From: Ricardo Wurmus
Subject: Re: SELinux log
Date: Tue, 11 Jun 2019 14:23:37 +0200
Message-ID: <87tvcw9upi.fsf@elephly.net>
To: Laura Lazzati
Cc: Guix-devel

Hi Laura,

>> So we need to figure out what file that “guix” command corresponds to,
>> so that we can add a rule to the policy to apply the correct label.
>>
> I see. But how can we do this?

We then need to think about the kinds of file operations that the “guix”
command should be permitted to perform. We know already that it should
be allowed to access files of type “guix_daemon_conf_t”.

What do you think: should we define a new type for the Guix command?
If so, we need to declare it near the top:

  ;; Declare own types
  (type guix_daemon_t)
  …

We would add two new types: one is a file type “guix_client_exec_t”,
which will be given to the “guix” executables. The file type should
allow the *process* spawned by the executable to operate in the
“guix_client_t” domain. So, we’ll do this:

  (type guix_client_exec_t)
  (roletype object_r guix_client_exec_t)
  (type guix_client_t)
  (roletype object_r guix_client_t)

Since this type should not just be a file type but a *process* domain
(= a type for processes), we need to declare it as such, so this line

  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

would become that line:

  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t guix_client_t))

Now we need to permit a domain transition: a file with type
guix_client_exec_t (when executed) should cause the resulting process
to transition to the guix_client_t domain. I’m not sure about this, but
I think we want this transition declaration:

  (typetransition guix_store_content_t guix_client_exec_t process guix_client_t)

This means: when a process in guix_store_content_t spawns a
guix_client_exec_t process, let it run in the guix_client_t context.

And *now* we can add rules of access for processes running in the
guix_client_t domain, such as these read-only directory access
permissions:

  (allow guix_client_t guix_daemon_conf_t (dir (search getattr open read)))

and perhaps these read-only file access permissions:

  (allow guix_client_t guix_daemon_conf_t (file (map getattr open read)))

Lastly, we need to add a file rule, so that the guix executables all
get the right type. The first step is to see what “guix” is:

  readlink -f $(which guix)

It’s probably a store item with a particular name that isn’t captured
by an explicit rule in etc/guix-daemon.cil yet.
We then add a rule to give the “guix” file the proper label, something
like the following, but with a glob pattern matching the actual “guix”
file:

  (filecon "@storedir@/…/bin/guix" file (system_u object_r guix_client_exec_t (low low)))

Every time we change the policy we need to run semanage to unload the
loaded policy and load the new one from file, then run restorecon to
relabel (a subset of the) files in /gnu. A little tedious, but it
should be manageable.

Would you like to give it a try?

--
Ricardo
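An added example (mine, not code from this thread or from Guix's own etc/guix-daemon.cil) for the last step: it turns the path that `readlink -f $(which guix)` resolves to into a filecon path pattern that survives rebuilds and upgrades, emits the filecon rule, and checks the pattern against the concrete path before the policy is loaded and restorecon runs. It assumes filecon paths are treated as regular expressions (as in file_contexts), that `@storedir@` is the configure-time placeholder for /gnu/store, and uses a constructed sample store path with an invented hash and version.

```python
import re

# Constructed sample: a path that `readlink -f $(which guix)` might
# resolve to. The store hash and version are invented for illustration.
SAMPLE_GUIX_PATH = (
    "/gnu/store/0123456789abcdefghijklmnopqrstuv-guix-1.0.1/bin/guix"
)

# /gnu/store/<32-char hash>-<name>-<version>/<path inside the item>
STORE_ITEM_RE = re.compile(
    r"^/gnu/store/(?P<hash>[0-9a-z]{32})-(?P<name>.+?)"
    r"-(?P<version>[0-9][^/]*)/(?P<rest>.+)$"
)


def store_path_pattern(path):
    """Turn one concrete store path into a filecon path pattern that keeps
    matching after the package is rebuilt (new hash) or upgraded (new
    version). Assumption: filecon paths are regular expressions, as in
    file_contexts; '@storedir@' is Guix's configure-time placeholder."""
    m = STORE_ITEM_RE.match(path)
    if m is None:
        raise ValueError(f"not a versioned store path: {path}")
    return "@storedir@/[0-9a-z]{32}-%s-[^/]+/%s" % (
        re.escape(m["name"]),
        re.escape(m["rest"]),
    )


def filecon_rule(path, file_type="guix_client_exec_t"):
    """Emit the CIL filecon line that labels the executable."""
    return (
        f'(filecon "{store_path_pattern(path)}" file '
        f"(system_u object_r {file_type} (low low)))"
    )


def filecon_matches(pattern, path, storedir="/gnu/store"):
    """Check that the pattern really covers the concrete file restorecon
    will see; a near miss silently leaves the binary unlabelled."""
    regex = pattern.replace("@storedir@", re.escape(storedir))
    return re.fullmatch(regex, path) is not None
```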