From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Thu, 25 Jan 2018 18:14:51 +0100
Message-ID: <87inbpsvw4.fsf@gnu.org>
In-Reply-To: (Ricardo Wurmus's message of "Thu, 25 Jan 2018 17:17:14 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Hello!

Ricardo Wurmus skribis:

> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.

Impressive!  I know nothing about SELinux so I can’t comment on the
specifics.

> These file labels are defined:

[...]

> The audit log shouldn’t show you any complaints.  At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.

What about putting this text in a new “SELinux Support” section or
similar, along with the current limitations?

> Open issues:

[...]

> * A possible problem is that I assign all files with a name matching
>   “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
>   “guix_daemon_exec_t”; this means that *any* file with that name in any
>   profile would be permitted to run in the guix_daemon_t domain.  This
>   is not ideal.  An attacker could build a package that provides this
>   executable and convince a user to install and run it, which lifts it
>   into the guix_daemon_t domain.  At that point SELinux could not
>   prevent it from accessing files that are allowed for processes in that
>   domain (such as the actual daemon).
>
>   This makes me wonder if we could do better by generating a much more
>   restrictive policy at installation time, so that only the *exact* file
>   name of the currently installed guix-daemon executable would be
>   labelled with guix_daemon_exec_t, instead of using a regular
>   expression like that.  This means that root would have to
>   install/upgrade the policy at installation time whenever the Guix
>   package that provides the effectively running guix-daemon executable
>   is upgraded.  Food for thought.

Yeah, guix-daemon.service currently refers to
/var/guix/profiles/…/guix-daemon for similar reasons.

> From d20bae0953d5d0a6bf1c06ab44505af6dea4df4d Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus
> Date: Thu, 25 Jan 2018 15:21:07 +0100
> Subject: [PATCH] etc: Add SELinux policy for the daemon.
>
> * etc/guix-daemon.cil.in: New file.
> * Makefile.am: Add dist_selinux_policy_DATA.
> * configure.ac: Handle --with-selinux-policy-dir.

[...]

> --- /dev/null
> +++ b/etc/guix-daemon.cil.in
> @@ -0,0 +1,281 @@
> +; -*- lisp -*-

Perhaps add a comment like:

  ;; This is a specification for SELinux X.Y written in the SELinux
  ;; Common Intermediate Language (CIL).

Fun that it uses sexps.  :-)

Thanks!

Ludo’.
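The labelling concern discussed in the thread, as an added illustration that is not part of the message or of Guix's own policy: it compares which store paths the regex-based file context would label guix_daemon_exec_t against an install-time policy that names only the exact daemon path, and renders the narrower rule as a CIL filecon statement. The sample store paths, their hashes, and the exact filecon syntax shown are assumptions constructed for the example.

```python
"""Broad regex labelling vs. exact-path labelling for guix_daemon_exec_t."""
import re
from typing import List

# File-name pattern quoted in the thread: every match is labelled
# guix_daemon_exec_t, regardless of which package provided the file.
REGEX_PATTERN = r"/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon"

# Constructed sample paths; the 32-character hashes are placeholders.
SAMPLE_PATHS = [
    "/gnu/store/0000000000000000000000000000000a-guix-0.14.0/bin/guix-daemon",    # installed daemon
    "/gnu/store/0000000000000000000000000000000b-profile/bin/guix-daemon",        # any user profile
    "/gnu/store/0000000000000000000000000000000c-guix-other-1.0/bin/guix-daemon", # unrelated package
    "/gnu/store/0000000000000000000000000000000d-guix-0.14.0/bin/guix",           # not the daemon
]


def regex_labelled(paths: List[str], pattern: str = REGEX_PATTERN) -> List[str]:
    """Paths the regex-based file context would label guix_daemon_exec_t.
    file_contexts entries are anchored, so fullmatch() models the lookup."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.fullmatch(p)]


def exact_labelled(paths: List[str], installed_daemon: str) -> List[str]:
    """Paths labelled under an install-time policy that names only the
    exact file name of the currently installed guix-daemon executable."""
    return [p for p in paths if p == installed_daemon]


def exact_filecon(installed_daemon: str, label: str = "guix_daemon_exec_t") -> str:
    """Render the narrower rule as one CIL filecon statement (assumed syntax:
    (filecon "path" file (user role type ((low) (high))))).  filecon paths
    are regexes, so '.' is escaped to keep the path literal."""
    literal = installed_daemon.replace(".", r"\.")
    return f'(filecon "{literal}" file (system_u object_r {label} ((s0) (s0))))'


if __name__ == "__main__":
    print("regex labels:", regex_labelled(SAMPLE_PATHS))          # three paths
    print("exact label: ", exact_labelled(SAMPLE_PATHS, SAMPLE_PATHS[0]))  # one path
    print(exact_filecon(SAMPLE_PATHS[0]))
```

Regenerating and reloading the exact filecon is what makes the install-time approach cost root an extra step on every daemon upgrade, as the thread notes.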