* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
@ 2020-11-12 21:13 ` Marius Bakke
2020-11-12 21:45 ` Daniel Brooks
2020-11-13 0:01 ` [bug#44549] [PATCH v2] " Daniel Brooks
` (3 subsequent siblings)
4 siblings, 1 reply; 14+ messages in thread
From: Marius Bakke @ 2020-11-12 21:13 UTC (permalink / raw)
To: Daniel Brooks, 44549
[-- Attachment #1.1: Type: text/plain, Size: 2238 bytes --]
Hello Daniel,
Thanks a lot for this.
Daniel Brooks <db48x@db48x.net> writes:
>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.
This commit message is somewhat unorthodox. :-)
Perhaps it can be shortened to:
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
[...]
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@
> ;; Intermediate Language (CIL). It refers to types that must be defined in
> ;; the system's base policy.
>
> +;; If you, like me, need advice about fixing an SELinux policy, I recommend
> +;; reading https://danwalsh.livejournal.com/55324.html
> +
> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
> +;; permissions, and when it doesn't have permission it will still send an
> +;; audit message to your system logs. This lets you know what permissions it
> +;; ought to have. Use ausearch --raw to find the permissions violations, then
> +;; pipe that to audit2allow to generate an updated policy. You'll still need
> +;; to translate that policy into CIL in order to update this file, but that's
> +;; fairly straight-forward. Annoying, but easy.
I'm not sure about the second paragraph. It's mainly a rehash of the
blog post, no? And there are many other ways to go about
troubleshooting SELinux (I did not use ausearch at all).
Anyway! I tried it on RHEL8, and had to do a few more tweaks to get it
working:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: diff --]
[-- Type: text/x-patch, Size: 1201 bytes --]
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 666e5677a3..b5909f1b18 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -84,6 +84,9 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
(allow init_t
guix_store_content_t
(file (open read execute)))
@@ -166,6 +169,9 @@
(allow guix_daemon_t
root_t
(dir (mounton)))
+ (allow guix_daemon_t
+ guix_daemon_socket_t
+ (sock_file (unlink)))
(allow guix_daemon_t
fs_t
(filesystem (getattr)))
@@ -348,7 +354,12 @@
getopt setopt)))
(allow guix_daemon_t
self
- (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
+ (netlink_route_socket (read write)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept
+ listen bind connect create read write
+ setopt getopt getattr ioctl)))
(allow guix_daemon_t
unreserved_port_t
(tcp_socket (name_bind name_connect accept listen)))
[-- Attachment #1.3: Type: text/plain, Size: 331 bytes --]
Can you test these additional changes on Fedora?
With this, I no longer have to go through 'guix pack' and 'podman' to
run Guix packages on my RHEL workstation! :-)
Also, is it OK to add you to the list of contributors at the top of the
file with this name and address?
Thanks! It's really great to get this in before 1.2.0.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply related [flat|nested] 14+ messages in thread* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-12 21:13 ` Marius Bakke
@ 2020-11-12 21:45 ` Daniel Brooks
2020-11-12 22:19 ` Marius Bakke
0 siblings, 1 reply; 14+ messages in thread
From: Daniel Brooks @ 2020-11-12 21:45 UTC (permalink / raw)
To: Marius Bakke; +Cc: 44549
Marius Bakke <marius@gnu.org> writes:
> Hello Daniel,
>
> Thanks a lot for this.
You're welcome.
>
> Daniel Brooks <db48x@db48x.net> writes:
>
>>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>> From: Daniel Brooks <db48x@db48x.net>
>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>
>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>> everything that guix-daemon needs, but it's probably most of them. It can
>> search for, install, upgrade, and remove packages, create virtual machines,
>> update itself, and so on. I haven't tried creating containers yet, which might
>> reveal more things to add.
>
> This commit message is somewhat unorthodox. :-)
>
> Perhaps it can be shortened to:
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.
I suppose. Personally I dislike the changelog style commit messages, but
when in Rome…
>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>> +;; permissions, and when it doesn't have permission it will still send an
>> +;; audit message to your system logs. This lets you know what permissions it
>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>> +;; to translate that policy into CIL in order to update this file, but that's
>> +;; fairly straight-forward. Annoying, but easy.
>
> I'm not sure about the second paragraph. It's mainly a rehash of the
> blog post, no? And there are many other ways to go about
> troubleshooting SELinux (I did not use ausearch at all).
True. I just wanted a quick summary somewhere in the source so that
future us won't have to rely on a random blog post, even one from Dan
Walsh.
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 666e5677a3..b5909f1b18 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -84,6 +84,9 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + guix_store_content_t
> + (lnk_file (read)))
This one is a little unusual; is your service file symlinked or something?
> (allow init_t
> guix_store_content_t
> (file (open read execute)))
> @@ -166,6 +169,9 @@
> (allow guix_daemon_t
> root_t
> (dir (mounton)))
> + (allow guix_daemon_t
> + guix_daemon_socket_t
> + (sock_file (unlink)))
That shouldn't be a problem, though we don't have any other rules for
guix_daemon_socket_t. Possibly that is because my socket file is labeled
guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
correctly when created, and hasn't been relabeled since.
> (allow guix_daemon_t
> fs_t
> (filesystem (getattr)))
> @@ -348,7 +354,12 @@
> getopt setopt)))
> (allow guix_daemon_t
> self
> - (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
> + (netlink_route_socket (read write)))
> + (allow guix_daemon_t
> + self
> + (tcp_socket (accept
> + listen bind connect create read write
> + setopt getopt getattr ioctl)))
These are fine; in fact I discovered these myself this morning and was
going to send a patch.
> Can you test these additional changes on Fedora?
Yes, I'll let you know if there are any problems. Also, I'll investigate
the socket file some more.
>
> With this, I no longer have to go through 'guix pack' and 'podman' to
> run Guix packages on my RHEL workstation! :-)
Ideal :)
>
> Also, is it OK to add you to the list of contributors at the top of the
> file with this name and address?
Certainly.
db48x
^ permalink raw reply [flat|nested] 14+ messages in thread
* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-12 21:45 ` Daniel Brooks
@ 2020-11-12 22:19 ` Marius Bakke
2020-11-12 23:56 ` Daniel Brooks
0 siblings, 1 reply; 14+ messages in thread
From: Marius Bakke @ 2020-11-12 22:19 UTC (permalink / raw)
To: Daniel Brooks; +Cc: 44549
[-- Attachment #1: Type: text/plain, Size: 5505 bytes --]
Daniel Brooks <db48x@db48x.net> writes:
>> Daniel Brooks <db48x@db48x.net> writes:
>>
>>>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
>>> From: Daniel Brooks <db48x@db48x.net>
>>> Date: Mon, 9 Nov 2020 07:03:42 -0800
>>> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>>>
>>> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
>>> everything that guix-daemon needs, but it's probably most of them. It can
>>> search for, install, upgrade, and remove packages, create virtual machines,
>>> update itself, and so on. I haven't tried creating containers yet, which might
>>> reveal more things to add.
>>
>> This commit message is somewhat unorthodox. :-)
>>
>> Perhaps it can be shortened to:
>>
>> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
>> guix-daemon to account for daemon updates and newer SELinux.
>
> I suppose. Personally I dislike the changelog style commit messages, but
> when in Rome…
It's not a very strong opinion. I think it would be fine without the
first person style.
>>> +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
>>> +;; to allow guix-daemon to do whatever it wants. SELinux will still check its
>>> +;; permissions, and when it doesn't have permission it will still send an
>>> +;; audit message to your system logs. This lets you know what permissions it
>>> +;; ought to have. Use ausearch --raw to find the permissions violations, then
>>> +;; pipe that to audit2allow to generate an updated policy. You'll still need
>>> +;; to translate that policy into CIL in order to update this file, but that's
>>> +;; fairly straight-forward. Annoying, but easy.
>>
>> I'm not sure about the second paragraph. It's mainly a rehash of the
>> blog post, no? And there are many other ways to go about
>> troubleshooting SELinux (I did not use ausearch at all).
>
> True. I just wanted a quick summary somewhere in the source so that
> future us won't have to rely on a random blog post, even one from Dan
> Walsh.
Fair point. I can imagine a scenario when I'm stuck on a SELinux system
without an internet connection.
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 666e5677a3..b5909f1b18 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -84,6 +84,9 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + guix_store_content_t
>> + (lnk_file (read)))
>
> This one is a little unusual; is your service file symlinked or something?
Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?
>> (allow init_t
>> guix_store_content_t
>> (file (open read execute)))
>> @@ -166,6 +169,9 @@
>> (allow guix_daemon_t
>> root_t
>> (dir (mounton)))
>> + (allow guix_daemon_t
>> + guix_daemon_socket_t
>> + (sock_file (unlink)))
>
> That shouldn't be a problem, though we don't have any other rules for
> guix_daemon_socket_t. Possibly that is because my socket file is labeled
> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
> correctly when created, and hasn't been relabeled since.
It could also be an artifact from my ancient experiments with Guix and
SELinux on this system. Perhaps we should test on a "clean" system to
verify, I can do that next week.
>> (allow guix_daemon_t
>> fs_t
>> (filesystem (getattr)))
>> @@ -348,7 +354,12 @@
>> getopt setopt)))
>> (allow guix_daemon_t
>> self
>> - (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl)))
>> + (netlink_route_socket (read write)))
>> + (allow guix_daemon_t
>> + self
>> + (tcp_socket (accept
>> + listen bind connect create read write
>> + setopt getopt getattr ioctl)))
>
> These are fine; in fact I discovered these myself this morning and was
> going to send a patch.
>
>> Can you test these additional changes on Fedora?
>
> Yes, I'll let you know if there are any problems. Also, I'll investigate
> the socket file some more.
Awesome, thanks a lot!
Can you "squash" the relevant changes from my patch and send a new patch
when you are done?
As a side note, I've seen a couple other audit messages from
guix-daemon, although though they don't seem to cause a problem in
practice.
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs" ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process permissive=0
Not sure what that's about.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-12 22:19 ` Marius Bakke
@ 2020-11-12 23:56 ` Daniel Brooks
2020-11-13 14:52 ` Marius Bakke
0 siblings, 1 reply; 14+ messages in thread
From: Daniel Brooks @ 2020-11-12 23:56 UTC (permalink / raw)
To: Marius Bakke; +Cc: 44549
Marius Bakke <marius@gnu.org> writes:
>>> + (allow init_t
>>> + guix_store_content_t
>>> + (lnk_file (read)))
>>
>> This one is a little unusual; is your service file symlinked or something?
>
> Hmm. Could it be because /etc/systemd/system/guix-daemon.service refers
> to /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon?
That was it. Not sure how I left that one out, in fact.
>>> + (allow guix_daemon_t
>>> + guix_daemon_socket_t
>>> + (sock_file (unlink)))
>>
>> That shouldn't be a problem, though we don't have any other rules for
>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>> correctly when created, and hasn't been relabeled since.
>
> It could also be an artifact from my ancient experiments with Guix and
> SELinux on this system. Perhaps we should test on a "clean" system to
> verify, I can do that next week.
Ok, I figured this one out. When the socket file is created it is
labeled at guix_daemon_conf_t, but the filecon rules will cause that to
be relabeled to guix_daemon_socket_t at some point in the future. When
the guix-daemon process stops it tries to delete the socket file, but
can't. I'll go ahead and include the rule.
> Can you "squash" the relevant changes from my patch and send a new patch
> when you are done?
Will do.
>
> As a side note, I've seen a couple other audit messages from
> guix-daemon, although though they don't seem to cause a problem in
> practice.
>
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
> permissive=0
The first two are already covered by the new policy, and the third is
inconsequential. The kernel checks on our behalf to see if our child
processes are allowed to inherit our signal state. That's usually
disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
the logs; you probably had that disabled. I'm not going to add a rule
allowing that one; It would just cause accidents.
db48x
^ permalink raw reply [flat|nested] 14+ messages in thread* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-12 23:56 ` Daniel Brooks
@ 2020-11-13 14:52 ` Marius Bakke
2020-11-13 15:34 ` Daniel Brooks
0 siblings, 1 reply; 14+ messages in thread
From: Marius Bakke @ 2020-11-13 14:52 UTC (permalink / raw)
To: Daniel Brooks; +Cc: 44549
[-- Attachment #1.1: Type: text/plain, Size: 2554 bytes --]
Daniel Brooks <db48x@db48x.net> writes:
>>>> + (allow guix_daemon_t
>>>> + guix_daemon_socket_t
>>>> + (sock_file (unlink)))
>>>
>>> That shouldn't be a problem, though we don't have any other rules for
>>> guix_daemon_socket_t. Possibly that is because my socket file is labeled
>>> guix_daemon_conf_t, for unknown reasons. Perhaps it was not labeled
>>> correctly when created, and hasn't been relabeled since.
>>
>> It could also be an artifact from my ancient experiments with Guix and
>> SELinux on this system. Perhaps we should test on a "clean" system to
>> verify, I can do that next week.
>
> Ok, I figured this one out. When the socket file is created it is
> labeled at guix_daemon_conf_t, but the filecon rules will cause that to
> be relabeled to guix_daemon_socket_t at some point in the future. When
> the guix-daemon process stops it tries to delete the socket file, but
> can't. I'll go ahead and include the rule.
OK.
>> As a side note, I've seen a couple other audit messages from
>> guix-daemon, although though they don't seem to cause a problem in
>> practice.
>>
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { read } for
>> pid=2312896 comm="guix-daemon" path="socket:[74336318]" dev="sockfs"
>> ino=74336318 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> permissive=0
>> type=AVC msg=audit(1605189801.627:8637388): avc: denied { siginh } for
>> pid=2312896 comm="guix-daemon" scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=process
>> permissive=0
>
> The first two are already covered by the new policy, and the third is
> inconsequential. The kernel checks on our behalf to see if our child
> processes are allowed to inherit our signal state. That's usually
> disallowed, so that rule is marked 'dontaudit' so that it doesn't spam
> the logs; you probably had that disabled. I'm not going to add a rule
> allowing that one; It would just cause accidents.
Thanks for investigating.
Interestingly, after updating the system (both RHEL8 and Guix) and
rebooting, I got new SELinux troubles!
I had to add these additional rules to make guix-daemon start again:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: diff --]
[-- Type: text/x-patch, Size: 633 bytes --]
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 47fd12a214..3e254a2187 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -86,12 +86,15 @@
(allow init_t
guix_daemon_t
(process (transition)))
+ (allow init_t
+ self
+ (process (execmem)))
(allow init_t
guix_store_content_t
(lnk_file (read)))
(allow init_t
guix_store_content_t
- (file (open read execute)))
+ (file (open read execute execute_no_trans map)))
;; guix-daemon needs to know the names of users
(allow guix_daemon_t
[-- Attachment #1.3: Type: text/plain, Size: 70 bytes --]
Do these look sane to you? I can squash them into the commit if so.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply related [flat|nested] 14+ messages in thread* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-13 14:52 ` Marius Bakke
@ 2020-11-13 15:34 ` Daniel Brooks
2020-11-13 15:59 ` Marius Bakke
0 siblings, 1 reply; 14+ messages in thread
From: Daniel Brooks @ 2020-11-13 15:34 UTC (permalink / raw)
To: Marius Bakke; +Cc: 44549
Marius Bakke <marius@gnu.org> writes:
> Interestingly, after updating the system (both RHEL8 and Guix) and
> rebooting, I got new SELinux troubles!
>
> I had to add these additional rules to make guix-daemon start again:
>
> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index 47fd12a214..3e254a2187 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -86,12 +86,15 @@
> (allow init_t
> guix_daemon_t
> (process (transition)))
> + (allow init_t
> + self
> + (process (execmem)))
At some point we should track down why that one is necessary, perhaps
Guile has a JIT compiler or something?
> (allow init_t
> guix_store_content_t
> - (file (open read execute)))
> + (file (open read execute execute_no_trans map)))
This one looks pretty suspicious. I think it would allow any file
labeled guix_store_content_t to run in the init_t domain? We wouldn't
want that.
db48x
^ permalink raw reply [flat|nested] 14+ messages in thread
* [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy
2020-11-13 15:34 ` Daniel Brooks
@ 2020-11-13 15:59 ` Marius Bakke
0 siblings, 0 replies; 14+ messages in thread
From: Marius Bakke @ 2020-11-13 15:59 UTC (permalink / raw)
To: Daniel Brooks; +Cc: 44549
[-- Attachment #1: Type: text/plain, Size: 1352 bytes --]
Daniel Brooks <db48x@db48x.net> writes:
> Marius Bakke <marius@gnu.org> writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?
Ding ding ding.
https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation
>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.
Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds
for this?
Are you testing with the latest version of guix-daemon?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* [bug#44549] [PATCH v2] etc: updates for the guix-daemon SELinux policy
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
2020-11-12 21:13 ` Marius Bakke
@ 2020-11-13 0:01 ` Daniel Brooks
2020-11-13 0:07 ` [bug#44549] [PATCH v3] " Daniel Brooks
` (2 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Daniel Brooks @ 2020-11-13 0:01 UTC (permalink / raw)
To: 44549
[-- Attachment #1: [PATCH v2] etc: updates for the guix-daemon SELinux policy --]
[-- Type: text/x-patch, Size: 11776 bytes --]
From a4262f3ee0feb98d84e0eeb4b86c1575f00e2078 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v2] etc: updates for the guix-daemon SELinux policy
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
etc/guix-daemon.cil.in | 175 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 157 insertions(+), 18 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..5de89eb98e 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +23,18 @@
;; Intermediate Language (CIL). It refers to types that must be defined in
;; the system's base policy.
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
(block guix_daemon
;; Require existing types
(typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
+ (roletype system_r guix_daemon_t)
+
+ ;; allow init_t to read and execute guix files
+ (allow init_t
+ guix_profiles_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_daemon_exec_t
+ (file (execute)))
+ (allow init_t
+ guix_daemon_t
+ (process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_store_content_t
+ (file (open read execute)))
+
+ ;; guix-daemon needs to know the names of users
+ (allow guix_daemon_t
+ passwd_file_t
+ (file (getattr open read)))
+
;; Permit communication with NSCD
(allow guix_daemon_t
nscd_var_run_t
@@ -71,25 +114,44 @@
(allow guix_daemon_t
nscd_t
(unix_stream_socket (connectto)))
+ (allow guix_daemon_t nscd_t
+ (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+ ;; permit downloading packages via HTTP(s)
+ (allow guix_daemon_t http_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ftp_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ephemeral_port_t
+ (tcp_socket (name_connect)))
;; Permit logging and temp file access
(allow guix_daemon_t
tmp_t
- (lnk_file (setattr unlink)))
+ (lnk_file (create rename setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+ (allow guix_daemon_t
+ tmp_t
+ (fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
- (dir (create
- rmdir
+ (dir (create rename
+ rmdir relabelto
add_name remove_name
open read write
getattr setattr
search)))
+ (allow guix_daemon_t
+ tmp_t
+ (sock_file (create getattr setattr unlink write)))
(allow guix_daemon_t
var_log_t
(file (create getattr open write)))
(allow guix_daemon_t
var_log_t
- (dir (getattr write add_name)))
+ (dir (getattr create write add_name)))
(allow guix_daemon_t
var_run_t
(lnk_file (read)))
@@ -100,10 +162,10 @@
;; Spawning processes, execute helpers
(allow guix_daemon_t
self
- (process (fork)))
+ (process (fork execmem setrlimit setpgid setsched)))
(allow guix_daemon_t
guix_daemon_exec_t
- (file (execute execute_no_trans read open)))
+ (file (execute execute_no_trans read open entrypoint map)))
;; TODO: unknown
(allow guix_daemon_t
@@ -119,38 +181,51 @@
;; Build isolation
(allow guix_daemon_t
guix_store_content_t
- (file (mounton)))
+ (file (ioctl mounton)))
(allow guix_store_content_t
fs_t
(filesystem (associate)))
(allow guix_daemon_t
guix_store_content_t
- (dir (mounton)))
+ (dir (read mounton)))
(allow guix_daemon_t
guix_daemon_t
(capability (net_admin
fsetid fowner
chown setuid setgid
dac_override dac_read_search
- sys_chroot)))
+ sys_chroot
+ sys_admin)))
(allow guix_daemon_t
fs_t
(filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (dir (search)))
(allow guix_daemon_t
devpts_t
(filesystem (mount)))
(allow guix_daemon_t
devpts_t
- (chr_file (setattr getattr)))
+ (chr_file (ioctl open read write setattr getattr)))
(allow guix_daemon_t
tmpfs_t
- (filesystem (mount)))
+ (filesystem (getattr mount)))
(allow guix_daemon_t
tmpfs_t
- (dir (getattr)))
+ (file (create open read unlink write)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (dir (getattr add_name remove_name write)))
(allow guix_daemon_t
proc_t
- (filesystem (mount)))
+ (file (getattr open read)))
+ (allow guix_daemon_t
+ proc_t
+ (dir (read)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (associate mount)))
(allow guix_daemon_t
null_device_t
(chr_file (getattr open read write)))
@@ -179,7 +254,7 @@
search rename
add_name remove_name
open write
- rmdir)))
+ rmdir relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(file (create
@@ -189,7 +264,7 @@
link unlink
map
rename
- open read write)))
+ open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
@@ -197,17 +272,23 @@
link unlink
read
rename)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (fifo_file (create getattr open read unlink write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (sock_file (create getattr unlink write)))
;; Access to configuration files and directories
(allow guix_daemon_t
guix_daemon_conf_t
- (dir (search
+ (dir (search create
setattr getattr
add_name remove_name
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
- (file (create
+ (file (create rename
lock
map
getattr setattr
@@ -216,11 +297,17 @@
(allow guix_daemon_t
guix_daemon_conf_t
(lnk_file (create getattr rename unlink)))
+ (allow guix_daemon_t net_conf_t
+ (file (getattr open read)))
+ (allow guix_daemon_t net_conf_t
+ (lnk_file (read)))
+ (allow guix_daemon_t NetworkManager_var_run_t
+ (dir (search)))
;; Access to profiles
(allow guix_daemon_t
guix_profiles_t
- (dir (getattr setattr read open)))
+ (dir (search getattr setattr read write open create add_name)))
(allow guix_daemon_t
guix_profiles_t
(lnk_file (read getattr)))
@@ -233,6 +320,17 @@
(allow guix_daemon_t
user_home_t
(dir (search)))
+ (allow guix_daemon_t
+ cache_home_t
+ (dir (search)))
+
+ ;; self upgrades
+ (allow guix_daemon_t
+ self
+ (dir (add_name write)))
+ (allow guix_daemon_t
+ self
+ (netlink_route_socket (bind create getattr nlmsg_read read write)))
;; Socket operations
(allow guix_daemon_t
@@ -253,12 +351,53 @@
read write
connect bind accept
getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+ (allow guix_daemon_t
+ unreserved_port_t
+ (tcp_socket (name_bind name_connect accept listen)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (connect getattr bind getopt setopt)))
(allow guix_daemon_t
self
(fifo_file (write read)))
(allow guix_daemon_t
self
(udp_socket (ioctl create)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (connectto)))
+
+ (allow guix_daemon_t
+ node_t
+ (tcp_socket (node_bind)))
+ (allow guix_daemon_t
+ node_t
+ (udp_socket (node_bind)))
+ (allow guix_daemon_t
+ port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t
+ rtp_media_port_t
+ (udp_socket (name_bind)))
+ (allow guix_daemon_t
+ vnc_port_t
+ (tcp_socket (name_bind)))
+
+ ;; I guess sometimes it needs random numbers
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (read)))
+
+ ;; guix system vm
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (ioctl open read write)))
+ (allow guix_daemon_t
+ kernel_t
+ (system (ipc_info)))
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread* [bug#44549] [PATCH v3] etc: updates for the guix-daemon SELinux policy
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
2020-11-12 21:13 ` Marius Bakke
2020-11-13 0:01 ` [bug#44549] [PATCH v2] " Daniel Brooks
@ 2020-11-13 0:07 ` Daniel Brooks
2020-11-14 14:57 ` [bug#44549] [PATCH v4] " Daniel Brooks
2020-11-14 16:49 ` [bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon Daniel Brooks
4 siblings, 0 replies; 14+ messages in thread
From: Daniel Brooks @ 2020-11-13 0:07 UTC (permalink / raw)
To: 44549
[-- Attachment #1: [PATCH v3] etc: updates for the guix-daemon SELinux policy --]
[-- Type: text/x-patch, Size: 11907 bytes --]
From 9354e87ccbc465aea7cefa1c7cc827c2b4f6057c Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v3] etc: updates for the guix-daemon SELinux policy
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
etc/guix-daemon.cil.in | 178 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 160 insertions(+), 18 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..47fd12a214 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +23,18 @@
;; Intermediate Language (CIL). It refers to types that must be defined in
;; the system's base policy.
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
(block guix_daemon
;; Require existing types
(typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
+ (roletype system_r guix_daemon_t)
+
+ ;; allow init_t to read and execute guix files
+ (allow init_t
+ guix_profiles_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_daemon_exec_t
+ (file (execute)))
+ (allow init_t
+ guix_daemon_t
+ (process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_store_content_t
+ (file (open read execute)))
+
+ ;; guix-daemon needs to know the names of users
+ (allow guix_daemon_t
+ passwd_file_t
+ (file (getattr open read)))
+
;; Permit communication with NSCD
(allow guix_daemon_t
nscd_var_run_t
@@ -71,25 +114,44 @@
(allow guix_daemon_t
nscd_t
(unix_stream_socket (connectto)))
+ (allow guix_daemon_t nscd_t
+ (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+ ;; permit downloading packages via HTTP(s)
+ (allow guix_daemon_t http_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ftp_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ephemeral_port_t
+ (tcp_socket (name_connect)))
;; Permit logging and temp file access
(allow guix_daemon_t
tmp_t
- (lnk_file (setattr unlink)))
+ (lnk_file (create rename setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+ (allow guix_daemon_t
+ tmp_t
+ (fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
- (dir (create
- rmdir
+ (dir (create rename
+ rmdir relabelto
add_name remove_name
open read write
getattr setattr
search)))
+ (allow guix_daemon_t
+ tmp_t
+ (sock_file (create getattr setattr unlink write)))
(allow guix_daemon_t
var_log_t
(file (create getattr open write)))
(allow guix_daemon_t
var_log_t
- (dir (getattr write add_name)))
+ (dir (getattr create write add_name)))
(allow guix_daemon_t
var_run_t
(lnk_file (read)))
@@ -100,10 +162,10 @@
;; Spawning processes, execute helpers
(allow guix_daemon_t
self
- (process (fork)))
+ (process (fork execmem setrlimit setpgid setsched)))
(allow guix_daemon_t
guix_daemon_exec_t
- (file (execute execute_no_trans read open)))
+ (file (execute execute_no_trans read open entrypoint map)))
;; TODO: unknown
(allow guix_daemon_t
@@ -119,38 +181,51 @@
;; Build isolation
(allow guix_daemon_t
guix_store_content_t
- (file (mounton)))
+ (file (ioctl mounton)))
(allow guix_store_content_t
fs_t
(filesystem (associate)))
(allow guix_daemon_t
guix_store_content_t
- (dir (mounton)))
+ (dir (read mounton)))
(allow guix_daemon_t
guix_daemon_t
(capability (net_admin
fsetid fowner
chown setuid setgid
dac_override dac_read_search
- sys_chroot)))
+ sys_chroot
+ sys_admin)))
(allow guix_daemon_t
fs_t
(filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (dir (search)))
(allow guix_daemon_t
devpts_t
(filesystem (mount)))
(allow guix_daemon_t
devpts_t
- (chr_file (setattr getattr)))
+ (chr_file (ioctl open read write setattr getattr)))
(allow guix_daemon_t
tmpfs_t
- (filesystem (mount)))
+ (filesystem (getattr mount)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (file (create open read unlink write)))
(allow guix_daemon_t
tmpfs_t
- (dir (getattr)))
+ (dir (getattr add_name remove_name write)))
(allow guix_daemon_t
proc_t
- (filesystem (mount)))
+ (file (getattr open read)))
+ (allow guix_daemon_t
+ proc_t
+ (dir (read)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (associate mount)))
(allow guix_daemon_t
null_device_t
(chr_file (getattr open read write)))
@@ -179,7 +254,7 @@
search rename
add_name remove_name
open write
- rmdir)))
+ rmdir relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(file (create
@@ -189,7 +264,7 @@
link unlink
map
rename
- open read write)))
+ open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
@@ -197,17 +272,23 @@
link unlink
read
rename)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (fifo_file (create getattr open read unlink write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (sock_file (create getattr unlink write)))
;; Access to configuration files and directories
(allow guix_daemon_t
guix_daemon_conf_t
- (dir (search
+ (dir (search create
setattr getattr
add_name remove_name
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
- (file (create
+ (file (create rename
lock
map
getattr setattr
@@ -216,11 +297,17 @@
(allow guix_daemon_t
guix_daemon_conf_t
(lnk_file (create getattr rename unlink)))
+ (allow guix_daemon_t net_conf_t
+ (file (getattr open read)))
+ (allow guix_daemon_t net_conf_t
+ (lnk_file (read)))
+ (allow guix_daemon_t NetworkManager_var_run_t
+ (dir (search)))
;; Access to profiles
(allow guix_daemon_t
guix_profiles_t
- (dir (getattr setattr read open)))
+ (dir (search getattr setattr read write open create add_name)))
(allow guix_daemon_t
guix_profiles_t
(lnk_file (read getattr)))
@@ -233,8 +320,22 @@
(allow guix_daemon_t
user_home_t
(dir (search)))
+ (allow guix_daemon_t
+ cache_home_t
+ (dir (search)))
+
+ ;; self upgrades
+ (allow guix_daemon_t
+ self
+ (dir (add_name write)))
+ (allow guix_daemon_t
+ self
+ (netlink_route_socket (bind create getattr nlmsg_read read write)))
;; Socket operations
+ (allow guix_daemon_t
+ guix_daemon_socket_t
+ (sock_file (unlink)))
(allow guix_daemon_t
init_t
(fd (use)))
@@ -253,12 +354,53 @@
read write
connect bind accept
getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+ (allow guix_daemon_t
+ unreserved_port_t
+ (tcp_socket (name_bind name_connect accept listen)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (connect getattr bind getopt setopt)))
(allow guix_daemon_t
self
(fifo_file (write read)))
(allow guix_daemon_t
self
(udp_socket (ioctl create)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (connectto)))
+
+ (allow guix_daemon_t
+ node_t
+ (tcp_socket (node_bind)))
+ (allow guix_daemon_t
+ node_t
+ (udp_socket (node_bind)))
+ (allow guix_daemon_t
+ port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t
+ rtp_media_port_t
+ (udp_socket (name_bind)))
+ (allow guix_daemon_t
+ vnc_port_t
+ (tcp_socket (name_bind)))
+
+ ;; I guess sometimes it needs random numbers
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (read)))
+
+ ;; guix system vm
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (ioctl open read write)))
+ (allow guix_daemon_t
+ kernel_t
+ (system (ipc_info)))
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread* [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
` (2 preceding siblings ...)
2020-11-13 0:07 ` [bug#44549] [PATCH v3] " Daniel Brooks
@ 2020-11-14 14:57 ` Daniel Brooks
2020-11-15 22:19 ` bug#44549: " Marius Bakke
2020-11-14 16:49 ` [bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon Daniel Brooks
4 siblings, 1 reply; 14+ messages in thread
From: Daniel Brooks @ 2020-11-14 14:57 UTC (permalink / raw)
To: 44549
[-- Attachment #1: Type: text/plain, Size: 80 bytes --]
This update adds a filecon rule for the guix-daemon shell script in the store.
[-- Attachment #2: [PATCH v4] etc: updates for the guix-daemon SELinux policy --]
[-- Type: text/x-patch, Size: 12369 bytes --]
From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
---
etc/guix-daemon.cil.in | 180 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 162 insertions(+), 18 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..91958b7617 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,8 @@
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +23,18 @@
;; Intermediate Language (CIL). It refers to types that must be defined in
;; the system's base policy.
+;; If you, like me, need advice about fixing an SELinux policy, I recommend
+;; reading https://danwalsh.livejournal.com/55324.html
+
+;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
+;; to allow guix-daemon to do whatever it wants. SELinux will still check its
+;; permissions, and when it doesn't have permission it will still send an
+;; audit message to your system logs. This lets you know what permissions it
+;; ought to have. Use ausearch --raw to find the permissions violations, then
+;; pipe that to audit2allow to generate an updated policy. You'll still need
+;; to translate that policy into CIL in order to update this file, but that's
+;; fairly straight-forward. Annoying, but easy.
+
(block guix_daemon
;; Require existing types
(typeattributeset cil_gen_require init_t)
@@ -34,14 +48,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
@@ -55,6 +74,30 @@
(typetransition guix_store_content_t guix_daemon_exec_t
process guix_daemon_t)
+ (roletype system_r guix_daemon_t)
+
+ ;; allow init_t to read and execute guix files
+ (allow init_t
+ guix_profiles_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_daemon_exec_t
+ (file (execute)))
+ (allow init_t
+ guix_daemon_t
+ (process (transition)))
+ (allow init_t
+ guix_store_content_t
+ (lnk_file (read)))
+ (allow init_t
+ guix_store_content_t
+ (file (open read execute)))
+
+ ;; guix-daemon needs to know the names of users
+ (allow guix_daemon_t
+ passwd_file_t
+ (file (getattr open read)))
+
;; Permit communication with NSCD
(allow guix_daemon_t
nscd_var_run_t
@@ -71,25 +114,44 @@
(allow guix_daemon_t
nscd_t
(unix_stream_socket (connectto)))
+ (allow guix_daemon_t nscd_t
+ (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
+
+ ;; permit downloading packages via HTTP(s)
+ (allow guix_daemon_t http_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ftp_port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t ephemeral_port_t
+ (tcp_socket (name_connect)))
;; Permit logging and temp file access
(allow guix_daemon_t
tmp_t
- (lnk_file (setattr unlink)))
+ (lnk_file (create rename setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+ (allow guix_daemon_t
+ tmp_t
+ (fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
- (dir (create
- rmdir
+ (dir (create rename
+ rmdir relabelto
add_name remove_name
open read write
getattr setattr
search)))
+ (allow guix_daemon_t
+ tmp_t
+ (sock_file (create getattr setattr unlink write)))
(allow guix_daemon_t
var_log_t
(file (create getattr open write)))
(allow guix_daemon_t
var_log_t
- (dir (getattr write add_name)))
+ (dir (getattr create write add_name)))
(allow guix_daemon_t
var_run_t
(lnk_file (read)))
@@ -100,10 +162,10 @@
;; Spawning processes, execute helpers
(allow guix_daemon_t
self
- (process (fork)))
+ (process (fork execmem setrlimit setpgid setsched)))
(allow guix_daemon_t
guix_daemon_exec_t
- (file (execute execute_no_trans read open)))
+ (file (execute execute_no_trans read open entrypoint map)))
;; TODO: unknown
(allow guix_daemon_t
@@ -119,38 +181,51 @@
;; Build isolation
(allow guix_daemon_t
guix_store_content_t
- (file (mounton)))
+ (file (ioctl mounton)))
(allow guix_store_content_t
fs_t
(filesystem (associate)))
(allow guix_daemon_t
guix_store_content_t
- (dir (mounton)))
+ (dir (read mounton)))
(allow guix_daemon_t
guix_daemon_t
(capability (net_admin
fsetid fowner
chown setuid setgid
dac_override dac_read_search
- sys_chroot)))
+ sys_chroot
+ sys_admin)))
(allow guix_daemon_t
fs_t
(filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (dir (search)))
(allow guix_daemon_t
devpts_t
(filesystem (mount)))
(allow guix_daemon_t
devpts_t
- (chr_file (setattr getattr)))
+ (chr_file (ioctl open read write setattr getattr)))
(allow guix_daemon_t
tmpfs_t
- (filesystem (mount)))
+ (filesystem (getattr mount)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (file (create open read unlink write)))
(allow guix_daemon_t
tmpfs_t
- (dir (getattr)))
+ (dir (getattr add_name remove_name write)))
(allow guix_daemon_t
proc_t
- (filesystem (mount)))
+ (file (getattr open read)))
+ (allow guix_daemon_t
+ proc_t
+ (dir (read)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (associate mount)))
(allow guix_daemon_t
null_device_t
(chr_file (getattr open read write)))
@@ -179,7 +254,7 @@
search rename
add_name remove_name
open write
- rmdir)))
+ rmdir relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(file (create
@@ -189,7 +264,7 @@
link unlink
map
rename
- open read write)))
+ open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
(lnk_file (create
@@ -197,17 +272,23 @@
link unlink
read
rename)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (fifo_file (create getattr open read unlink write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (sock_file (create getattr unlink write)))
;; Access to configuration files and directories
(allow guix_daemon_t
guix_daemon_conf_t
- (dir (search
+ (dir (search create
setattr getattr
add_name remove_name
open read write)))
(allow guix_daemon_t
guix_daemon_conf_t
- (file (create
+ (file (create rename
lock
map
getattr setattr
@@ -216,11 +297,17 @@
(allow guix_daemon_t
guix_daemon_conf_t
(lnk_file (create getattr rename unlink)))
+ (allow guix_daemon_t net_conf_t
+ (file (getattr open read)))
+ (allow guix_daemon_t net_conf_t
+ (lnk_file (read)))
+ (allow guix_daemon_t NetworkManager_var_run_t
+ (dir (search)))
;; Access to profiles
(allow guix_daemon_t
guix_profiles_t
- (dir (getattr setattr read open)))
+ (dir (search getattr setattr read write open create add_name)))
(allow guix_daemon_t
guix_profiles_t
(lnk_file (read getattr)))
@@ -233,8 +320,22 @@
(allow guix_daemon_t
user_home_t
(dir (search)))
+ (allow guix_daemon_t
+ cache_home_t
+ (dir (search)))
+
+ ;; self upgrades
+ (allow guix_daemon_t
+ self
+ (dir (add_name write)))
+ (allow guix_daemon_t
+ self
+ (netlink_route_socket (bind create getattr nlmsg_read read write)))
;; Socket operations
+ (allow guix_daemon_t
+ guix_daemon_socket_t
+ (sock_file (unlink)))
(allow guix_daemon_t
init_t
(fd (use)))
@@ -253,12 +354,53 @@
read write
connect bind accept
getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
+ (allow guix_daemon_t
+ unreserved_port_t
+ (tcp_socket (name_bind name_connect accept listen)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (connect getattr bind getopt setopt)))
(allow guix_daemon_t
self
(fifo_file (write read)))
(allow guix_daemon_t
self
(udp_socket (ioctl create)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (connectto)))
+
+ (allow guix_daemon_t
+ node_t
+ (tcp_socket (node_bind)))
+ (allow guix_daemon_t
+ node_t
+ (udp_socket (node_bind)))
+ (allow guix_daemon_t
+ port_t
+ (tcp_socket (name_connect)))
+ (allow guix_daemon_t
+ rtp_media_port_t
+ (udp_socket (name_bind)))
+ (allow guix_daemon_t
+ vnc_port_t
+ (tcp_socket (name_bind)))
+
+ ;; I guess sometimes it needs random numbers
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (read)))
+
+ ;; guix system vm
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (ioctl open read write)))
+ (allow guix_daemon_t
+ kernel_t
+ (system (ipc_info)))
;; Label file system
(filecon "@guix_sysconfdir@/guix(/.*)?"
@@ -277,5 +419,7 @@
file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/[a-z0-9]+-guix-daemon"
+ file (system_u object_r guix_daemon_exec_t (low low)))
(filecon "@guix_localstatedir@/guix/daemon-socket/socket"
any (system_u object_r guix_daemon_socket_t (low low))))
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread* bug#44549: [PATCH v4] etc: updates for the guix-daemon SELinux policy
2020-11-14 14:57 ` [bug#44549] [PATCH v4] " Daniel Brooks
@ 2020-11-15 22:19 ` Marius Bakke
0 siblings, 0 replies; 14+ messages in thread
From: Marius Bakke @ 2020-11-15 22:19 UTC (permalink / raw)
To: Daniel Brooks, 44549-done
[-- Attachment #1: Type: text/plain, Size: 825 bytes --]
Daniel Brooks <db48x@db48x.net> writes:
> This update adds a filecon rule for the guix-daemon shell script in the store.
>
>>From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x@db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.
>
> I can't promise that this is a complete list of everything that guix-daemon
> needs, but it's probably most of them. It can search for, install, upgrade,
> and remove packages, create virtual machines and containers, update itself,
> and so on.
Pushed to the 'version-1.2.0' branch, which will show up on 'master'
eventually. Thank you!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* [bug#44549] [PATCH v4] doc: add a note about relabling after upgrades to the guix deamon
2020-11-10 9:42 [bug#44549] [PATCH] etc: updates for the guix-daemon SELinux policy Daniel Brooks
` (3 preceding siblings ...)
2020-11-14 14:57 ` [bug#44549] [PATCH v4] " Daniel Brooks
@ 2020-11-14 16:49 ` Daniel Brooks
2020-11-15 22:18 ` Marius Bakke
4 siblings, 1 reply; 14+ messages in thread
From: Daniel Brooks @ 2020-11-14 16:49 UTC (permalink / raw)
To: 44549
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: [PATCH v4] doc: add a note about relabling after upgrades to the --]
[-- Type: text/x-patch, Size: 1154 bytes --]
From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x@db48x.net>
Date: Sat, 14 Nov 2020 08:04:30 -0800
Subject: [PATCH v4] doc: add a note about relabling after upgrades to the
SELinux Support section of the manual
* doc/guix.texi (SELinux Support): add note about upgrades
---
doc/guix.texi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/doc/guix.texi b/doc/guix.texi
index 8440ffffc7..67f5155b9f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1398,6 +1398,11 @@ install and run it, which lifts it into the @code{guix_daemon_t} domain.
At that point SELinux could not prevent it from accessing files that are
allowed for processes in that domain.
+You will need to relabel the @file{/gnu} directory after all upgrades to
+@file{guix-daemon}, such as with @code{guix pull}. You can do this with
+@code{restorecon -vR /gnu}, or by other means provided by your operating
+system.
+
We could generate a much more restrictive policy at installation time,
so that only the @emph{exact} file name of the currently installed
@code{guix-daemon} executable would be labelled with
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread