b617a9fe23
* etc/guix-daemon.cil.in: New file. * Makefile.am (dist_selinux_policy_DATA): Define it. * configure.ac: Handle --with-selinux-policy-dir. * doc/guix.texi (SELinux Support): New section.
; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; This is an SELinux policy module for SELinux 2.7, written in the SELinux
;; Common Intermediate Language (CIL).  It refers to types that must already
;; be defined in the system's base policy.
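(block guix_daemon
  ;; Require existing types.
  ;; NOTE(review): this list is partial.  The rules below also reference
  ;; nscd_t, var_run_t, root_t, fs_t, devpts_t, tmpfs_t, proc_t, the
  ;; *_device_t types, devtty_t, user_home_t, the roles/users object_r,
  ;; system_u and unconfined_u, and the sensitivity s0.  All of them must
  ;; exist in the base policy this module is loaded into.
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types.  Each one is bound to object_r so that it can be
  ;; used in the file contexts at the end of this block.
  ;;   guix_daemon_t         domain the daemon process runs in
  ;;   guix_daemon_conf_t    files under the sysconfdir and localstatedir trees
  ;;   guix_daemon_exec_t    the daemon binary and its helper executables
  ;;   guix_daemon_socket_t  the daemon's socket file
  ;;   guix_store_content_t  the store directory and everything below it
  ;;   guix_profiles_t       the profiles directory
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)

  ;; These types are domains, thereby allowing process rules.
  ;; NOTE(review): guix_daemon_exec_t labels files (see the filecon rules
  ;; below), so every rule the base policy grants to the `domain'
  ;; attribute also applies to that file type.  Confirm this is intended.
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  ;; MLS/MCS level used by the file contexts below: sensitivity s0, no
  ;; categories.
  (level low (s0))

  ;; When a process in init_t spawns a guix_daemon_exec_t process, let it
  ;; run in the guix_daemon_t context.
  ;; NOTE(review): guix_store_content_t is not in the `domain' attribute
  ;; set above, so no process runs in it and the second transition rule
  ;; is inert as written.
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Permit communication with NSCD: look up and write to its socket file,
  ;; map its run-time files, and use descriptors handed over by nscd_t.
  (allow guix_daemon_t nscd_var_run_t (file (map read)))
  (allow guix_daemon_t nscd_var_run_t (dir (search)))
  (allow guix_daemon_t nscd_var_run_t (sock_file (write)))
  (allow guix_daemon_t nscd_t (fd (use)))
  (allow guix_daemon_t nscd_t (unix_stream_socket (connectto)))

  ;; Permit logging and temp file access.  Note that no file-level
  ;; permissions on tmp_t are granted here, only directory and symlink
  ;; operations.
  (allow guix_daemon_t tmp_t (lnk_file (setattr unlink)))
  (allow guix_daemon_t tmp_t
         (dir (create rmdir
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t var_log_t (file (create getattr open write)))
  (allow guix_daemon_t var_log_t (dir (getattr write add_name)))
  (allow guix_daemon_t var_run_t (lnk_file (read)))
  (allow guix_daemon_t var_run_t (dir (search)))

  ;; Spawning processes, execute helpers.  `execute_no_trans' means a
  ;; helper started from guix_daemon_exec_t keeps running in guix_daemon_t
  ;; instead of transitioning to another domain.
  (allow guix_daemon_t self (process (fork)))
  (allow guix_daemon_t guix_daemon_exec_t
         (file (execute execute_no_trans read open)))

  ;; TODO: unknown
  ;; (review) These three rules have no documented purpose yet; presumably
  ;; they are needed while setting up the build environment.  Trace them to
  ;; a daemon operation before tightening or removing them.
  (allow guix_daemon_t root_t (dir (mounton)))
  (allow guix_daemon_t fs_t (filesystem (getattr)))
  (allow guix_daemon_conf_t fs_t (filesystem (associate)))

  ;; Build isolation: bind-mount store items into the build environment,
  ;; mount devpts/tmpfs/proc inside it, and reach the device nodes that
  ;; are exposed to builds.
  (allow guix_daemon_t guix_store_content_t (file (mounton)))
  (allow guix_store_content_t fs_t (filesystem (associate)))
  (allow guix_daemon_t guix_store_content_t (dir (mounton)))
  ;; Capabilities the daemon holds in its own domain.  Because store files
  ;; and helpers are executed with `execute_no_trans' (see above and
  ;; "Access to store items"), code run that way stays in guix_daemon_t and
  ;; is governed by these same rules, including this capability set.
  (allow guix_daemon_t guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot)))
  (allow guix_daemon_t fs_t (filesystem (unmount)))
  (allow guix_daemon_t devpts_t (filesystem (mount)))
  (allow guix_daemon_t devpts_t (chr_file (setattr getattr)))
  (allow guix_daemon_t tmpfs_t (filesystem (mount)))
  (allow guix_daemon_t tmpfs_t (dir (getattr)))
  (allow guix_daemon_t proc_t (filesystem (mount)))
  (allow guix_daemon_t null_device_t (chr_file (getattr open read write)))
  (allow guix_daemon_t kvm_device_t (chr_file (getattr)))
  (allow guix_daemon_t zero_device_t (chr_file (getattr)))
  (allow guix_daemon_t urandom_device_t (chr_file (getattr)))
  (allow guix_daemon_t random_device_t (chr_file (getattr)))
  (allow guix_daemon_t devtty_t (chr_file (getattr)))

  ;; Access to store items.  Directory, regular file and symlink rules are
  ;; kept separate because the permission sets differ per class.
  (allow guix_daemon_t guix_store_content_t
         (dir (reparent create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir)))
  (allow guix_daemon_t guix_store_content_t
         (file (create lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map rename
                open read write)))
  (allow guix_daemon_t guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read rename)))

  ;; Access to configuration files and directories.
  (allow guix_daemon_t guix_daemon_conf_t
         (dir (search
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t guix_daemon_conf_t
         (file (create lock map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))

  ;; Access to profiles: read the directory and follow the links in it.
  (allow guix_daemon_t guix_profiles_t (dir (getattr setattr read open)))
  (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr)))

  ;; Access to profile links in the home directory.
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t user_home_t (lnk_file (read getattr)))
  (allow guix_daemon_t user_home_t (dir (search)))

  ;; Socket operations.
  (allow guix_daemon_t init_t (fd (use)))
  (allow guix_daemon_t init_t (unix_stream_socket (write)))
  (allow guix_daemon_t guix_daemon_conf_t (unix_stream_socket (listen)))
  (allow guix_daemon_t guix_daemon_conf_t (sock_file (create unlink)))
  ;; The socket file is labelled guix_daemon_socket_t by the filecon rule at
  ;; the end of this block, but the rules above only cover a socket file
  ;; labelled guix_daemon_conf_t.  Grant the same sock_file permissions on
  ;; guix_daemon_socket_t, and label a socket named "socket" that the daemon
  ;; creates inside a guix_daemon_conf_t directory as guix_daemon_socket_t
  ;; right away, so the declared type takes effect without a relabel.  The
  ;; guix_daemon_conf_t rules are kept for socket files that predate this
  ;; transition.
  ;; NOTE(review): the `listen' rule above targets guix_daemon_conf_t; if it
  ;; was derived from a denial involving the socket inode, the same rule may
  ;; be needed for guix_daemon_socket_t.  Confirm in permissive mode.
  (typetransition guix_daemon_t guix_daemon_conf_t
                  sock_file "socket" guix_daemon_socket_t)
  (allow guix_daemon_t guix_daemon_socket_t (sock_file (create unlink)))
  (allow guix_daemon_t self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t self (fifo_file (write read)))
  (allow guix_daemon_t self (udp_socket (ioctl create)))

  ;; Label file system.  The @...@ placeholders are expanded when this
  ;; `.in' file is processed by configure.  Longer (more specific) patterns
  ;; take precedence over shorter ones when the contexts are applied.
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  ;; NOTE(review): the store entries use the unconfined_u SELinux user,
  ;; whereas every other context in this block uses system_u.  Confirm the
  ;; difference is intended.
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  ;; Subsumed by the preceding pattern (same context); harmless, kept as-is.
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
           any (system_u object_r guix_daemon_exec_t (low low)))
  ;; Matched by the guix_daemon_socket_t rules in "Socket operations".
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))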