From: Catonano
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Sun, 11 Feb 2018 13:39:02 +0100
To: Ricardo Wurmus
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

2018-01-25 17:17 GMT+01:00 Ricardo Wurmus:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
>   for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
>   for executables spawned by the daemon (which are allowed to run in the
>   guix_daemon_t domain)
> * guix_daemon_socket_t
>   for the daemon socket file
> * guix_profiles_t
>   for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir).  Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”.  Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
>     sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix

Can I do this with the binary installation made with Sharlatan's script?

$localstatedir is /var, I suppose.

But I don't know about $sysconfdir and $prefix.
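Added example, not part of this thread or of the Guix patch: the way to confirm the "no operations were blocked" result while the policy is exercised in permissive mode is to pull the AVC records whose source context is the guix_daemon_t domain out of the audit log, which the script below does over constructed sample records (the standard kernel AVC text format and the /var/log/audit/audit.log path are assumptions).

```shell
#!/bin/sh
# Added example, not from the Guix patch: list the AVC denials that a given
# SELinux domain (default: guix_daemon_t) produced while the policy was being
# exercised in permissive mode.  Reads audit records on stdin and prints one
# "permissions class target-type" line per distinct denial.
# Assumptions: records are in the kernel's standard AVC text format, and the
# log lives at /var/log/audit/audit.log (the usual auditd location).

guix_avc_denials() {
    domain="${1:-guix_daemon_t}"
    grep 'avc:  denied' \
      | grep "scontext=[^ ]*:${domain}:" \
      | sed -n 's/.*denied  { \([^}]*[^ ]\) } .*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \3 \2/p' \
      | sort | uniq
}

# Constructed sample records (not real logs).  The first two are what a
# missed relabel looks like: the daemon runs in guix_daemon_t, but the files
# it touches still carry the generic var_t / etc_t labels rather than the
# Guix-specific label the policy's filecon rules assign, i.e. the restorecon
# step has not covered them yet.  The sshd_t record and the non-AVC record
# must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1516896000.001:101): avc:  denied  { write } for  pid=1201 comm="guix-daemon" name="db.sqlite" dev="sda1" ino=42 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516896000.002:102): avc:  denied  { read open } for  pid=1201 comm="guix-daemon" path="/etc/guix/acl" dev="sda1" ino=43 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516896000.003:103): avc:  denied  { write } for  pid=999 comm="sshd" name="lastlog" dev="sda1" ino=44 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=USER_START msg=audit(1516896000.004:104): pid=1 uid=0 auid=0 ses=1 msg=op=PAM:session_open res=success'

# Report over the constructed sample.  On a real system run instead:
#   grep 'avc:' /var/log/audit/audit.log | guix_avc_denials
guix_avc_report() {
    printf '%s\n' "$SAMPLE_AUDIT" | guix_avc_denials
}

guix_avc_report
```

An empty report after the test workloads is the "nothing blocked" result; a denial whose target type is a generic one such as var_t or etc_t is the usual sign of a path the relabel step missed.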