Re: [PATCH] Add SELinux policy for guix-daemon.

[ludo@gnu.org (Ludovic Courtès)]

Hello!

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.

Impressive!  I know nothing about SELinux so I can’t comment on the
specifics.

> These file labels are defined:

[...]

> The audit log shouldn’t show you any complaints.  At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.

What about putting this text in a new “SELinux Support” section or
similar, along with the current limitations?

> Open issues:

[...]

> * A possible problem is that I assign all files with a name matching
>   “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
>   “guix_daemon_exec_t”; this means that *any* file with that name in any
>   profile would be permitted to run in the guix_daemon_t domain.  This
>   is not ideal.  An attacker could build a package that provides this
>   executable and convince a user to install and run it, which lifts it
>   into the guix_daemon_t domain.  At that point SELinux could not
>   prevent it from accessing files that are allowed for processes in that
>   domain (such as the actual daemon).
>
>   This makes me wonder if we could do better by generating a much more
>   restrictive policy at installation time, so that only the *exact* file
>   name of the currently installed guix-daemon executable would be
>   labelled with guix_daemon_exec_t, instead of using a regular
>   expression like that.  This means that root would have to
>   install/upgrade the policy at installation time whenever the Guix
>   package that provides the effectively running guix-daemon executable
>   is upgraded.  Food for thought.

Yeah, guix-daemon.service currently refers to
/var/guix/profiles/…/guix-daemon for similar reasons.

> From d20bae0953d5d0a6bf1c06ab44505af6dea4df4d Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
> Date: Thu, 25 Jan 2018 15:21:07 +0100
> Subject: [PATCH] etc: Add SELinux policy for the daemon.
>
> * etc/guix-daemon.cil.in: New file.
> * Makefile.am: Add dist_selinux_policy_DATA.
> * configure.ac: Handle --with-selinux-policy-dir.

[...]

> --- /dev/null
> +++ b/etc/guix-daemon.cil.in
> @@ -0,0 +1,281 @@
> +; -*- lisp -*-

Perhaps add a comment like:

  ;; This is a specification for SELinux X.Y written in the SELinux
  ;; Common Intermediate Language (CIL).

Fun that it uses sexps.  :-)

Thanks!

Ludo’.