (transition)))
(allow init_t
guix_store_content_t
(lnk_file (read)))
(allow init_t
guix_store_content_t
(file (open read execute)))
;; guix-daemon needs to know the names of users
(allow guix_daemon_t
passwd_file_t
(file (getattr open read)))
;; Permit communication with NSCD
(allow guix_daemon_t
nscd_var_run_t
(file (map read)))
(allow guix_daemon_t
nscd_var_run_t
(dir (search)))
(allow guix_daemon_t
nscd_var_run_t
(sock_file (write)))
(allow guix_daemon_t
nscd_t
(fd (use)))
(allow guix_daemon_t
nscd_t
(unix_stream_socket (connectto)))
(allow guix_daemon_t nscd_t
(nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
;; permit downloading packages via HTTP(s)
(allow guix_daemon_t http_port_t
(tcp_socket (name_connect)))
(allow guix_daemon_t ftp_port_t
(tcp_socket (name_connect)))
(allow guix_daemon_t ephemeral_port_t
(tcp_socket (name_connect)))
;; Permit logging and temp file access
(allow guix_daemon_t
tmp_t
(lnk_file (create rename setattr unlink)))
(allow guix_daemon_t
tmp_t
(file (link
rename create execute execute_no_trans write
unlink setattr map relabelto relabelfrom)))
(allow guix_daemon_t
tmp_t
(fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
(dir (create rename
rmdir relabelto relabelfrom reparent
add_name remove_name
open read write
getattr setattr
search)))
(allow guix_daemon_t
tmp_t
(sock_file (create getattr setattr unlink write)))
(allow guix_daemon_t
var_log_t
(file (create getattr open write)))
(allow guix_daemon_t
var_log_t
(dir (getattr create write add_name)))
(allow guix_daemon_t
var_run_t
(lnk_file (read)))
(allow guix_daemon_t
var_run_t
(dir (search)))
;; Spawning processes, execute helpers
(allow guix_daemon_t
self
(process (fork execmem setrlimit setpgid setsched)))
(allow guix_daemon_t
guix_daemon_exec_t
(file (execute
execute_no_trans read write open entrypoint map
getattr link unlink)))
;; TODO: unknown
(allow guix_daemon_t
root_t
(dir (mounton)))
(allow guix_daemon_t
fs_t
(filesystem (getattr)))
(allow guix_daemon_conf_t
fs_t
(filesystem (associate)))
;; Build isolation
(allow guix_daemon_t
guix_store_content_t
(file (ioctl mounton)))
(allow guix_store_content_t
fs_t
(filesystem (associate)))
(allow guix_daemon_t
guix_store_content_t
(dir (read mounton)))
(allow guix_daemon_t
guix_daemon_t
(capability (net_admin
fsetid fowner
chown setuid setgid
dac_override dac_read_search
sys_chroot
sys_admin)))
(allow guix_daemon_t
fs_t
(filesystem (unmount)))
(allow guix_daemon_t
devpts_t
(dir (search)))
(allow guix_daemon_t
devpts_t
(filesystem (mount)))
(allow guix_daemon_t
devpts_t
(chr_file (ioctl open read write setattr getattr)))
(allow guix_daemon_t
tmpfs_t
(filesystem (getattr mount)))
(allow guix_daemon_t
tmpfs_t
(file (create open read unlink write)))
(allow guix_daemon_t
tmpfs_t
(dir (getattr add_name remove_name write)))
(allow guix_daemon_t
proc_t
(file (getattr open read)))
(allow guix_daemon_t
proc_t
(dir (read)))
(allow guix_daemon_t
proc_t
(filesystem (associate mount)))
(allow guix_daemon_t
null_device_t
(chr_file (getattr open read write)))
(allow guix_daemon_t
kvm_device_t
(chr_file (getattr)))
(allow guix_daemon_t
zero_device_t
(chr_file (getattr)))
(allow guix_daemon_t
urandom_device_t
(chr_file (getattr)))
(allow guix_daemon_t
random_device_t
(chr_file (getattr)))
(allow guix_daemon_t
devtty_t
(chr_file (getattr)))
;; Access to store items
(allow guix_daemon_t
guix_store_content_t
(dir (reparent
create
getattr setattr
search rename
add_name remove_name
open write
rmdir relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(file (create
lock
setattr getattr
execute execute_no_trans
link unlink
map
rename
append
open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
getattr setattr
link unlink
read
rename)))
(allow guix_daemon_t
guix_store_content_t
(fifo_file (create getattr open read unlink write)))
(allow guix_daemon_t
guix_store_content_t
(sock_file (create getattr setattr unlink write)))
;; Access to run state directories
(allow guix_daemon_t
system_dbusd_var_run_t
(dir (search)))
(allow guix_daemon_t
init_var_run_t
(dir (search)))
;; Access to configuration files and directories
(allow guix_daemon_t
guix_daemon_conf_t
(dir (search create
setattr getattr
add_name remove_name
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
(file (create rename
lock
map
getattr setattr
unlink
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
(lnk_file (create getattr rename unlink read)))
(allow guix_daemon_t net_conf_t
(file (getattr open read)))
(allow guix_daemon_t net_conf_t
(lnk_file (read)))
(allow guix_daemon_t NetworkManager_var_run_t
(dir (search)))
;; Access to profiles
(allow guix_daemon_t
guix_profiles_t
(dir (search getattr setattr read write open create add_name)))
(allow guix_daemon_t
guix_profiles_t
(lnk_file (read getattr)))
;; Access to profile links in the home directory
;; TODO: allow access to profile links *anywhere* on the filesystem
(allow guix_daemon_t
user_home_t
(lnk_file (read getattr)))
(allow guix_daemon_t
user_home_t
(dir (search)))
(allow guix_daemon_t
cache_home_t
(dir (search)))
(allow guix_daemon_t
cache_home_t
(lnk_file (getattr read)))
;; self upgrades
(allow guix_daemon_t
self
(dir (add_name write)))
(allow guix_daemon_t
self
(netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
;; Socket operations
(allow guix_daemon_t
guix_daemon_socket_t
(sock_file (unlink write)))
(allow guix_daemon_t
init_t
(fd (use)))
(allow guix_daemon_t
init_t
(unix_stream_socket (write)))
(allow guix_daemon_t
guix_daemon_conf_t
(unix_stream_socket (listen)))
(allow guix_daemon_t
guix_daemon_conf_t
(sock_file (create unlink write)))
(allow guix_daemon_t
self
(unix_stream_socket (create
read write
connect bind accept
getopt setopt)))
(allow guix_daemon_t
self
(tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
(allow guix_daemon_t
unreserved_port_t
(tcp_socket (name_bind name_connect accept listen)))
(allow guix_daemon_t
self
(udp_socket (connect getattr bind getopt setopt read write)))
(allow guix_daemon_t
self
(fifo_file (write read)))
(allow guix_daemon_t
self
(udp_socket (ioctl create)))
(allow guix_daemon_t
self
(unix_stream_socket (connectto)))
(allow guix_daemon_t
self
(unix_dgram_socket (create bind connect sendto read write)))
;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
(allow guix_daemon_t
self
(capability (kill)))
(allow guix_daemon_t
node_t
(tcp_socket (node_bind)))
(allow guix_daemon_t
node_t
(udp_socket (node_bind)))
(allow guix_daemon_t
port_t
(tcp_socket (name_connect)))
(allow guix_daemon_t
tmpfs_t
(file (map read write link getattr)))
(allow guix_daemon_t
usermodehelper_t
(file (read)))
(allow guix_daemon_t
hugetlbfs_t
(file (map read write)))
(allow guix_daemon_t
proc_net_t
(file (read)))
(allow guix_daemon_t
postgresql_port_t
(tcp_socket (name_connect name_bind)))
(allow guix_daemon_t
rtp_media_port_t
(udp_socket (name_bind)))
(allow guix_daemon_t
vnc_port_t
(tcp_socket (name_bind)))
;; I guess sometimes it needs random numbers
(allow guix_daemon_t
random_device_t
(chr_file (read)))
;; guix system vm
(allow guix_daemon_t
kvm_device_t
(chr_file (ioctl open read write)))
(allow guix_daemon_t
kernel_t
(system (ipc_info)))
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
(filecon "@guix_localstatedir@/guix(/.*)?"
any (system_u object_r guix_daemon_conf_t (low low)))
(filecon "@guix_localstatedir@/guix/profiles(/.*)?"
any (system_u object_r guix_profiles_t (low low)))
(filecon "/gnu"
dir (unconfined_u object_r guix_store_content_t (low low)))
(filecon "@storedir@(/.+)?"
any (unconfined_u object_r guix_store_content_t (low low)))
(filecon "@storedir@/[^/]+/.+"
any (unconfined_u object_r guix_store_content_t (low low)))
(filecon "@prefix@/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@guix_localstatedir@/guix/profiles/per-user/[^/]+/current-guix/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@storedir@/[a-z0-9]+-guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@guix_localstatedir@/guix/daemon-socket/socket"
any (system_u object_r guix_daemon_socket_t (low low))))
|