From: Gábor Boskovits
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Fri, 16 Feb 2018 07:50:35 +0100
To: Ricardo Wurmus
Cc: guix-devel, Ricardo Wurmus

2018-02-15 16:32 GMT+01:00 Ricardo Wurmus:

> Alex Vong writes:
>
> >> No, the script won’t install the SELinux policy.  It wouldn’t work on
> >> all systems, only on those where a suitable SELinux base policy is
> >> available.
> >>
> > So it won't work on Debian? I think Debian and Fedora use different
> > base policy, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
> > If this is the case, should we also include an
> > apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy.  SELinux is not an
> all-or-nothing affair.  That base policy only needs to provide the few
> types that we care about for the guix-daemon.  It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.

I would be interested in doing that. It would be great if we could use
SELinux on GuixSD. I also like the apparmor idea. These would be
great enablers for me. Do we have any policy how we do these, or
should I check how it is done on other distros?

> > Which paths does guix-daemon need to have r/w access
> > to? From your SELinux profile, we know the following is needed:
> >
> >   @guix_sysconfdir@/guix(/.*)?
> >   @guix_localstatedir@/guix(/.*)?
> >   @guix_localstatedir@/guix/profiles(/.*)?
> >   /gnu
> >   @storedir@(/.+)?
> >   @storedir@/[^/]+/.+
> >   @prefix@/bin/guix-daemon
> >   @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> >   @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> >   @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> >   @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to.  These are
> paths that are to be labeled.  The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
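The distinction drawn in the quoted reply (the listed patterns only label files, while permissions come from rules on the daemon's context), sketched as an added example that is not part of the thread or of the Guix policy. The placeholder expansions, the type names and the allow rules are assumptions, and entry ordering is simplified to "last matching entry wins".

```python
import re

# Assumed expansions of the configure-time placeholders (not stated in the thread).
SUBST = {"@guix_sysconfdir@": "/etc", "@guix_localstatedir@": "/var",
         "@storedir@": "/gnu/store", "@prefix@": "/usr/local"}

# Patterns quoted in the thread, paired with HYPOTHETICAL type names.
FILE_CONTEXTS = [
    ("@guix_sysconfdir@/guix(/.*)?", "conf_t"),
    ("@guix_localstatedir@/guix(/.*)?", "state_t"),
    ("@guix_localstatedir@/guix/profiles(/.*)?", "profiles_t"),
    ("/gnu", "store_t"),
    ("@storedir@(/.+)?", "store_t"),
    ("@storedir@/[^/]+/.+", "store_content_t"),
    ("@prefix@/bin/guix-daemon", "daemon_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/bin/guix-daemon", "daemon_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate", "daemon_exec_t"),
    ("@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?", "daemon_exec_t"),
    ("@guix_localstatedir@/guix/daemon-socket/socket", "daemon_socket_t"),
]

# HYPOTHETICAL allow rules: (domain, file type, object class) -> permissions.
ALLOW = {
    ("daemon_t", "store_content_t", "file"): {"read", "write", "create"},
    ("daemon_t", "conf_t", "file"): {"read"},
}

def expand(pattern):
    """Substitute the assumed directory values into a quoted pattern."""
    for key, value in SUBST.items():
        pattern = pattern.replace(key, value)
    return pattern

def label_for(path):
    """Type of the last entry whose regex matches the whole path, else None.
    Simplification: libselinux orders entries by specificity before matching."""
    label = None
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(expand(pattern), path):
            label = ftype
    return label

def allowed(domain, path, tclass, perm):
    """The path only selects a label; the decision uses (domain, type, class)."""
    return perm in ALLOW.get((domain, label_for(path), tclass), set())
```

A path can match a pattern and receive a label without the daemon's domain holding any permission on that type, which is why the pattern list alone does not answer the question of what the daemon may read or write.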