etc: Updates for the guix-daemon SELinux policy.

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.

Signed-off-by: Marius Bakke <marius@gnu.org>

etc/guix-daemon.cil.in

@@ -1,6 +1,8 @@
 ; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,6 +23,18 @@
 ;; Intermediate Language (CIL).  It refers to types that must be defined in
 ;; the system's base policy.
 
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
 (block guix_daemon
   ;; Require existing types
   (typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
   (roletype object_r guix_daemon_t)
   (type guix_daemon_conf_t)
   (roletype object_r guix_daemon_conf_t)
+  (typeattributeset file_type guix_daemon_conf_t)
   (type guix_daemon_exec_t)
   (roletype object_r guix_daemon_exec_t)
+  (typeattributeset file_type guix_daemon_exec_t)
   (type guix_daemon_socket_t)
   (roletype object_r guix_daemon_socket_t)
+  (typeattributeset file_type guix_daemon_socket_t)
   (type guix_store_content_t)
   (roletype object_r guix_store_content_t)
+  (typeattributeset file_type guix_store_content_t)
   (type guix_profiles_t)
   (roletype object_r guix_profiles_t)
+  (typeattributeset file_type guix_profiles_t)
 
   ;; These types are domains, thereby allowing process rules
   (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@
   (typetransition guix_store_content_t guix_daemon_exec_t
                   process guix_daemon_t)
 
+  (roletype system_r guix_daemon_t)
+
+  ;; allow init_t to read and execute guix files
+  (allow init_t
+         guix_profiles_t
+         (lnk_file (read)))
+  (allow init_t
+         guix_daemon_exec_t
+         (file (execute)))
+  (allow init_t
+         guix_daemon_t
+         (process (transition)))
+  (allow init_t
+         guix_store_content_t
+         (lnk_file (read)))
+  (allow init_t
+         guix_store_content_t
+         (file (open read execute)))
+
+  ;; guix-daemon needs to know the names of users
+  (allow guix_daemon_t
+         passwd_file_t
+         (file (getattr open read)))
+
   ;; Permit communication with NSCD
   (allow guix_daemon_t
          nscd_var_run_t
@@ -71,25 +114,44 @@
   (allow guix_daemon_t
          nscd_t
          (unix_stream_socket (connectto)))
+  (allow guix_daemon_t nscd_t
+         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+  ;; permit downloading packages via HTTP(s)
+  (allow guix_daemon_t http_port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t ftp_port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t ephemeral_port_t
+         (tcp_socket (name_connect)))
 
   ;; Permit logging and temp file access
   (allow guix_daemon_t
          tmp_t
-         (lnk_file (setattr unlink)))
+         (lnk_file (create rename setattr unlink)))
   (allow guix_daemon_t
          tmp_t
-         (dir (create
+         (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
-               rmdir
+  (allow guix_daemon_t
+         tmp_t
+         (fifo_file (open read write create getattr ioctl setattr unlink)))
+  (allow guix_daemon_t
+         tmp_t
+         (dir (create rename
+               rmdir relabelto
                add_name remove_name
                open read write
                getattr setattr
                search)))
+  (allow guix_daemon_t
+         tmp_t
+         (sock_file (create getattr setattr unlink write)))
   (allow guix_daemon_t
          var_log_t
          (file (create getattr open write)))
   (allow guix_daemon_t
          var_log_t
-         (dir (getattr write add_name)))
+         (dir (getattr create write add_name)))
   (allow guix_daemon_t
          var_run_t
          (lnk_file (read)))
@@ -100,10 +162,10 @@
   ;; Spawning processes, execute helpers
   (allow guix_daemon_t
          self
-         (process (fork)))
+         (process (fork execmem setrlimit setpgid setsched)))
   (allow guix_daemon_t
          guix_daemon_exec_t
-         (file (execute execute_no_trans read open)))
+         (file (execute execute_no_trans read open entrypoint map)))
 
   ;; TODO: unknown
   (allow guix_daemon_t
@@ -119,38 +181,51 @@
   ;; Build isolation
   (allow guix_daemon_t
          guix_store_content_t
-         (file (mounton)))
+         (file (ioctl mounton)))
   (allow guix_store_content_t
          fs_t
          (filesystem (associate)))
   (allow guix_daemon_t
          guix_store_content_t
-         (dir (mounton)))
+         (dir (read mounton)))
   (allow guix_daemon_t
          guix_daemon_t
          (capability (net_admin
                       fsetid fowner
                       chown setuid setgid
                       dac_override dac_read_search
-                      sys_chroot)))
+                      sys_chroot
+                      sys_admin)))
   (allow guix_daemon_t
          fs_t
          (filesystem (unmount)))
+  (allow guix_daemon_t
+         devpts_t
+         (dir (search)))
   (allow guix_daemon_t
          devpts_t
          (filesystem (mount)))
   (allow guix_daemon_t
          devpts_t
-         (chr_file (setattr getattr)))
+         (chr_file (ioctl open read write setattr getattr)))
   (allow guix_daemon_t
          tmpfs_t
-         (filesystem (mount)))
+         (filesystem (getattr mount)))
   (allow guix_daemon_t
          tmpfs_t
-         (dir (getattr)))
+         (file (create open read unlink write)))
+  (allow guix_daemon_t
+         tmpfs_t
+         (dir (getattr add_name remove_name write)))
   (allow guix_daemon_t
          proc_t
-         (filesystem (mount)))
+         (file (getattr open read)))
+  (allow guix_daemon_t
+         proc_t
+         (dir (read)))
+  (allow guix_daemon_t
+         proc_t
+         (filesystem (associate mount)))
   (allow guix_daemon_t
          null_device_t
          (chr_file (getattr open read write)))
@@ -179,7 +254,7 @@
                search rename
                add_name remove_name
                open write
-               rmdir)))
+               rmdir relabelfrom)))
   (allow guix_daemon_t
          guix_store_content_t
          (file (create
@@ -189,7 +264,7 @@
                 link unlink
                 map
                 rename
-                open read write)))
+                open read write relabelfrom)))
   (allow guix_daemon_t
          guix_store_content_t
          (lnk_file (create
@@ -197,17 +272,23 @@
                     link unlink
                     read
                     rename)))
+  (allow guix_daemon_t
+         guix_store_content_t
+         (fifo_file (create getattr open read unlink write)))
+  (allow guix_daemon_t
+         guix_store_content_t
+         (sock_file (create getattr unlink write)))
 
   ;; Access to configuration files and directories
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (dir (search
+         (dir (search create
                setattr getattr
                add_name remove_name
                open read write)))
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (file (create
+         (file (create rename
                 lock
                 map
                 getattr setattr
@@ -216,11 +297,17 @@
   (allow guix_daemon_t
          guix_daemon_conf_t
          (lnk_file (create getattr rename unlink)))
+  (allow guix_daemon_t net_conf_t
+         (file (getattr open read)))
+  (allow guix_daemon_t net_conf_t
+         (lnk_file (read)))
+  (allow guix_daemon_t NetworkManager_var_run_t
+         (dir (search)))
 
   ;; Access to profiles
   (allow guix_daemon_t
          guix_profiles_t
-         (dir (getattr setattr read open)))
+         (dir (search getattr setattr read write open create add_name)))
   (allow guix_daemon_t
          guix_profiles_t
          (lnk_file (read getattr)))
@@ -233,8 +320,22 @@
   (allow guix_daemon_t
          user_home_t
          (dir (search)))
+  (allow guix_daemon_t
+         cache_home_t
+         (dir (search)))
+
+  ;; self upgrades
+  (allow guix_daemon_t
+         self
+         (dir (add_name write)))
+  (allow guix_daemon_t
+         self
+         (netlink_route_socket (bind create getattr nlmsg_read read write)))
 
   ;; Socket operations
+  (allow guix_daemon_t
+         guix_daemon_socket_t
+         (sock_file (unlink)))
   (allow guix_daemon_t
          init_t
          (fd (use)))
@@ -253,12 +354,53 @@
                               read write
                               connect bind accept
                               getopt setopt)))
+  (allow guix_daemon_t
+         self
+         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+  (allow guix_daemon_t
+         unreserved_port_t
+         (tcp_socket (name_bind name_connect accept listen)))
+  (allow guix_daemon_t
+         self
+         (udp_socket (connect getattr bind getopt setopt)))
   (allow guix_daemon_t
          self
          (fifo_file (write read)))
   (allow guix_daemon_t
          self
          (udp_socket (ioctl create)))
+  (allow guix_daemon_t
+         self
+         (unix_stream_socket (connectto)))
+
+  (allow guix_daemon_t
+         node_t
+         (tcp_socket (node_bind)))
+  (allow guix_daemon_t
+         node_t
+         (udp_socket (node_bind)))
+  (allow guix_daemon_t
+         port_t
+         (tcp_socket (name_connect)))
+  (allow guix_daemon_t
+         rtp_media_port_t
+         (udp_socket (name_bind)))
+  (allow guix_daemon_t
+         vnc_port_t
+         (tcp_socket (name_bind)))
+
+  ;; I guess sometimes it needs random numbers
+  (allow guix_daemon_t
+         random_device_t
+         (chr_file (read)))
+
+  ;; guix system vm
+  (allow guix_daemon_t
+         kvm_device_t
+         (chr_file (ioctl open read write)))
+  (allow guix_daemon_t
+         kernel_t
+         (system (ipc_info)))
 
   ;; Label file system
   (filecon "@guix_sysconfdir@/guix(/.*)?"
@@ -277,5 +419,7 @@
            file (system_u object_r guix_daemon_exec_t (low low)))
   (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
            file (system_u object_r guix_daemon_exec_t (low low)))
+  (filecon "@storedir@/[a-z0-9]+-guix-daemon"
+           file (system_u object_r guix_daemon_exec_t (low low)))
   (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
            any (system_u object_r guix_daemon_socket_t (low low))))