From: Daniel Brooks
To: 44549@debbugs.gnu.org
Cc: guix-patches@gnu.org
Subject: [bug#44549] [PATCH v3] etc: updates for the guix-daemon SELinux policy
Date: Thu, 12 Nov 2020 16:07:52 -0800
Message-ID: <875z6a6rvr.fsf@db48x.net>
In-Reply-To: <87sg9h8s5j.fsf@db48x.net>

From 9354e87ccbc465aea7cefa1c7cc827c2b4f6057c Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v3] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
 etc/guix-daemon.cil.in | 178 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 160 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..47fd12a214 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@ ; -*- lisp -*- ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2018 Ricardo Wurmus +;;; Copyright =C2=A9 2020 Daniel Brooks +;;; Copyright =C2=A9 2020 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -21,6 +23,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. =20 +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daem= on_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check = its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions = it +;; ought to have. Use ausearch --raw to find the permissions violations, t= hen +;; pipe that to audit2allow to generate an updated policy. You'll still ne= ed +;; to translate that policy into CIL in order to update this file, but tha= t's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +48,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) =20 ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +74,30 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) =20 + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (lnk_file (read))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +114,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd = shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) =20 ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink s= etattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +162,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) =20 ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +181,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +254,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +264,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +272,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) =20 ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +297,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) =20 ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,8 +320,22 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read read write)= )) =20 ;; Socket operations + (allow guix_daemon_t + guix_daemon_socket_t + (sock_file (unlink))) (allow guix_daemon_t init_t (fd (use))) 
@@ -253,12 +354,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt geta= ttr ioctl read write shutdown))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) =20 ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" --=20 2.26.2
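Review bot: the debugging recipe in the new header comment (hunk @@ -21,6 +23,18 @@) should say how to leave permissive mode again and how to scope the audit search; as written it leaves the reader with a permanently unconfined daemon and an unbounded log to sift. `semanage permissive -a guix_daemon.guix_daemon_t` is undone with `semanage permissive -d guix_daemon.guix_daemon_t`, and `ausearch -m AVC -ts recent --raw | audit2allow` limits the generated rules to the denials from the session being debugged. It is also worth saying that every rule audit2allow prints is a proposal to be justified, not a fix to be pasted: a permissive domain logs denials for whatever the daemon happens to run, including build and test processes, and several rules later in this patch look like they were taken over verbatim. Minor: "straight-forward" is one word.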
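Review bot: after hunk @@ -34,14 +48,19 @@ guix_daemon_exec_t carries both the `file_type` attribute added here and the `domain` attribute from the unchanged line `(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))` just below it. An entrypoint type is a file label, not a process domain; leaving it in `domain` means every rule in the base policy that targets `domain` (signalling, ptrace, /proc access and the like) also applies to whatever is labelled as the daemon binary. Since this hunk is already correcting the type's attributes, suggest removing guix_daemon_exec_t from the `domain` set in the same change.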
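Review bot: the init_t rules added in @@ -55,6 +74,30 @@ grant `process transition` and `file execute`, but nothing in the visible policy causes the transition to happen. The only `typetransition` in context, `(typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t)`, has the store file type as its source, so it never applies to a process running as init_t. Without `(typetransition init_t guix_daemon_exec_t process guix_daemon_t)` (or an explicit context set by the service manager), the daemon stays in init_t and none of the guix_daemon_t rules below are exercised, which would also explain why init_t appears to need `open read execute` on all of guix_store_content_t here. Please add the transition or document where it is done, and add a comment on `(allow init_t guix_store_content_t (file (open read execute)))`: letting init execute any file in the store is broader than the daemon-confinement goal of this policy and deserves a stated reason.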
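Review bot: the tmp_t file rule in @@ -71,25 +114,44 @@, `(file (link rename create execute execute_no_trans write unlink setattr map relabelto))`, lets guix_daemon_t write a file under tmp_t and then execute it in its own domain, i.e. write-plus-execute on the same label. That is presumably required because builds run in a tmp build directory under this domain, but it also means any code the daemon runs with write access to tmp (a build script, a downloader) can get native code executed with the daemon's label and the capabilities granted later in this patch. Please state the reason in a comment, and consider giving the build directories their own type via a `typetransition` from tmp_t so that `execute`, `execute_no_trans` and `relabelto` are confined to them rather than to everything under tmp_t. The new `ephemeral_port_t` and `ftp_port_t` `name_connect` rules also need a one-line justification; ephemeral_port_t covers the whole high port range, which is more than the "HTTP(s)" the comment above them describes.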
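Review bot: `execmem` in @@ -100,10 +162,10 @@ permits anonymous memory that is both writable and executable for the whole guix_daemon_t domain, which switches off the W^X check SELinux otherwise enforces. The C++ daemon itself should not need it, so it is presumably for the Guile helper programs the daemon execs; a comment naming the process that produced the denial would let a later maintainer drop the permission once that helper no longer needs it. `setrlimit setpgid setsched` and the `entrypoint map` additions on guix_daemon_exec_t look right.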
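Review bot: two problems in @@ -119,38 +181,51 @@. First, `(allow guix_daemon_t proc_t (filesystem (associate mount)))` mixes two differently shaped rules: `associate` is checked with a file type as the source and the filesystem type as the target (compare the unchanged `(allow guix_store_content_t fs_t (filesystem (associate)))` in the same hunk), so with a process domain as source it matches nothing and is almost certainly audit2allow noise; keep `mount` and drop `associate`, or name the file type that actually needs to live on proc. Second, adding `sys_admin` to the capability set makes the daemon effectively root: together with the existing `dac_override`, `setuid`, `setgid`, `sys_chroot` and `mounton` on the store, SELinux no longer constrains what a compromised daemon can do to the host. Capabilities cannot be narrowed in policy, so the only mitigation is to record in a comment which operation needs it (mount or namespace setup for the build chroot is the obvious candidate) and to make sure the capability is only reached on that path.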
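Review bot: `relabelfrom` on guix_store_content_t in @@ -179,7 +254,7 @@ and @@ -189,7 +264,7 @@ only pairs with the `relabelto` this patch grants on tmp_t, so what it permits is relabelling store directories and files to tmp_t. If the denial came from build outputs being moved from the tmp build directory into the store, the direction is backwards: files keep their tmp_t label across `rename`, and what is needed is `relabelfrom` on tmp_t and `relabelto` on guix_store_content_t; otherwise finished store items stay labelled tmp_t and every later rule keyed on guix_store_content_t misses them. Please check the target type on the original relabelto AVC record and add a comment naming the operation that relabels.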
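Review bot: @@ -216,11 +297,17 @@ introduces a hard dependency on `NetworkManager_var_run_t`, and other hunks in this patch reference `cache_home_t`, `kvm_device_t`, `rtp_media_port_t`, `vnc_port_t`, `ephemeral_port_t` and the `nscd` object class. CIL resolves these against the base policy when the module is installed, so on a host whose policy lacks the NetworkManager module (or any of these types) the whole guix-daemon module fails to load rather than losing one rule. The header comment already says the file refers to types the base policy must define; the commit message should list the newly required modules, and the NetworkManager rule (a `search` so that a resolv.conf symlink into its run directory can be followed) deserves both a comment and, ideally, an `optional` block so that hosts without NetworkManager still load the policy.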
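Review bot: in @@ -233,8 +320,22 @@ the rule `(allow guix_daemon_t self (dir (add_name write)))` is suspicious: `self` with the `dir` class means a directory labelled guix_daemon_t, and the only directories carrying a process domain label are the daemon's own /proc/<pid> entries, which nothing should be creating names in. This reads like audit2allow reproducing a denial against mislabelled files rather than a real requirement; please attach the AVC line that motivated it before it is merged. The `netlink_route_socket` rule is for interface and route enumeration, which the "self upgrades" comment does not explain; a comment naming the operation would help.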
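Review bot: the network rules in @@ -253,12 +354,53 @@ turn guix_daemon_t into a general-purpose network client and server. `port_t (tcp_socket (name_connect))` allows outbound connections to any labelled port, and `unreserved_port_t (tcp_socket (name_bind name_connect accept listen))` with the `node_bind` rules allows listening on any unprivileged port, while the `vnc_port_t` and `rtp_media_port_t` binds and `kvm_device_t` access serve `guix system vm` and, presumably, package test suites that open sockets during a build. These are needs of what the daemon builds, not of the daemon protocol itself; each rule should name the build or command that triggered it so the permissions can be taken away again if builds are ever moved into a separate domain. `kernel_t (system (ipc_info))` and `random_device_t (chr_file (read))` are harmless but equally undocumented; "I guess sometimes it needs random numbers" should say which helper reads the device.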