From: Alex Vong
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Fri, 16 Feb 2018 15:46:37 +0800
To: Gábor Boskovits
Cc: guix-devel, Ricardo Wurmus

Gábor Boskovits writes:

> 2018-02-15 16:32 GMT+01:00 Ricardo Wurmus :
>
> Alex Vong writes:
>
> >> No, the script won’t install the SELinux policy. It wouldn’t work on
> >> all systems, only on those where a suitable SELinux base policy is
> >> available.
> >>
> > So it won't work on Debian? I think Debian and Fedora use different
> > base policy, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
> > If this is the case, should we also include an
> > apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
> I would be interested in doing that. It would be great if we could use
> SELinux on GuixSD. I also like the apparmor idea. These would be
> great enablers for me. Do we have any policy how we do these, or
> should I check how it is done on other distros?
>
Since I haven't learnt SELinux, I will only comment on apparmor (which
I learnt only recently). For apparmor, there is a documentation
page[0] and a guide to writing profiles[1]. In general, there are two
approaches - generate a profile or write a profile by hand. In any
case, it looks hard to me since we will have to test everything
guix-daemon can do to make sure it really works. Maybe it will help if
you know guix-daemon really well, or you understand the SELinux
profile...

[0]: https://gitlab.com/apparmor/apparmor/wikis/Documentation
[1]: https://gitlab.com/apparmor/apparmor/wikis/Profiles

> > Which paths does guix-daemon need to have r/w access
> > to? From your SELinux profile, we know the following is needed:
> >
> > @guix_sysconfdir@/guix(/.*)?
> > @guix_localstatedir@/guix(/.*)?
> > @guix_localstatedir@/guix/profiles(/.*)?
> > /gnu
> > @storedir@(/.+)?
> > @storedir@/[^/]+/.+
> > @prefix@/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> > @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> > @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> > @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net