etc: Updates for the guix-daemon SELinux policy.
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for guix-daemon to account for daemon updates and newer SELinux. I can't promise that this is a complete list of everything that guix-daemon needs, but it's probably most of them. It can search for, install, upgrade, and remove packages, create virtual machines and containers, update itself, and so on. Signed-off-by: Marius Bakke <marius@gnu.org>
parent
c6e8f40f2c
commit
62343288ef
1 changed files with 162 additions and 18 deletions
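--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@
 ; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,6 +23,18 @@
 ;; Intermediate Language (CIL). It refers to types that must be defined in
 ;; the system's base policy.
 
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
 (block guix_daemon
 ;; Require existing types
 (typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
 (roletype object_r guix_daemon_t)
 (type guix_daemon_conf_t)
 (roletype object_r guix_daemon_conf_t)
+(typeattributeset file_type guix_daemon_conf_t)
 (type guix_daemon_exec_t)
 (roletype object_r guix_daemon_exec_t)
+(typeattributeset file_type guix_daemon_exec_t)
 (type guix_daemon_socket_t)
 (roletype object_r guix_daemon_socket_t)
+(typeattributeset file_type guix_daemon_socket_t)
 (type guix_store_content_t)
 (roletype object_r guix_store_content_t)
+(typeattributeset file_type guix_store_content_t)
 (type guix_profiles_t)
 (roletype object_r guix_profiles_t)
+(typeattributeset file_type guix_profiles_t)
 
 ;; These types are domains, thereby allowing process rules
 (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@
 (typetransition guix_store_content_t guix_daemon_exec_t
 process guix_daemon_t)
 
+(roletype system_r guix_daemon_t)
+
+;; allow init_t to read and execute guix files
+(allow init_t
+guix_profiles_t
+(lnk_file (read)))
+(allow init_t
+guix_daemon_exec_t
+(file (execute)))
+(allow init_t
+guix_daemon_t
+(process (transition)))
+(allow init_t
+guix_store_content_t
+(lnk_file (read)))
+(allow init_t
+guix_store_content_t
+(file (open read execute)))
+
+;; guix-daemon needs to know the names of users
+(allow guix_daemon_t
+passwd_file_t
+(file (getattr open read)))
+
 ;; Permit communication with NSCD
 (allow guix_daemon_t
 nscd_var_run_t
@@ -71,25 +114,44 @@
 (allow guix_daemon_t
 nscd_t
 (unix_stream_socket (connectto)))
+(allow guix_daemon_t nscd_t
+(nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+;; permit downloading packages via HTTP(s)
+(allow guix_daemon_t http_port_t
+(tcp_socket (name_connect)))
+(allow guix_daemon_t ftp_port_t
+(tcp_socket (name_connect)))
+(allow guix_daemon_t ephemeral_port_t
+(tcp_socket (name_connect)))
 
 ;; Permit logging and temp file access
 (allow guix_daemon_t
 tmp_t
-(lnk_file (setattr unlink)))
+(lnk_file (create rename setattr unlink)))
 (allow guix_daemon_t
 tmp_t
-(dir (create
-rmdir
+(file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+(allow guix_daemon_t
+tmp_t
+(fifo_file (open read write create getattr ioctl setattr unlink)))
+(allow guix_daemon_t
+tmp_t
+(dir (create rename
+rmdir relabelto
 add_name remove_name
 open read write
 getattr setattr
 search)))
+(allow guix_daemon_t
+tmp_t
+(sock_file (create getattr setattr unlink write)))
 (allow guix_daemon_t
 var_log_t
 (file (create getattr open write)))
 (allow guix_daemon_t
 var_log_t
-(dir (getattr write add_name)))
+(dir (getattr create write add_name)))
 (allow guix_daemon_t
 var_run_t
 (lnk_file (read)))
@@ -100,10 +162,10 @@
 ;; Spawning processes, execute helpers
 (allow guix_daemon_t
 self
-(process (fork)))
+(process (fork execmem setrlimit setpgid setsched)))
 (allow guix_daemon_t
 guix_daemon_exec_t
-(file (execute execute_no_trans read open)))
+(file (execute execute_no_trans read open entrypoint map)))
 
 ;; TODO: unknown
 (allow guix_daemon_t
@@ -119,38 +181,51 @@
 ;; Build isolation
 (allow guix_daemon_t
 guix_store_content_t
-(file (mounton)))
+(file (ioctl mounton)))
 (allow guix_store_content_t
 fs_t
 (filesystem (associate)))
 (allow guix_daemon_t
 guix_store_content_t
-(dir (mounton)))
+(dir (read mounton)))
 (allow guix_daemon_t
 guix_daemon_t
 (capability (net_admin
 fsetid fowner
 chown setuid setgid
 dac_override dac_read_search
-sys_chroot)))
+sys_chroot
+sys_admin)))
 (allow guix_daemon_t
 fs_t
 (filesystem (unmount)))
+(allow guix_daemon_t
+devpts_t
+(dir (search)))
 (allow guix_daemon_t
 devpts_t
 (filesystem (mount)))
 (allow guix_daemon_t
 devpts_t
-(chr_file (setattr getattr)))
+(chr_file (ioctl open read write setattr getattr)))
 (allow guix_daemon_t
 tmpfs_t
-(filesystem (mount)))
+(filesystem (getattr mount)))
 (allow guix_daemon_t
 tmpfs_t
-(dir (getattr)))
+(file (create open read unlink write)))
+(allow guix_daemon_t
+tmpfs_t
+(dir (getattr add_name remove_name write)))
 (allow guix_daemon_t
 proc_t
-(filesystem (mount)))
+(file (getattr open read)))
+(allow guix_daemon_t
+proc_t
+(dir (read)))
+(allow guix_daemon_t
+proc_t
+(filesystem (associate mount)))
 (allow guix_daemon_t
 null_device_t
 (chr_file (getattr open read write)))
@@ -179,7 +254,7 @@
 search rename
 add_name remove_name
 open write
-rmdir)))
+rmdir relabelfrom)))
 (allow guix_daemon_t
 guix_store_content_t
 (file (create
@@ -189,7 +264,7 @@
 link unlink
 map
 rename
-open read write)))
+open read write relabelfrom)))
 (allow guix_daemon_t
 guix_store_content_t
 (lnk_file (create
@@ -197,17 +272,23 @@
 link unlink
 read
 rename)))
+(allow guix_daemon_t
+guix_store_content_t
+(fifo_file (create getattr open read unlink write)))
+(allow guix_daemon_t
+guix_store_content_t
+(sock_file (create getattr unlink write)))
 
 ;; Access to configuration files and directories
 (allow guix_daemon_t
 guix_daemon_conf_t
-(dir (search
+(dir (search create
 setattr getattr
 add_name remove_name
 open read write)))
 (allow guix_daemon_t
 guix_daemon_conf_t
-(file (create
+(file (create rename
 lock
 map
 getattr setattr
@@ -216,11 +297,17 @@
 (allow guix_daemon_t
 guix_daemon_conf_t
 (lnk_file (create getattr rename unlink)))
+(allow guix_daemon_t net_conf_t
+(file (getattr open read)))
+(allow guix_daemon_t net_conf_t
+(lnk_file (read)))
+(allow guix_daemon_t NetworkManager_var_run_t
+(dir (search)))
 
 ;; Access to profiles
 (allow guix_daemon_t
 guix_profiles_t
-(dir (getattr setattr read open)))
+(dir (search getattr setattr read write open create add_name)))
 (allow guix_daemon_t
 guix_profiles_t
 (lnk_file (read getattr)))
@@ -233,8 +320,22 @@
 (allow guix_daemon_t
 user_home_t
 (dir (search)))
+(allow guix_daemon_t
+cache_home_t
+(dir (search)))
+
+;; self upgrades
+(allow guix_daemon_t
+self
+(dir (add_name write)))
+(allow guix_daemon_t
+self
+(netlink_route_socket (bind create getattr nlmsg_read read write)))
 
 ;; Socket operations
+(allow guix_daemon_t
+guix_daemon_socket_t
+(sock_file (unlink)))
 (allow guix_daemon_t
 init_t
 (fd (use)))
@@ -253,12 +354,53 @@
 read write
 connect bind accept
 getopt setopt)))
+(allow guix_daemon_t
+self
+(tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+(allow guix_daemon_t
+unreserved_port_t
+(tcp_socket (name_bind name_connect accept listen)))
+(allow guix_daemon_t
+self
+(udp_socket (connect getattr bind getopt setopt)))
 (allow guix_daemon_t
 self
 (fifo_file (write read)))
 (allow guix_daemon_t
 self
 (udp_socket (ioctl create)))
+(allow guix_daemon_t
+self
+(unix_stream_socket (connectto)))
+
+(allow guix_daemon_t
+node_t
+(tcp_socket (node_bind)))
+(allow guix_daemon_t
+node_t
+(udp_socket (node_bind)))
+(allow guix_daemon_t
+port_t
+(tcp_socket (name_connect)))
+(allow guix_daemon_t
+rtp_media_port_t
+(udp_socket (name_bind)))
+(allow guix_daemon_t
+vnc_port_t
+(tcp_socket (name_bind)))
+
+;; I guess sometimes it needs random numbers
+(allow guix_daemon_t
+random_device_t
+(chr_file (read)))
+
+;; guix system vm
+(allow guix_daemon_t
+kvm_device_t
+(chr_file (ioctl open read write)))
+(allow guix_daemon_t
+kernel_t
+(system (ipc_info)))
 
 ;; Label file system
 (filecon "@guix_sysconfdir@/guix(/.*)?"
@@ -277,5 +419,7 @@
 file (system_u object_r guix_daemon_exec_t (low low)))
 (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
 file (system_u object_r guix_daemon_exec_t (low low)))
+(filecon "@storedir@/[a-z0-9]+-guix-daemon"
+file (system_u object_r guix_daemon_exec_t (low low)))
 (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
 any (system_u object_r guix_daemon_socket_t (low low))))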
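Review bot: The `sys_admin` capability added to the guix_daemon_t capability list in the `@@ -119,38 +181,51 @@` hunk is the broadest grant in this policy and carries no comment on which daemon operation requires it, so a later maintainer cannot tell when it could be dropped again; a comment next to it such as `;; sys_admin: needed for <OPERATION — fill in from the audit log>; re-check with ausearch after each daemon update` would record that. The same gap applies to `execmem` on self in the `@@ -100,10 +162,10 @@` hunk and to `execute execute_no_trans` on tmp_t files in the `@@ -71,25 +114,44 @@` hunk, which lets the daemon domain run files labelled tmp_t without a domain transition and so deserves a line explaining which helper is executed from there. In the `@@ -253,12 +354,53 @@` hunk the `vnc_port_t`/`rtp_media_port_t` name_bind rules and the catch-all `port_t` name_connect rule presumably serve `guix system vm`, but the `;; guix system vm` comment only precedes the kvm_device_t rule, so moving it above the port rules (or adding `;; ports used by the VM backend` there) would make the grouping match the intent. The enclosing `(block guix_daemon` opens in an earlier hunk and closes in the last one, so all of these rules are part of the same domain.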