From: Gábor Boskovits
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Fri, 16 Feb 2018 13:54:21 +0100
To: Alex Vong
Cc: guix-devel, Ricardo Wurmus

2018-02-16 8:49 GMT+01:00 Alex Vong:

> Ricardo Wurmus writes:
>
> > Alex Vong writes:
> >
> >>> No, the script won’t install the SELinux policy. It wouldn’t work on
> >>> all systems, only on those where a suitable SELinux base policy is
> >>> available.
> >>>
> >> So it won't work on Debian? I think Debian and Fedora uses different
> >> base policy, right?
> >
> > I don’t know much about SELinux on Debian, I’m afraid.
> >
> >> If this is the case, should we also include an
> >> apparmor profile?
> >
> > That’s unrelated, but sure, why not.
> >
> > I would suggest writing a minimal base policy. SELinux is not an
> > all-or-nothing affair. That base policy only needs to provide the few
> > types that we care about for the guix-daemon. It wouldn’t be too hard.
> >
> > The resulting policy could then be used on GuixSD or any other system
> > that doesn’t have a full SELinux configuration.
>

I looked around a little, and it seems that at least Fedora and Debian
have their base policies originating from the SELinux reference policy:
https://github.com/TresysTechnology/refpolicy/wiki

I guess it would be nice to investigate how we could adopt this to GuixSD.
WDYT?

>
> >> Which paths does guix-daemon need to have r/w access
> >> to? From your SELinux profile, we know the following is needed:
> >>
> >> @guix_sysconfdir@/guix(/.*)?
> >> @guix_localstatedir@/guix(/.*)?
> >> @guix_localstatedir@/guix/profiles(/.*)?
> >> /gnu
> >> @storedir@(/.+)?
> >> @storedir@/[^/]+/.+
> >> @prefix@/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> >> @guix_localstatedir@/guix/daemon-socket/socket
> >
> > These are not things that the daemon needs to have access to. These are
> > paths that are to be labeled. The daemon is executed in a certain
> > context, and processes in that context may have certain permissions on
> > some of the files that have been labeled.
> >
> I will have to read the colour book when I have time to understand what
> do you mean!
>
> > --
> > Ricardo
> >
> > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> > https://elephly.net
> >
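
Added example, not part of the original message or of the patch under discussion: a small Python model of the distinction made in the thread between labeling paths and granting permissions to the daemon's context. The path patterns are the ones quoted above; the placeholder values, every type and domain name, the allow rules and the last-match-wins ordering (a simplification of how libselinux ranks file-context entries) are assumptions made for illustration.

```python
import re

# Assumed values for the @...@ placeholders in the patterns quoted in the thread.
SUBST = {"@storedir@": "/gnu/store", "@guix_localstatedir@": "/var",
         "@guix_sysconfdir@": "/etc", "@prefix@": "/usr/local"}

# Patterns: as quoted in the thread. Type names: hypothetical, not the patch's.
FILE_CONTEXTS = [
    ("@guix_sysconfdir@/guix(/.*)?", "example_conf_t"),
    ("@guix_localstatedir@/guix(/.*)?", "example_var_t"),
    ("@guix_localstatedir@/guix/profiles(/.*)?", "example_profiles_t"),
    ("/gnu", "example_store_t"),
    ("@storedir@(/.+)?", "example_store_t"),
    ("@storedir@/[^/]+/.+", "example_store_content_t"),
    ("@prefix@/bin/guix-daemon", "example_daemon_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/bin/guix-daemon", "example_daemon_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate", "example_helper_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?", "example_helper_exec_t"),
    ("@guix_localstatedir@/guix/daemon-socket/socket", "example_socket_t"),
]

# Hypothetical allow rules: (domain, target type, class) -> permitted operations.
ALLOW = {
    ("example_daemon_t", "example_store_content_t", "file"): {"read", "write", "create"},
    ("example_daemon_t", "example_conf_t", "file"): {"read"},
    ("example_daemon_t", "example_socket_t", "sock_file"): {"read", "write", "create"},
}

def expand(pattern):
    """Substitute the assumed build-time values into a quoted pattern."""
    for key, value in SUBST.items():
        pattern = pattern.replace(key, value)
    return pattern

def label_for(path):
    """Step 1, labeling: the last fully matching pattern decides the type."""
    label = None
    for pattern, type_name in FILE_CONTEXTS:
        if re.fullmatch(expand(pattern), path):
            label = type_name
    return label

def allowed(domain, path, tclass, perm):
    """Step 2, enforcement: only the (domain, type, class) triple is consulted."""
    return perm in ALLOW.get((domain, label_for(path), tclass), set())
```

In this model a path appearing in the pattern list only determines its label; whether a process may touch it depends on the rules for the process's domain, so `/etc/guix/acl` is labeled yet not writable by the hypothetical daemon domain.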