* [PATCH] Add SELinux policy for guix-daemon.
@ 2018-01-25 16:17 Ricardo Wurmus
2018-01-25 17:14 ` Ludovic Courtès
From: Ricardo Wurmus @ 2018-01-25 16:17 UTC (permalink / raw)
To: guix-devel
Hi Guix,
attached is a patch that adds an SELinux policy for the guix-daemon.
The policy defines the guix_daemon_t domain and specifies what labels
may be accessed and how by processes running in that domain.
These file labels are defined:
* guix_daemon_conf_t
for Guix configuration files (in localstatedir and sysconfdir)
* guix_daemon_exec_t
for executables spawned by the daemon (which are allowed to run in the
guix_daemon_t domain)
* guix_daemon_socket_t
for the daemon socket file
* guix_profiles_t
for the contents of the profiles directory
The “filecon” statements near the bottom of the file specify which
labels are to be used for what file names.
I tested this with “guix build --no-grafts --check hello”, “guix build
samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
no operations were blocked by SELinux.
If you want to test this on Fedora, set SELinux to permissive, and make
sure to configure Guix properly (i.e. set localstatedir, prefix, and
sysconfdir). Then install the policy with “sudo semodule -i
etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
$localstatedir, $sysconfdir, and $prefix) with something like this:
sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
This will take a very long time (a couple of hours).
Restart the daemon. Check that it now runs in the guix_daemon_t
context:
ps -Zax | grep /bin/guix-daemon
This should return something like this
system_u:system_r:guix_daemon.guix_daemon_t:s0 14886 ? Ss 0:00 /root/.guix-profile/bin/guix-daemon --build-users-group=guix-builder
Check the audit log for violations:
sudo tail -f /var/log/audit/audit.log | grep x-daemon
And then use Guix:
guix build --no-grafts --check hello
The audit log shouldn’t show you any complaints. At this point you
could probably switch to enforcing mode, but I haven’t tested this
myself for no particular reason.
Open issues:
* guix_daemon_socket_t isn’t actually used. All of the socket
operations that I observed involve contexts that don’t have anything
to do with guix_daemon_socket_t. It doesn’t hurt to have this unused
label, but I would have preferred to define socket rules for only this
label. Oh well.
* “guix gc” cannot access arbitrary links to profiles. By design, the
file label of the destination of a symlink is independent of the file
label of the link itself. Although all profiles under $localstatedir
are labelled, the links to these profiles inherit the label of the
directory they are in. For links in the user’s home directory this
will be “user_home_t” (for which I’ve added a rule). But for links
from root’s home directory, or /tmp, or the HTTP server’s working
directory … this won’t work. “guix gc” would be prevented from
reading and following these links.
* I don’t know if the daemon’s TCP listen feature still works. I didn’t
test it and assume that it would require extra rules, because SELinux
treats network sockets differently from files.
* Is this all correct? I don’t know! I only just learned about the
SELinux Common Intermediate Language (CIL), and the documentation is
very sparse, so I have no idea if I did something stupid. It seems
fine to me, but I must admit that I find it a bit uncomfortable to see
so many access types in the rules.
* I allowed type transitions from init_t to guix_daemon_t via
guix_daemon_exec_t, but also from guix_store_content_t to
guix_daemon_t via guix_daemon_exec_t. Type transitions are necessary
to get from an allowed entry point to a domain. On Fedora “init_t” is
the domain in which processes spawned by the init system run. With
the first type transition I permit these processes to
transition to the guix_daemon_t domain when the executables are
labeled as guix_daemon_exec_t (such as the daemon executable itself,
and all the helpers it spawns).
This much is obvious. But the second type transition is less obvious.
It is needed to make sure that we can enter the guix_daemon_t domain
even when running the daemon from an executable in the store (which
will be running in the “guix_store_content_t” domain). Thinking of
this, I wonder if maybe that’s actually a mistake and shouldn’t be
permitted.
* A possible problem is that I assign all files with a name matching
“/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
“guix_daemon_exec_t”; this means that *any* file with that name in any
profile would be permitted to run in the guix_daemon_t domain. This
is not ideal. An attacker could build a package that provides this
executable and convince a user to install and run it, which lifts it
into the guix_daemon_t domain. At that point SELinux could not
prevent it from accessing files that are allowed for processes in that
domain (such as the actual daemon).
This makes me wonder if we could do better by generating a much more
restrictive policy at installation time, so that only the *exact* file
name of the currently installed guix-daemon executable would be
labelled with guix_daemon_exec_t, instead of using a regular
expression like that. This means that root would have to
install/upgrade the policy at installation time whenever the Guix
package that provides the effectively running guix-daemon executable
is upgraded. Food for thought.
Without further ado, here’s the patch:
[-- Attachment #2: 0001-etc-Add-SELinux-policy-for-the-daemon.patch --]
From d20bae0953d5d0a6bf1c06ab44505af6dea4df4d Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
Date: Thu, 25 Jan 2018 15:21:07 +0100
Subject: [PATCH] etc: Add SELinux policy for the daemon.
* etc/guix-daemon.cil.in: New file.
* Makefile.am: Add dist_selinux_policy_DATA.
* configure.ac: Handle --with-selinux-policy-dir.
---
Makefile.am | 3 +
configure.ac | 10 +-
etc/guix-daemon.cil.in | 281 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 293 insertions(+), 1 deletion(-)
create mode 100644 etc/guix-daemon.cil.in
diff --git a/Makefile.am b/Makefile.am
index aebd3b1eb..8f8ca0059 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -431,6 +431,9 @@ dist_zshcompletion_DATA = etc/completion/zsh/_guix
# Fish completion file.
dist_fishcompletion_DATA = etc/completion/fish/guix.fish
+# SELinux policy
+dist_selinux_policy_DATA = etc/guix-daemon.cil
+
EXTRA_DIST = \
HACKING \
ROADMAP \
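Review bot: `dist_selinux_policy_DATA = etc/guix-daemon.cil` marks a configure-generated file for distribution, so `make dist` would ship a guix-daemon.cil with the packager's @storedir@, @prefix@ and localstatedir values baked into the filecon regexes; drop the `dist_` prefix (`selinux_policy_DATA = etc/guix-daemon.cil`), since automake already distributes the `etc/guix-daemon.cil.in` input named in AC_CONFIG_FILES. The file is also installed unconditionally, including on hosts without SELinux; either make installation depend on `--with-selinux-policy-dir` being given or document that installing the file does nothing until root runs `semodule -i` on it.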
diff --git a/configure.ac b/configure.ac
index 1e3912248..de86bfdd3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,13 @@ AC_ARG_WITH([fish-completion-dir],
[fishcompletiondir='${datadir}/fish/vendor_completions.d'])
AC_SUBST([fishcompletiondir])
+AC_ARG_WITH([selinux-policy-dir],
+ AC_HELP_STRING([--with-selinux-policy-dir=DIR],
+ [name of the SELinux policy directory]),
+ [selinux_policydir="$withval"],
+ [selinux_policydir='${datadir}/selinux/'])
+AC_SUBST([selinux_policydir])
+
dnl Better be verbose.
AC_MSG_CHECKING([for the store directory])
AC_MSG_RESULT([$storedir])
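Review bot: `AC_HELP_STRING` is the obsolete spelling; current autoconf documents `AS_HELP_STRING`. The default `'${datadir}/selinux/'` carries a trailing slash unlike the other directory defaults in this file (compare `fishcompletiondir='${datadir}/fish/vendor_completions.d'` just above), which produces install paths like `.../selinux//guix-daemon.cil`; drop it. `$withval` is also taken verbatim, so `--without-selinux-policy-dir` would turn into a literal directory named `no`; handle `no` explicitly (skip installation) or state in the help string that the option only chooses the directory.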
@@ -270,7 +277,8 @@ esac
AC_CONFIG_FILES([Makefile
po/guix/Makefile.in
po/packages/Makefile.in
- guix/config.scm])
+ etc/guix-daemon.cil
+ guix/config.scm])
AC_CONFIG_FILES([scripts/guix], [chmod +x scripts/guix])
AC_CONFIG_FILES([test-env:build-aux/test-env.in], [chmod +x test-env])
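Review bot: adding `etc/guix-daemon.cil` to AC_CONFIG_FILES substitutes @storedir@, @prefix@, @guix_sysconfdir@ and @guix_localstatedir@ straight into CIL `filecon` regular expressions, and nothing escapes them: a store directory or prefix containing regex metacharacters (`+`, `.`, `(`) would silently change which files get labelled. Escape the substituted values before they reach the template, or at least say in a comment at the top of the .in file that these paths are used verbatim as regexes; the AC_SUBST definitions the template relies on are not visible in this hunk, so confirm each one exists. The commit message could also note that the installed file still has to be loaded with `semodule -i` and point at the manual section Ludovic asks for.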
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
new file mode 100644
index 000000000..825c12712
--- /dev/null
+++ b/etc/guix-daemon.cil.in
@@ -0,0 +1,281 @@
+; -*- lisp -*-
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(block guix_daemon
+ ;; Require existing types
+ (typeattributeset cil_gen_require init_t)
+ (typeattributeset cil_gen_require tmp_t)
+ (typeattributeset cil_gen_require nscd_var_run_t)
+ (typeattributeset cil_gen_require var_log_t)
+ (typeattributeset cil_gen_require domain)
+
+ ;; Declare own types
+ (type guix_daemon_t)
+ (roletype object_r guix_daemon_t)
+ (type guix_daemon_conf_t)
+ (roletype object_r guix_daemon_conf_t)
+ (type guix_daemon_exec_t)
+ (roletype object_r guix_daemon_exec_t)
+ (type guix_daemon_socket_t)
+ (roletype object_r guix_daemon_socket_t)
+ (type guix_store_content_t)
+ (roletype object_r guix_store_content_t)
+ (type guix_profiles_t)
+ (roletype object_r guix_profiles_t)
+
+ ;; These types are domains, thereby allowing process rules
+ (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
+
+ (level low (s0))
+
+ ;; When a process in init_t or guix_store_content_t spawns a
+ ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
+ (typetransition init_t guix_daemon_exec_t
+ process guix_daemon_t)
+ (typetransition guix_store_content_t guix_daemon_exec_t
+ process guix_daemon_t)
+
+ ;; Permit communication with NSCD
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (file (map read)))
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (dir (search)))
+ (allow guix_daemon_t
+ nscd_var_run_t
+ (sock_file (write)))
+ (allow guix_daemon_t
+ nscd_t
+ (fd (use)))
+ (allow guix_daemon_t
+ nscd_t
+ (unix_stream_socket (connectto)))
+
+ ;; Permit logging and temp file access
+ (allow guix_daemon_t
+ tmp_t
+ (lnk_file (setattr unlink)))
+ (allow guix_daemon_t
+ tmp_t
+ (dir (create
+ rmdir
+ add_name remove_name
+ open read write
+ getattr setattr
+ search)))
+ (allow guix_daemon_t
+ var_log_t
+ (file (create getattr open write)))
+ (allow guix_daemon_t
+ var_log_t
+ (dir (getattr write add_name)))
+ (allow guix_daemon_t
+ var_run_t
+ (lnk_file (read)))
+ (allow guix_daemon_t
+ var_run_t
+ (dir (search)))
+
+ ;; Spawning processes, execute helpers
+ (allow guix_daemon_t
+ self
+ (process (fork)))
+ (allow guix_daemon_t
+ guix_daemon_exec_t
+ (file (execute execute_no_trans read open)))
+
+ ;; TODO: unknown
+ (allow guix_daemon_t
+ root_t
+ (dir (mounton)))
+ (allow guix_daemon_t
+ fs_t
+ (filesystem (getattr)))
+ (allow guix_daemon_conf_t
+ fs_t
+ (filesystem (associate)))
+
+ ;; Build isolation
+ (allow guix_daemon_t
+ guix_store_content_t
+ (file (mounton)))
+ (allow guix_store_content_t
+ fs_t
+ (filesystem (associate)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (dir (mounton)))
+ (allow guix_daemon_t
+ guix_daemon_t
+ (capability (net_admin
+ fsetid fowner
+ chown setuid setgid
+ dac_override dac_read_search
+ sys_chroot)))
+ (allow guix_daemon_t
+ fs_t
+ (filesystem (unmount)))
+ (allow guix_daemon_t
+ devpts_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ devpts_t
+ (chr_file (setattr getattr)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (dir (getattr)))
+ (allow guix_daemon_t
+ proc_t
+ (filesystem (mount)))
+ (allow guix_daemon_t
+ null_device_t
+ (chr_file (getattr open read write)))
+ (allow guix_daemon_t
+ kvm_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ zero_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ urandom_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ random_device_t
+ (chr_file (getattr)))
+ (allow guix_daemon_t
+ devtty_t
+ (chr_file (getattr)))
+
+ ;; Access to store items
+ (allow guix_daemon_t
+ guix_store_content_t
+ (dir (reparent
+ create
+ getattr setattr
+ search rename
+ add_name remove_name
+ open write
+ rmdir)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (file (create
+ lock
+ setattr getattr
+ execute execute_no_trans
+ link unlink
+ map
+ rename
+ open read write)))
+ (allow guix_daemon_t
+ guix_store_content_t
+ (lnk_file (create
+ getattr setattr
+ link unlink
+ read
+ rename)))
+
+ ;; Access to configuration files and directories
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (dir (search
+ setattr getattr
+ add_name remove_name
+ open read write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (file (create
+ lock
+ map
+ getattr setattr
+ unlink
+ open read write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (lnk_file (create getattr rename unlink)))
+
+ ;; Access to profiles
+ (allow guix_daemon_t
+ guix_profiles_t
+ (dir (getattr setattr read open)))
+ (allow guix_daemon_t
+ guix_profiles_t
+ (lnk_file (read getattr)))
+
+ ;; Access to profile links in the home directory
+ ;; TODO: allow access to profile links *anywhere* on the filesystem
+ (allow guix_daemon_t
+ user_home_t
+ (lnk_file (read getattr)))
+ (allow guix_daemon_t
+ user_home_t
+ (dir (search)))
+
+ ;; Socket operations
+ (allow guix_daemon_t
+ init_t
+ (fd (use)))
+ (allow guix_daemon_t
+ init_t
+ (unix_stream_socket (write)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (unix_stream_socket (listen)))
+ (allow guix_daemon_t
+ guix_daemon_conf_t
+ (sock_file (create unlink)))
+ (allow guix_daemon_t
+ self
+ (unix_stream_socket (create
+ read write
+ connect bind accept
+ getopt setopt)))
+ (allow guix_daemon_t
+ self
+ (fifo_file (write read)))
+ (allow guix_daemon_t
+ self
+ (udp_socket (ioctl create)))
+
+ ;; Label file system
+ (filecon "@guix_sysconfdir@/guix(/.*)?"
+ any (system_u object_r guix_daemon_conf_t (low low)))
+ (filecon "@guix_localstatedir@/guix(/.*)?"
+ any (system_u object_r guix_daemon_conf_t (low low)))
+ (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
+ any (system_u object_r guix_profiles_t (low low)))
+ (filecon "/gnu"
+ dir (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@storedir@(/.+)?"
+ any (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@storedir@/[^/]+/.+"
+ any (unconfined_u object_r guix_store_content_t (low low)))
+ (filecon "@prefix@/bin/guix-daemon"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
+ file (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
+ any (system_u object_r guix_daemon_exec_t (low low)))
+ (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
+ any (system_u object_r guix_daemon_socket_t (low low))))
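Review bot: `(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))` puts a file type into the `domain` attribute; only `guix_daemon_t` is a process domain, and every rule the base policy grants to or about `domain` now also covers executables labelled `guix_daemon_exec_t`, so make it `(typeattributeset domain (guix_daemon_t))` and attach the file types to the base policy's file-type attribute instead. Second, the `typetransition` from `init_t` only chooses the target domain: nothing in this file grants `(allow init_t guix_daemon_t (process (transition)))` or `(allow guix_daemon_t guix_daemon_exec_t (file (entrypoint)))`, and the mount/unmount rules imply CAP_SYS_ADMIN although `sys_admin` is missing from the capability list; unless the Fedora base policy supplies these, the transition and the build sandbox will fail in enforcing mode, which the permissive-mode tests described above cannot show, so check with `sesearch -A -s init_t -t guix_daemon_t -c process` and a short enforcing run before merging. Third, the "guix_daemon_socket_t isn't actually used" open issue is explained by this hunk: `filecon` entries only take effect when restorecon runs, while the socket the daemon creates at start-up inherits the type of its directory, `guix_daemon_conf_t`, which is why the observed socket rules ended up on that type; `(typetransition guix_daemon_t guix_daemon_conf_t sock_file guix_daemon_socket_t)` plus `(allow guix_daemon_t guix_daemon_socket_t (sock_file (create unlink)))` would put the dedicated type to use. Minor: the `/gnu` and `@storedir@` entries use `unconfined_u` while every other filecon uses `system_u`; `@storedir@/[^/]+/.+` is already covered by `@storedir@(/.+)?`; `(allow guix_daemon_t guix_daemon_t (capability ...))` can be written with `self`; the `cil_gen_require` lines are the form checkmodule emits for `require` blocks and are not needed for name resolution in CIL (and several types used below, such as nscd_t, var_run_t, root_t and fs_t, are not listed anyway); and the rules under `;; TODO: unknown` (`mounton` on root_t, `getattr` on fs_t) need a comment naming the daemon operation that requires them.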
--
2.15.1
--
Ricardo
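The "check the audit log for violations" step in the message above is done by eye with `tail -f | grep`. The following script, added here as an illustration and not part of the Guix patch or of the SELinux tools, automates what a policy author actually wants from that log: it parses audit.log AVC records, keeps the denials whose source is the daemon's domain (`guix_daemon.guix_daemon_t`, the block-qualified name `ps -Z` shows), and separates files that are merely mislabelled (where the fix is `restorecon`, not a new rule) from accesses the policy genuinely lacks, which it renders as candidate CIL `allow` statements. `SAMPLE_LOG` is constructed for the example, and the path-to-type table assumes sysconfdir=/etc, localstatedir=/var and storedir=/gnu/store; a real run would read `/var/log/audit/audit.log`.

```python
"""Summarise SELinux AVC denials for one domain and draft CIL rules from them.

Added example for this thread, not part of Guix or of the SELinux tools.
SAMPLE_LOG is constructed; the label table assumes /etc, /var, /gnu/store.
"""
import re
from collections import defaultdict

DAEMON_DOMAIN = "guix_daemon.guix_daemon_t"  # block-qualified, as ps -Z prints it

# An AVC record: "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit.log lines (permissive=1: the access was logged, not blocked).
SAMPLE_LOG = """\
type=AVC msg=audit(1516900000.100:101): avc:  denied  { read open } for  pid=14886 comm="guix-daemon" path="/var/guix/db/db.sqlite" dev="dm-0" ino=1 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516900000.200:102): avc:  denied  { write } for  pid=14886 comm="guix-daemon" path="/var/guix/db/db.sqlite" dev="dm-0" ino=1 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516900000.300:103): avc:  denied  { sys_admin } for  pid=14890 comm="guix-daemon" capability=21 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1516900000.300:103): arch=c000003e syscall=56 success=yes exit=14891
type=AVC msg=audit(1516900000.400:104): avc:  denied  { name_connect } for  pid=2000 comm="curl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1516900000.500:105): avc:  denied  { read open getattr } for  pid=14892 comm="guix-daemon" path="/tmp/guix-build-hello.drv-0/environment-variables" dev="dm-0" ino=77 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# (regex, type) derived from the patch's filecon entries with the install paths
# filled in (assumption).  Most specific entry first: the lookup is first-match.
EXPECTED_LABELS = [
    (re.compile(r"/etc/guix(/.*)?$"), "guix_daemon.guix_daemon_conf_t"),
    (re.compile(r"/var/guix/profiles(/.*)?$"), "guix_daemon.guix_profiles_t"),
    (re.compile(r"/var/guix(/.*)?$"), "guix_daemon.guix_daemon_conf_t"),
    (re.compile(r"/gnu/store(/.+)?$"), "guix_daemon.guix_store_content_t"),
]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = sorted(m.group("perms").split())
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def expected_type(path):
    """Type the filecon table says `path` should carry, or None if unlabelled."""
    for rx, typ in EXPECTED_LABELS:
        if rx.match(path):
            return typ
    return None


def analyse(log_text, domain=DAEMON_DOMAIN):
    """Split the domain's denials into mislabelled paths and missing rules."""
    missing = defaultdict(set)  # (target type or "self", class) -> perms
    mislabelled = {}            # path -> (actual type, type filecon expects)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["stype"] != domain:
            continue
        path = rec.get("path")
        wanted = expected_type(path) if path else None
        if wanted and wanted != rec["ttype"]:
            mislabelled[path] = (rec["ttype"], wanted)  # relabel, do not allow
            continue
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        missing[(target, rec["tclass"])].update(rec["perms"])
    return dict(missing), mislabelled


def to_cil(missing, domain=DAEMON_DOMAIN):
    """One CIL allow statement per (target, class) group, for review."""
    return [f"(allow {domain} {target} ({tclass} ({' '.join(sorted(perms))})))"
            for (target, tclass), perms in sorted(missing.items())]


if __name__ == "__main__":
    rules, bad = analyse(SAMPLE_LOG)
    for path, (actual, wanted) in bad.items():
        print(f"relabel {path}: is {actual}, filecon expects {wanted}")
    print("\n".join(to_cil(rules)))
```

On the sample, the two `var_t` denials under `/var/guix` are reported as a labelling problem rather than turned into `allow` rules, which is the mistake `audit2allow`-style tooling invites: granting the daemon access to the generic type instead of running `restorecon`. The `sys_admin` and `tmp_t` denials become rules for the author to judge; the unrelated `curl` denial is ignored because its source domain is not the daemon's.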
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-25 16:17 [PATCH] Add SELinux policy for guix-daemon Ricardo Wurmus
@ 2018-01-25 17:14 ` Ludovic Courtès
2018-01-26 11:18 ` Catonano
` (3 subsequent siblings)
From: Ludovic Courtès @ 2018-01-25 17:14 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
Hello!
Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
Impressive! I know nothing about SELinux so I can’t comment on the
specifics.
> These file labels are defined:
[...]
> The audit log shouldn’t show you any complaints. At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.
What about putting this text in a new “SELinux Support” section or
similar, along with the current limitations?
> Open issues:
[...]
> * A possible problem is that I assign all files with a name matching
> “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
> “guix_daemon_exec_t”; this means that *any* file with that name in any
> profile would be permitted to run in the guix_daemon_t domain. This
> is not ideal. An attacker could build a package that provides this
> executable and convince a user to install and run it, which lifts it
> into the guix_daemon_t domain. At that point SELinux could not
> prevent it from accessing files that are allowed for processes in that
> domain (such as the actual daemon).
>
> This makes me wonder if we could do better by generating a much more
> restrictive policy at installation time, so that only the *exact* file
> name of the currently installed guix-daemon executable would be
> labelled with guix_daemon_exec_t, instead of using a regular
> expression like that. This means that root would have to
> install/upgrade the policy at installation time whenever the Guix
> package that provides the effectively running guix-daemon executable
> is upgraded. Food for thought.
Yeah, guix-daemon.service currently refers to
/var/guix/profiles/…/guix-daemon for similar reasons.
> From d20bae0953d5d0a6bf1c06ab44505af6dea4df4d Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
> Date: Thu, 25 Jan 2018 15:21:07 +0100
> Subject: [PATCH] etc: Add SELinux policy for the daemon.
>
> * etc/guix-daemon.cil.in: New file.
> * Makefile.am: Add dist_selinux_policy_DATA.
> * configure.ac: Handle --with-selinux-policy-dir.
[...]
> --- /dev/null
> +++ b/etc/guix-daemon.cil.in
> @@ -0,0 +1,281 @@
> +; -*- lisp -*-
Perhaps add a comment like:
;; This is a specification for SELinux X.Y written in the SELinux
;; Common Intermediate Language (CIL).
Fun that it uses sexps. :-)
Thanks!
Ludo’.
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-25 16:17 [PATCH] Add SELinux policy for guix-daemon Ricardo Wurmus
2018-01-25 17:14 ` Ludovic Courtès
@ 2018-01-26 11:18 ` Catonano
2018-01-26 14:47 ` Ricardo Wurmus
2018-02-11 12:39 ` Catonano
From: Catonano @ 2018-01-26 11:18 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
> for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
> for executables spawned by the daemon (which are allowed to run in the
> guix_daemon_t domain)
> * guix_daemon_socket_t
> for the daemon socket file
> * guix_profiles_t
> for the contents of the profiles directory
>
I'm not sure I understand: is this meant to allow Guix to run in foreign
distros like Fedora?
Or is this meant to have SELinux running inside the GuixSD environment?
I might be interested in running Guix on my Fedora installation.
Also, Ricardo, I remember you posted a link to an introduction to SELinux
for human beings, some months ago.
Maybe on the IRC channel, maybe on some mailing list.
I searched here and found nothing.
Should you be able to post that link again, I'd be grateful.
I promise I will bookmark it this time.
Thanks!
Ciao
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-26 11:18 ` Catonano
@ 2018-01-26 14:47 ` Ricardo Wurmus
From: Ricardo Wurmus @ 2018-01-26 14:47 UTC (permalink / raw)
To: Catonano; +Cc: guix-devel
Hi,
Catonano <catonano@gmail.com> writes:
> I' m not sure I understand: is this meant to allow Guix to run in foreign
> distros like Fedora ?
>
> Or is this meant to have SELinux running inside the GuixSD environment ?
On GuixSD we don’t have a base policy yet, so it would not work on
GuixSD. The base policy specifies a bunch of things that this
guix-daemon policy relies on, such as the type “init_t” and the
assumption that processes spawned by the init system are executed in
this domain.
> I might be interested in runnig Guix on my Fedora installation.
It should be useful for that purpose. I have a Fedora workstation at
work and I developed and tested the policy on it. I haven’t yet had the
time to switch to “enforcing” mode, which would block any operation that
is not explicitly permitted by the policy, so I suggest starting with
“permissive” mode and using it for a while. After some time you can
then analyse the audit logs to see if the daemon misbehaved according to
the policy.
> Also, Ricardo, I remember you posted a link to an introduction to SELinux
> for human beings, some months ago.
Yeah, it was the SELinux Coloring Book by Red Hat:
https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
But I *really* don’t recommend it for learning SELinux. Half of the
book doesn’t even apply to common SELinux installations, and the bit
that *does* apply really isn’t thorough enough. All I took away from it
was that a dog shouldn’t eat cat food (and that’s enforced by an angry
penguin).
The lack of *good* documentation for SELinux is very frustrating.
Here’s a high level overview: the goal is to ensure that processes only
have a set of permissions to do exactly what they were designed to do,
and nothing more. A common example is an HTTP server. It should be
allowed to publish *some* files and not others. A misbehaving HTTP
server process should be prevented from publishing files that I didn’t
label as publishable (like my private home directory or /etc/passwd).
Traditionally, the only way to achieve this was to let the server
process run under a separate user identity and change the ownership of
files that are allowed to be published. To that end the server process
would be started as root and then drop privileges by becoming that
separate user. This assumes that software is bug free, though. What if
the server process has a bug that allows an attacker to run code as
root? In that case it could publish *any* file – or it could
delete or overwrite files.
So the idea behind SELinux is that the kernel should watch all access
attempts to all resources and only allow specific operations. This way
a rogue server process is automatically prevented from, say, publishing
the system passwords.
A system admin informs the kernel about what operations are permitted
through rules in a so-called policy. These rules look something like
this (in the SELinux Common Intermediate Language):
(allow guix_daemon_t
user_home_t
(dir (search)))
This says: a process of type “guix_daemon_t” is permitted to perform a
“search” action on a “dir(ectory)”, if that directory has the label/type
“user_home_t”. These types are defined by policy developers; they are
completely arbitrary.
There are two things in this example that have types: processes and
files. Files get their types by labeling. Looking at the policy for
guix-daemon you see things like this:
(filecon "/gnu/store(/.+)?"
any (unconfined_u object_r guix_store_content_t (low low)))
This is an instruction to label anything (“any”) matching the given
regular expression with the type “guix_store_content_t” (ignore the
“unconfined_u” and “object_r”, and also the “low”). By running
“restorecon” recursively on the file system, all files will get labels
according to instructions like that.
How about processes? How do they get their types? (In other words: how
does a process enter a certain domain?) They start out in a certain
domain and then may transition to other domains. That’s specified by
transition rules like this one:
(typetransition init_t guix_daemon_exec_t
process guix_daemon_t)
This says that a process in the domain “init_t” may transition to domain
“guix_daemon_t” if the file that spawns the process has the label
“guix_daemon_exec_t”. Again, “init_t” is an arbitrary name for a type,
which in the case of Fedora is specified in some other policy that I
simply take for granted. On Fedora, all processes that are spawned by
the init system are in the domain “init_t”, so when the daemon is
started via systemd it’s in “init_t” and then transitions to
“guix_daemon_t” because the executable file “guix-daemon” is labeled
“guix_daemon_exec_t”.
Getting back to the rule above: it says that a process in the
“guix_daemon_t” domain may perform a “search” on a “dir” if that
directory has the label “user_home_t”. If that’s the only rule, then
that’s the only permitted action for such a process.
At some point I’d like to build a base policy for GuixSD, which defines
a couple of basic types, label rules, and type transitions. The hardest
part in designing a policy is finding good names for types and figuring
out how types should be allowed to transition. In the case of Guix this
is all made more difficult because applications don’t share the same
root-controlled global namespace (such as /usr, or /bin). But the core
idea is the same: make explicit what *type* of files there are and what
type of processes should be granted access to files of these types.
--
Ricardo
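The explanation above covers three mechanisms: files get types from `filecon` regexes when they are relabelled, processes get types by `typetransition` when they execute a labelled file, and `allow` rules decide what a domain may do. The following toy evaluator, added here as an illustration and neither part of Guix nor of the SELinux toolchain, parses just those CIL constructs and answers those three questions, so the reader can see why the exec regex matches a guix-daemon in any profile (the open issue in the first message) and why a file created at runtime keeps its directory's type unless a typetransition says otherwise. `POLICY` is constructed from a subset of the posted rules with sysconfdir=/etc and storedir=/gnu/store filled in (an assumption) plus one `sock_file` typetransition the posted policy does not contain; users, roles, MLS levels, attributes and the exact ordering secilc gives `file_contexts` are simplified away, and the store hashes are placeholders.

```python
"""Toy evaluator for the CIL constructs the guix-daemon policy uses.

Added example for this thread; not part of Guix or of the SELinux tools.
POLICY is constructed (paths assume /etc and /gnu/store); only type,
typetransition, allow and filecon are understood.
"""
import re

POLICY = r"""
(type init_t)
(type guix_daemon_t)
(type guix_daemon_exec_t)
(type guix_daemon_conf_t)
(type guix_daemon_socket_t)
(type guix_store_content_t)
(type user_home_t)
;; exec of a guix_daemon_exec_t file from init_t lands in guix_daemon_t
(typetransition init_t guix_daemon_exec_t process guix_daemon_t)
;; not in the posted policy: gives a socket created in a conf dir its own type
(typetransition guix_daemon_t guix_daemon_conf_t sock_file guix_daemon_socket_t)
(allow guix_daemon_t user_home_t (dir (search)))
(allow guix_daemon_t user_home_t (lnk_file (read getattr)))
(allow guix_daemon_t self (process (fork)))
(filecon "/etc/guix(/.*)?" any (system_u object_r guix_daemon_conf_t (low low)))
(filecon "/gnu/store(/.+)?" any (system_u object_r guix_store_content_t (low low)))
(filecon "/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon" file (system_u object_r guix_daemon_exec_t (low low)))
"""

META = re.compile(r"[.*+?()\[\]|^$\\]")  # first regex metachar ends the literal stem


def parse_sexp(text):
    """Parse CIL text into nested lists; ';' comments dropped, strings unquoted."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', re.sub(r";[^\n]*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok.strip('"'))
    return stack[0]


class Policy:
    def __init__(self, text):
        self.types = set()
        self.transitions = {}  # (source, target, class) -> resulting type
        self.allows = {}       # (source, target, class) -> set of permissions
        self.filecons = []     # (compiled regex, object kind, type)
        for stmt in parse_sexp(text):
            if stmt[0] == "type":
                self.types.add(stmt[1])
            elif stmt[0] == "typetransition":
                _, src, tgt, cls, result = stmt[:5]
                self.transitions[(src, tgt, cls)] = result
            elif stmt[0] == "allow":
                _, src, tgt, (cls, perms) = stmt
                self.allows.setdefault((src, tgt, cls), set()).update(perms)
            elif stmt[0] == "filecon":
                _, pattern, kind, ctx = stmt
                self.filecons.append((re.compile(pattern + "$"), kind, ctx[2]))

    def label(self, path, kind="file"):
        """Type restorecon would assign: among matching filecons the one with
        the longest literal prefix wins (later entry on ties); None means the
        path keeps whatever type it inherited from its parent directory."""
        best = None
        for rx, fkind, typ in self.filecons:
            if fkind in ("any", kind) and rx.match(path):
                stem = META.split(rx.pattern, maxsplit=1)[0]
                if best is None or len(stem) >= best[0]:
                    best = (len(stem), typ)
        return best[1] if best else None

    def exec_domain(self, domain, exec_type):
        """Domain a process of `domain` enters by executing a file of `exec_type`."""
        return self.transitions.get((domain, exec_type, "process"), domain)

    def create_type(self, domain, parent_type, cls):
        """Type of a new object of class `cls` created inside a `parent_type` dir."""
        return self.transitions.get((domain, parent_type, cls), parent_type)

    def allowed(self, src, tgt, cls, perm):
        keys = [(src, tgt, cls)] + ([(src, "self", cls)] if src == tgt else [])
        return any(perm in self.allows.get(k, ()) for k in keys)


def exec_walkthrough(policy):
    """Placeholder store paths: the real daemon and a look-alike in any profile.
    Both are labelled guix_daemon_exec_t by the regex, so both enter guix_daemon_t."""
    real = "/gnu/store/" + "x" * 32 + "-guix-daemon-package/bin/guix-daemon"
    rogue = "/gnu/store/" + "y" * 32 + "-profile/bin/guix-daemon"
    return {p: policy.exec_domain("init_t", policy.label(p)) for p in (real, rogue)}


if __name__ == "__main__":
    p = Policy(POLICY)
    for path, domain in exec_walkthrough(p).items():
        print(f"init_t exec {path} -> {domain}")
    print("socket created in conf dir gets:",
          p.create_type("guix_daemon_t", "guix_daemon_conf_t", "sock_file"))
```

`exec_walkthrough` prints `guix_daemon_t` for both paths, which is the concrete form of the concern about labelling by regular expression; `create_type` shows that without the extra `sock_file` typetransition the daemon's socket would be `guix_daemon_conf_t`, because `filecon` entries only matter when `restorecon` runs.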
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-25 16:17 [PATCH] Add SELinux policy for guix-daemon Ricardo Wurmus
2018-01-25 17:14 ` Ludovic Courtès
2018-01-26 11:18 ` Catonano
@ 2018-02-11 12:39 ` Catonano
2018-02-11 13:40 ` Ricardo Wurmus
2018-02-13 15:30 ` Catonano
2018-02-13 19:46 ` Efraim Flashner
From: Catonano @ 2018-02-11 12:39 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
> for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
> for executables spawned by the daemon (which are allowed to run in the
> guix_daemon_t domain)
> * guix_daemon_socket_t
> for the daemon socket file
> * guix_profiles_t
> for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir). Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>
can I do this with the binary installation made with Sharlatan's script?
$localstatedir is /var, I suppose
But I don't know about $sysconfdir and $prefix.
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-11 12:39 ` Catonano
@ 2018-02-11 13:40 ` Ricardo Wurmus
2018-02-15 14:00 ` Alex Vong
From: Ricardo Wurmus @ 2018-02-11 13:40 UTC (permalink / raw)
To: Catonano; +Cc: guix-devel
Catonano <catonano@gmail.com> writes:
>> If you want to test this on Fedora, set SELinux to permissive, and make
>> sure to configure Guix properly (i.e. set localstatedir, prefix, and
>> sysconfdir). Then install the policy with “sudo semodule -i
>> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
>> $localstatedir, $sysconfdir, and $prefix) with something like this:
>>
>> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>>
>
> can I do this with the binary installation made with Sharlatan's script ?
No, the script won’t install the SELinux policy. It wouldn’t work on
all systems, only on those where a suitable SELinux base policy is
available.
> $localstatedir is /var, I suppose
>
> But I don' t know about $sysconfdir and $prefix
/etc and /. But you’d be better off just relabeling everything. On
Fedora you can touch a certain file and have everything relabeled on
reboot. Takes a long time, though.
--
Ricardo
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-11 13:40 ` Ricardo Wurmus
@ 2018-02-15 14:00 ` Alex Vong
2018-02-15 15:32 ` Ricardo Wurmus
From: Alex Vong @ 2018-02-15 14:00 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
Hello,
Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:
> Catonano <catonano@gmail.com> writes:
>
>>> If you want to test this on Fedora, set SELinux to permissive, and make
>>> sure to configure Guix properly (i.e. set localstatedir, prefix, and
>>> sysconfdir). Then install the policy with “sudo semodule -i
>>> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
>>> $localstatedir, $sysconfdir, and $prefix) with something like this:
>>>
>>> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>>>
>>
>> can I do this with the binary installation made with Sharlatan's script ?
>
> No, the script won’t install the SELinux policy. It wouldn’t work on
> all systems, only on those where a suitable SELinux base policy is
> available.
>
So it won't work on Debian? I think Debian and Fedora use different
base policies, right? If this is the case, should we also include an
apparmor profile? Which paths does guix-daemon need to have r/w access
to? From your SELinux profile, we know the following is needed:
@guix_sysconfdir@/guix(/.*)?
@guix_localstatedir@/guix(/.*)?
@guix_localstatedir@/guix/profiles(/.*)?
/gnu
@storedir@(/.+)?
@storedir@/[^/]+/.+
@prefix@/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
@guix_localstatedir@/guix/daemon-socket/socket
Also, access to $HOME will be needed. What else?
>> $localstatedir is /var, I suppose
>>
>> But I don' t know about $sysconfdir and $prefix
>
> /etc and /. But you’d be better off just relabeling everything. On
> Fedora you can touch a certain file and have everything relabeled on
> reboot. Takes a long time, though.
>
> --
> Ricardo
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-15 14:00 ` Alex Vong
@ 2018-02-15 15:32 ` Ricardo Wurmus
2018-02-16 6:50 ` Gábor Boskovits
2018-02-16 7:49 ` Alex Vong
From: Ricardo Wurmus @ 2018-02-15 15:32 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, Ricardo Wurmus
Alex Vong <alexvong1995@gmail.com> writes:
>> No, the script won’t install the SELinux policy. It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora uses different
> base policy, right?
I don’t know much about SELinux on Debian, I’m afraid.
> If this is the case, should we also include an
> apparmor profile?
That’s unrelated, but sure, why not.
I would suggest writing a minimal base policy. SELinux is not an
all-or-nothing affair. That base policy only needs to provide the few
types that we care about for the guix-daemon. It wouldn’t be too hard.
The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.
> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
> @guix_sysconfdir@/guix(/.*)?
> @guix_localstatedir@/guix(/.*)?
> @guix_localstatedir@/guix/profiles(/.*)?
> /gnu
> @storedir@(/.+)?
> @storedir@/[^/]+/.+
> @prefix@/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> @guix_localstatedir@/guix/daemon-socket/socket
These are not things that the daemon needs to have access to. These are
paths that are to be labeled. The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-15 15:32 ` Ricardo Wurmus
@ 2018-02-16 6:50 ` Gábor Boskovits
2018-02-16 7:46 ` Alex Vong
2018-02-16 7:49 ` Alex Vong
1 sibling, 1 reply; 18+ messages in thread
From: Gábor Boskovits @ 2018-02-16 6:50 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, Ricardo Wurmus
2018-02-15 16:32 GMT+01:00 Ricardo Wurmus <rekado@elephly.net>:
>
> Alex Vong <alexvong1995@gmail.com> writes:
>
> >> No, the script won’t install the SELinux policy. It wouldn’t work on
> >> all systems, only on those where a suitable SELinux base policy is
> >> available.
> >>
> > So it won't work on Debian? I think Debian and Fedora use different
> > base policies, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
> > If this is the case, should we also include an
> > apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
>
I would be interested in doing that. It would be great if we could use
SELinux on GuixSD. I also like the apparmor idea. These would be
great enablers for me. Do we have any policy on how we do these, or
should I check how it is done on other distros?
> > Which paths does guix-daemon need to have r/w access
> > to? From your SELinux profile, we know the following is needed:
> >
> > @guix_sysconfdir@/guix(/.*)?
> > @guix_localstatedir@/guix(/.*)?
> > @guix_localstatedir@/guix/profiles(/.*)?
> > /gnu
> > @storedir@(/.+)?
> > @storedir@/[^/]+/.+
> > @prefix@/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> > @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> > @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-16 6:50 ` Gábor Boskovits
@ 2018-02-16 7:46 ` Alex Vong
0 siblings, 0 replies; 18+ messages in thread
From: Alex Vong @ 2018-02-16 7:46 UTC (permalink / raw)
To: Gábor Boskovits; +Cc: guix-devel, Ricardo Wurmus
Gábor Boskovits <boskovits@gmail.com> writes:
> 2018-02-15 16:32 GMT+01:00 Ricardo Wurmus <rekado@elephly.net>:
>
> Alex Vong <alexvong1995@gmail.com> writes:
>
> >> No, the script won’t install the SELinux policy. It wouldn’t work on
> >> all systems, only on those where a suitable SELinux base policy is
> >> available.
> >>
> > So it won't work on Debian? I think Debian and Fedora use different
> > base policies, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
> > If this is the case, should we also include an
> > apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
> I would be interested in doing that. It would be great if we could use
> SELinux on GuixSD. I also like the apparmor idea. These would be
> great enablers for me. Do we have any policy on how we do these, or
> should I check how it is done on other distros?
>
Since I haven't learnt SELinux, I will only comment on apparmor (which I
learnt only recently). For apparmor, there is a documentation page[0]
and a guide to writing profiles[1]. In general, there are two approaches:
generate the profile or write it by hand. In any case, it looks hard to
me, since we will have to test everything guix-daemon can do to make sure
it really works. Maybe it will help if you know guix-daemon really well,
or you understand the SELinux profile...
[0]: https://gitlab.com/apparmor/apparmor/wikis/Documentation
[1]: https://gitlab.com/apparmor/apparmor/wikis/Profiles
> > Which paths does guix-daemon need to have r/w access
> > to? From your SELinux profile, we know the following is needed:
> >
> > @guix_sysconfdir@/guix(/.*)?
> > @guix_localstatedir@/guix(/.*)?
> > @guix_localstatedir@/guix/profiles(/.*)?
> > /gnu
> > @storedir@(/.+)?
> > @storedir@/[^/]+/.+
> > @prefix@/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> > @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> > @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-15 15:32 ` Ricardo Wurmus
2018-02-16 6:50 ` Gábor Boskovits
@ 2018-02-16 7:49 ` Alex Vong
2018-02-16 12:54 ` Gábor Boskovits
2018-02-16 16:00 ` Ricardo Wurmus
1 sibling, 2 replies; 18+ messages in thread
From: Alex Vong @ 2018-02-16 7:49 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, Ricardo Wurmus
Ricardo Wurmus <rekado@elephly.net> writes:
> Alex Vong <alexvong1995@gmail.com> writes:
>
>>> No, the script won’t install the SELinux policy. It wouldn’t work on
>>> all systems, only on those where a suitable SELinux base policy is
>>> available.
>>>
>> So it won't work on Debian? I think Debian and Fedora use different
>> base policies, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
>> If this is the case, should we also include an
>> apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
>> Which paths does guix-daemon need to have r/w access
>> to? From your SELinux profile, we know the following is needed:
>>
>> @guix_sysconfdir@/guix(/.*)?
>> @guix_localstatedir@/guix(/.*)?
>> @guix_localstatedir@/guix/profiles(/.*)?
>> /gnu
>> @storedir@(/.+)?
>> @storedir@/[^/]+/.+
>> @prefix@/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
>> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
>> @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
I will have to read the colour book when I have time to understand what
you mean!
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-16 7:49 ` Alex Vong
@ 2018-02-16 12:54 ` Gábor Boskovits
2018-02-16 15:58 ` Ricardo Wurmus
2018-02-16 16:00 ` Ricardo Wurmus
1 sibling, 1 reply; 18+ messages in thread
From: Gábor Boskovits @ 2018-02-16 12:54 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, Ricardo Wurmus
2018-02-16 8:49 GMT+01:00 Alex Vong <alexvong1995@gmail.com>:
> Ricardo Wurmus <rekado@elephly.net> writes:
>
> > Alex Vong <alexvong1995@gmail.com> writes:
> >
> >>> No, the script won’t install the SELinux policy. It wouldn’t work on
> >>> all systems, only on those where a suitable SELinux base policy is
> >>> available.
> >>>
> >> So it won't work on Debian? I think Debian and Fedora use different
> >> base policies, right?
> >
> > I don’t know much about SELinux on Debian, I’m afraid.
> >
> >> If this is the case, should we also include an
> >> apparmor profile?
> >
> > That’s unrelated, but sure, why not.
> >
> > I would suggest writing a minimal base policy. SELinux is not an
> > all-or-nothing affair. That base policy only needs to provide the few
> > types that we care about for the guix-daemon. It wouldn’t be too hard.
> >
> > The resulting policy could then be used on GuixSD or any other system
> > that doesn’t have a full SELinux configuration.
>
I looked around a little, and it seems that at least Fedora and Debian
have their base policies originating from the SELinux reference policy:
https://github.com/TresysTechnology/refpolicy/wiki
I guess it would be nice to investigate how we could adapt this to GuixSD.
WDYT?
>
> >> Which paths does guix-daemon need to have r/w access
> >> to? From your SELinux profile, we know the following is needed:
> >>
> >> @guix_sysconfdir@/guix(/.*)?
> >> @guix_localstatedir@/guix(/.*)?
> >> @guix_localstatedir@/guix/profiles(/.*)?
> >> /gnu
> >> @storedir@(/.+)?
> >> @storedir@/[^/]+/.+
> >> @prefix@/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> >> @guix_localstatedir@/guix/daemon-socket/socket
> >
> > These are not things that the daemon needs to have access to. These are
> > paths that are to be labeled. The daemon is executed in a certain
> > context, and processes in that context may have certain permissions on
> > some of the files that have been labeled.
> >
> I will have to read the colour book when I have time to understand what
> you mean!
>
> > --
> > Ricardo
> >
> > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> > https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-16 12:54 ` Gábor Boskovits
@ 2018-02-16 15:58 ` Ricardo Wurmus
0 siblings, 0 replies; 18+ messages in thread
From: Ricardo Wurmus @ 2018-02-16 15:58 UTC (permalink / raw)
To: Gábor Boskovits; +Cc: guix-devel, Ricardo Wurmus
Gábor Boskovits <boskovits@gmail.com> writes:
>> > The resulting policy could then be used on GuixSD or any other system
>> > that doesn’t have a full SELinux configuration.
>>
>
> I looked around a little, and it seems that at least Fedora and Debian
> have their base policies originating from the SELinux reference policy:
> https://github.com/TresysTechnology/refpolicy/wiki
>
> I guess it would be nice to investigate how we could adapt this to GuixSD.
> WDYT?
Indeed. I didn’t know about the reference policy. We could take parts
of it and define an SELinux system service that applies it on boot.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-16 7:49 ` Alex Vong
2018-02-16 12:54 ` Gábor Boskovits
@ 2018-02-16 16:00 ` Ricardo Wurmus
1 sibling, 0 replies; 18+ messages in thread
From: Ricardo Wurmus @ 2018-02-16 16:00 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, Ricardo Wurmus
Alex Vong <alexvong1995@gmail.com> writes:
>> These are not things that the daemon needs to have access to. These are
>> paths that are to be labeled. The daemon is executed in a certain
>> context, and processes in that context may have certain permissions on
>> some of the files that have been labeled.
>>
> I will have to read the colour book when I have time to understand what
> do you mean!
You might find this more informative:
http://lists.gnu.org/archive/html/guix-devel/2018-01/msg00433.html
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-25 16:17 [PATCH] Add SELinux policy for guix-daemon Ricardo Wurmus
` (2 preceding siblings ...)
2018-02-11 12:39 ` Catonano
@ 2018-02-13 15:30 ` Catonano
2018-02-13 16:29 ` Ricardo Wurmus
2018-02-13 19:46 ` Efraim Flashner
4 siblings, 1 reply; 18+ messages in thread
From: Catonano @ 2018-02-13 15:30 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
> for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
> for executables spawned by the daemon (which are allowed to run in the
> guix_daemon_t domain)
> * guix_daemon_socket_t
> for the daemon socket file
> * guix_profiles_t
> for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir). Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>
> This will take a very long time (a couple of hours).
>
> Restart the daemon. Check that it now runs in the guix_daemon_t
> context:
>
> ps -Zax | grep /bin/guix-daemon
>
> This should return something like this
>
> system_u:system_r:guix_daemon.guix_daemon_t:s0 14886 ? Ss 0:00
> /root/.guix-profile/bin/guix-daemon --build-users-group=guix-builder
>
> Check the audit log for violations:
>
> sudo tail -f /var/log/audit/audit.log | grep x-daemon
>
> And then use Guix:
>
> guix build --no-grafts --check hello
>
> The audit log shouldn’t show you any complaints. At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.
>
> Open issues:
>
> * guix_daemon_socket_t isn’t actually used. All of the socket
> operations that I observed involve contexts that don’t have anything
> to do with guix_daemon_socket_t. It doesn’t hurt to have this unused
> label, but I would have preferred to define socket rules for only this
> label. Oh well.
>
> * “guix gc” cannot access arbitrary links to profiles. By design, the
> file label of the destination of a symlink is independent of the file
> label of the link itself. Although all profiles under $localstatedir
> are labelled, the links to these profiles inherit the label of the
> directory they are in. For links in the user’s home directory this
> will be “user_home_t” (for which I’ve added a rule). But for links
> from root’s home directory, or /tmp, or the HTTP server’s working
> directory … this won’t work. “guix gc” would be prevented from
> reading and following these links.
>
> * I don’t know if the daemon’s TCP listen feature still works. I didn’t
> test it and assume that it would require extra rules, because SELinux
> treats network sockets differently from files.
>
> * Is this all correct? I don’t know! I only just learned about the
> SELinux Common Intermediate Language (CIL), and the documentation is
> very sparse, so I have no idea if I did something stupid. It seems
> fine to me, but I must admit that I find it a bit uncomfortable to see
> so many access types in the rules.
>
> * I allowed type transitions from init_t to guix_daemon_t via
> guix_daemon_exec_t, but also from guix_store_content_t to
> guix_daemon_t via guix_daemon_exec_t. Type transitions are necessary
> to get from an allowed entry point to a domain. On Fedora “init_t” is
> the domain in which processes are that are spawned by the init
> system. With the first type transition I permit these processes to
> transition to the guix_daemon_t domain when the executables are
> labeled as guix_daemon_exec_t (such as the daemon executable itself,
> and all the helpers it spawns).
>
> This much is obvious. But the second type transition is less obvious.
> It is needed to make sure that we can enter the guix_daemon_t domain
> even when running the daemon from an executable in the store (which
> will be running in the “guix_store_content_t” domain). Thinking of
> this, I wonder if maybe that’s actually a mistake and shouldn’t be
> permitted.
>
> * A possible problem is that I assign all files with a name matching
> “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
> “guix_daemon_exec_t”; this means that *any* file with that name in any
> profile would be permitted to run in the guix_daemon_t domain. This
> is not ideal. An attacker could build a package that provides this
> executable and convince a user to install and run it, which lifts it
> into the guix_daemon_t domain. At that point SELinux could not
> prevent it from accessing files that are allowed for processes in that
> domain (such as the actual daemon).
>
> This makes me wonder if we could do better by generating a much more
> restrictive policy at installation time, so that only the *exact* file
> name of the currently installed guix-daemon executable would be
> labelled with guix_daemon_exec_t, instead of using a regular
> expression like that. This means that root would have to
> install/upgrade the policy at installation time whenever the Guix
> package that provides the effectively running guix-daemon executable
> is upgraded. Food for thought.
>
> Without further ado, here’s the patch:
>
>
>
> --
> Ricardo
>
>
Ok, I followed all these steps
While processing
guix build --no-grafts --check hello
I got some violations, an example follows
SELinux impedisce a .guix-real un accesso write su sock_file
/var/guix/daemon-socket/socket.
***** Plugin catchall(100. confidenza) suggerisce**************************
If you believe that .guix-real should be allowed write access on the socket
sock_file by default.
Quindi si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo
accesso.
Fai
allow this access for now by executing:
# ausearch -c '.guix-real' --raw | audit2allow -M my-guixreal
# semodule -X 300 -i my-guixreal.pp
Informazioni addizionali:
Contesto della sorgente
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Contesto target
system_u:object_r:guix_daemon.guix_daemon_conf_t:s0
Oggetti target /var/guix/daemon-socket/socket [ sock_file ]
Sorgente .guix-real
Percorso della sorgente .guix-real
Porta <Sconosciuto>
Host localhost.localdomain
Sorgente Pacchetti RPM
Pacchetti RPM target
RPM della policy selinux-policy-3.13.1-283.24.fc27.noarch
Selinux abilitato True
Tipo di politica targeted
Modalità Enforcing Permissive
Host Name localhost.localdomain
Piattaforma Linux localhost.localdomain 4.14.16-300.fc27.x86_64 #1 SMP Wed Jan 31 19:24:27 UTC 2018 x86_64 x86_64
Conteggio avvisi 1
Primo visto 2018-02-13 16:26:40 CET
Ultimo visto 2018-02-13 16:26:40 CET
ID locale 795369db-8842-4253-ac70-bfab33d85c47
Messaggi Raw Audit
type=AVC msg=audit(1518535600.232:493): avc: denied { write } for
pid=2978 comm=".guix-real" name="socket" dev="dm-0" ino=2754019
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=sock_file permissive=1
Hash: .guix-real,unconfined_t,guix_daemon.guix_daemon_conf_t,sock_file,write
There are some more, it's just that fetching them in the Gnome GUI is not
immediate
But I can publish my /var/log/audit/audit.log file somewhere
Oh wait, I could catch another one right now, here it is
I'll keep following this
Thanks
Ciao
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-02-13 15:30 ` Catonano
@ 2018-02-13 16:29 ` Ricardo Wurmus
0 siblings, 0 replies; 18+ messages in thread
From: Ricardo Wurmus @ 2018-02-13 16:29 UTC (permalink / raw)
To: Catonano; +Cc: guix-devel
Catonano <catonano@gmail.com> writes:
> While processing
>
> guix build --no-grafts --check hello
>
> I got some violations, an example follows
>
> SELinux impedisce a .guix-real un accesso write su sock_file
> /var/guix/daemon-socket/socket.
Ah, the wrapper! I suppose we need to either merge the wrapper change
(next core-updates round) or add a regular expression to label
“.guix-real” just like “guix”.
Thanks for testing it!
--
Ricardo
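As an added example (not code from this thread or from Guix), the following Python script does the "check the audit log for violations" step mechanically: it parses AVC records like the one Catonano posted, folds them into audit2allow-style summaries, and flags denials where a process outside the guix_daemon_t domain touched a guix-labeled object, which is the shape of the .guix-real denial above. The log lines are constructed: record 493 mirrors the quoted denial, records 494 and 495 are invented for contrast, and the type names are taken from the policy discussed in the thread.

```python
"""Triage SELinux AVC denials from audit.log (added example, not Guix code)."""
import re
from collections import defaultdict

# Constructed sample log. Record 493 mirrors the denial quoted in this thread;
# 494 and 495 are invented to show grouping and a denial from inside the domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1518535600.232:493): avc:  denied  { write } for  pid=2978 comm=".guix-real" name="socket" dev="dm-0" ino=2754019 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1518535600.232:493): arch=c000003e syscall=42 success=yes exit=0 comm=".guix-real"
type=AVC msg=audit(1518535601.001:494): avc:  denied  { write } for  pid=2981 comm=".guix-real" name="socket" dev="dm-0" ino=2754019 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1518535602.500:495): avc:  denied  { read open } for  pid=3001 comm="guix-daemon" name="profiles" dev="dm-0" ino=131 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

GUIX_DOMAIN = "guix_daemon.guix_daemon_t"  # process type the daemon should run as
GUIX_LABEL_PREFIX = "guix_daemon."         # prefix of the file types the policy defines


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for other record types (SYSCALL, CWD, ...)."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path") or fields.get("name", "?"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) -> (sorted perms, count)."""
    perms = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key].update(rec["perms"])
        counts[key] += 1
    return {key: (sorted(p), counts[key]) for key, p in perms.items()}


def as_allow_rules(summary):
    """Render the summary the way audit2allow would, one allow rule per group."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(p)} }};  # {n} denial(s)"
        for (src, tgt, cls), (p, n) in sorted(summary.items())
    ]


def outside_guix_domain(summary):
    """Keys where a process not running as guix_daemon_t hit a guix-labeled object.

    This is the shape of Catonano's denial: the client ran as unconfined_t, so the
    allow rules written for guix_daemon_t did not cover it.
    """
    return sorted(
        key for key in summary
        if key[1].startswith(GUIX_LABEL_PREFIX) and key[0] != GUIX_DOMAIN
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(as_allow_rules(summary)))
    for src, tgt, cls in outside_guix_domain(summary):
        print(f"WARNING: {src} touched {tgt} ({cls}) from outside {GUIX_DOMAIN}")
```

Feed it a real audit.log (for example `ausearch -m AVC --raw`) instead of the constructed sample; the summary tells you which label or transition rule is missing, rather than which rule to add blindly.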
* Re: [PATCH] Add SELinux policy for guix-daemon.
2018-01-25 16:17 [PATCH] Add SELinux policy for guix-daemon Ricardo Wurmus
` (3 preceding siblings ...)
2018-02-13 15:30 ` Catonano
@ 2018-02-13 19:46 ` Efraim Flashner
2018-02-13 19:53 ` Leo Famulari
4 siblings, 1 reply; 18+ messages in thread
From: Efraim Flashner @ 2018-02-13 19:46 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
Should etc/guix-daemon.cil be added to .gitignore?
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted