From: Ricardo Wurmus
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Thu, 15 Feb 2018 16:32:02 +0100
Message-ID: <87inay6zgt.fsf@elephly.net>
In-reply-to: <87k1ve2w0o.fsf@gmail.com>
To: Alex Vong
Cc: guix-devel, Ricardo Wurmus

Alex Vong writes:

>> No, the script won’t install the SELinux policy. It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora use different
> base policies, right?

I don’t know much about SELinux on Debian, I’m afraid.

> If this is the case, should we also include an
> apparmor profile?

That’s unrelated, but sure, why not.

I would suggest writing a minimal base policy. SELinux is not an
all-or-nothing affair. That base policy only needs to provide the few
types that we care about for the guix-daemon. It wouldn’t be too hard.
The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.

> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
> @guix_sysconfdir@/guix(/.*)?
> @guix_localstatedir@/guix(/.*)?
> @guix_localstatedir@/guix/profiles(/.*)?
> /gnu
> @storedir@(/.+)?
> @storedir@/[^/]+/.+
> @prefix@/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> @guix_localstatedir@/guix/daemon-socket/socket

These are not things that the daemon needs to have access to. These are
paths that are to be labeled. The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
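The distinction Ricardo draws at the end of the message (the quoted list labels paths; a separate set of rules says what a process in the daemon's domain may do with those labels) is easiest to see in a policy file where the two parts sit side by side. The following CIL module is an added illustration written for this page; it is neither the patch under discussion nor Guix's own policy. It assumes a refpolicy-derived base policy is already loaded that defines `system_u`, `system_r`, `object_r`, `s0`, `init_t` and the attributes `domain` and `file_type` (the very thing a minimal base policy would have to supply on a system without one), and it substitutes `/etc/guix`, `/var/guix`, `/gnu/store` and `/usr/local/bin` for the `@guix_sysconfdir@`, `@guix_localstatedir@`, `@storedir@` and `@prefix@` placeholders. The permission sets are illustrative, not taken from the patch.

```cil
;; Added illustration (not the patch from this thread, not Guix's own policy).
;; Assumed: a refpolicy-derived base policy is loaded that defines system_u,
;; system_r, object_r, s0, init_t and the attributes domain and file_type.
;; Assumed paths: /etc/guix, /var/guix, /gnu/store and /usr/local/bin stand in
;; for @guix_sysconfdir@/guix, @guix_localstatedir@/guix, @storedir@ and
;; @prefix@/bin in the quoted list.

;; 1. Types are just names. Declaring them grants nothing by itself.
(type guix_daemon_t)         ; domain the running daemon is confined to
(type guix_daemon_exec_t)    ; the daemon's executable on disk
(type guix_conf_t)           ; /etc/guix: ACL, signing keys
(type guix_var_t)            ; /var/guix: profiles, database, socket dir
(type guix_store_t)          ; /gnu/store
(type guix_daemon_socket_t)  ; the daemon's listening socket

(typeattributeset domain (guix_daemon_t))
(typeattributeset file_type (guix_daemon_exec_t guix_conf_t guix_var_t
                             guix_store_t guix_daemon_socket_t))
(roletype system_r guix_daemon_t)

;; 2. Labeling: which path gets which type. This is what the quoted list
;;    expresses; it says nothing yet about who may touch the files.
(filecon "/etc/guix(/.*)?" any
         (system_u object_r guix_conf_t ((s0) (s0))))
(filecon "/var/guix(/.*)?" any
         (system_u object_r guix_var_t ((s0) (s0))))
(filecon "/gnu/store(/.*)?" any
         (system_u object_r guix_store_t ((s0) (s0))))
(filecon "/usr/local/bin/guix-daemon" file
         (system_u object_r guix_daemon_exec_t ((s0) (s0))))
(filecon "/gnu/store/[^/]+-(guix-[^/]+|profile)/bin/guix-daemon" file
         (system_u object_r guix_daemon_exec_t ((s0) (s0))))
(filecon "/var/guix/daemon-socket/socket" socket
         (system_u object_r guix_daemon_socket_t ((s0) (s0))))

;; 3. Entering the domain: when init executes a file labeled
;;    guix_daemon_exec_t, the new process lands in guix_daemon_t instead
;;    of staying in init_t.
(typetransition init_t guix_daemon_exec_t process guix_daemon_t)
(allow init_t guix_daemon_exec_t (file (getattr open read execute)))
(allow init_t guix_daemon_t (process (transition)))
(allow guix_daemon_t guix_daemon_exec_t (file (entrypoint read execute)))

;; 4. Permissions: what a process in guix_daemon_t may do to each label.
;;    Anything not listed here is denied, whatever the path is called.
(allow guix_daemon_t guix_conf_t (dir (getattr open read search)))
(allow guix_daemon_t guix_conf_t (file (getattr open read)))

(allow guix_daemon_t guix_var_t
       (dir (getattr open read search write add_name remove_name create rmdir)))
(allow guix_daemon_t guix_var_t
       (file (getattr open read write append create unlink rename lock)))
(allow guix_daemon_t guix_var_t (lnk_file (getattr read create unlink)))

(allow guix_daemon_t guix_store_t
       (dir (getattr open read search write add_name remove_name create rmdir
             setattr)))
(allow guix_daemon_t guix_store_t
       (file (getattr open read write create unlink link rename setattr)))
(allow guix_daemon_t guix_store_t (lnk_file (getattr read create unlink)))

;; The socket is created at run time, so the filecon line above only
;; describes it; without this transition a freshly created socket would
;; inherit guix_var_t from its parent directory.
(typetransition guix_daemon_t guix_var_t sock_file guix_daemon_socket_t)
(allow guix_daemon_t guix_daemon_socket_t
       (sock_file (getattr setattr create unlink)))
(allow guix_daemon_t self
       (unix_stream_socket (create bind listen accept getattr read write)))
```

Loading it with `semodule -i guix-daemon.cil` only updates the policy and the expected-label database; existing files keep whatever label they had until `restorecon -Rv /etc/guix /var/guix /gnu/store` is run, and `ls -dZ /gnu/store` shows the label actually on disk. After restarting the daemon, `ps -eZ | grep guix-daemon` confirms the process is in `guix_daemon_t`, and any operation the allow rules do not cover shows up as a denial in `ausearch -m avc -ts recent`. The names from section 3 onward (`init_t`, `domain`, `file_type`, `system_r`) are exactly what a minimal base policy of the kind Ricardo proposes would have to define for this module to load on a system with no distribution policy.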