Package: guix-patches;
Reported by: Daniel Brooks <db48x <at> db48x.net>
Date: Tue, 10 Nov 2020 09:43:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <marius <at> gnu.org>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Daniel Brooks <db48x <at> db48x.net>
Subject: bug#44549: closed (Re: [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy)
Date: Sun, 15 Nov 2020 22:21:02 +0000

Your bug report

#44549: [PATCH] etc: updates for the guix-daemon SELinux policy

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 44549 <at> debbugs.gnu.org.

--
44549: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=44549
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Marius Bakke <marius <at> gnu.org>
To: Daniel Brooks <db48x <at> db48x.net>, 44549-done <at> debbugs.gnu.org
Subject: Re: [bug#44549] [PATCH v4] etc: updates for the guix-daemon SELinux policy
Date: Sun, 15 Nov 2020 23:19:59 +0100

Daniel Brooks <db48x <at> db48x.net> writes:

> This update adds a filecon rule for the guix-daemon shell script in the store.
>
> >From 8858b4df306e7846a1709c420ba7f7b194f05a97 Mon Sep 17 00:00:00 2001
> From: Daniel Brooks <db48x <at> db48x.net>
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH v4] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
> guix-daemon to account for daemon updates and newer SELinux.
>
> I can't promise that this is a complete list of everything that guix-daemon
> needs, but it's probably most of them. It can search for, install, upgrade,
> and remove packages, create virtual machines and containers, update itself,
> and so on.

Pushed to the 'version-1.2.0' branch, which will show up on 'master' eventually.

Thank you!
From: Daniel Brooks <db48x <at> db48x.net>
To: Guix Patches List <guix-patches <at> gnu.org>
Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
Date: Tue, 10 Nov 2020 01:42:16 -0800

[0001-etc-updates-for-the-guix-daemon-SELinux-policy.patch (text/x-patch, inline)]

From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x <at> db48x.net>
Date: Mon, 9 Nov 2020 07:03:42 -0800
Subject: [PATCH] etc: updates for the guix-daemon SELinux policy

* etc/guix-daemon.cil.in: I can't promise that this is a complete list of
everything that guix-daemon needs, but it's probably most of them. It can
search for, install, upgrade, and remove packages, create virtual machines,
update itself, and so on. I haven't tried creating containers yet, which
might reveal more things to add.
---
 etc/guix-daemon.cil.in | 170 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 152 insertions(+), 18 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e0c9113498..666e5677a3 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -21,6 +21,18 @@ ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. +;; If you, like me, need advice about fixing an SELinux policy, I recommend +;; reading https://danwalsh.livejournal.com/55324.html + +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t +;; to allow guix-daemon to do whatever it wants. SELinux will still check its +;; permissions, and when it doesn't have permission it will still send an +;; audit message to your system logs. This lets you know what permissions it +;; ought to have. Use ausearch --raw to find the permissions violations, then +;; pipe that to audit2allow to generate an updated policy. You'll still need +;; to translate that policy into CIL in order to update this file, but that's +;; fairly straight-forward. Annoying, but easy. + (block guix_daemon ;; Require existing types (typeattributeset cil_gen_require init_t) @@ -34,14 +46,19 @@ (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) + (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) + (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) + (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) + (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) + (typeattributeset file_type guix_profiles_t) ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) 
@@ -55,6 +72,27 @@ (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) + (roletype system_r guix_daemon_t) + + ;; allow init_t to read and execute guix files + (allow init_t + guix_profiles_t + (lnk_file (read))) + (allow init_t + guix_daemon_exec_t + (file (execute))) + (allow init_t + guix_daemon_t + (process (transition))) + (allow init_t + guix_store_content_t + (file (open read execute))) + + ;; guix-daemon needs to know the names of users + (allow guix_daemon_t + passwd_file_t + (file (getattr open read))) + ;; Permit communication with NSCD (allow guix_daemon_t nscd_var_run_t @@ -71,25 +109,44 @@ (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) + (allow guix_daemon_t nscd_t + (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv))) + + ;; permit downloading packages via HTTP(s) + (allow guix_daemon_t http_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ftp_port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t ephemeral_port_t + (tcp_socket (name_connect))) ;; Permit logging and temp file access (allow guix_daemon_t tmp_t - (lnk_file (setattr unlink))) + (lnk_file (create rename setattr unlink))) + (allow guix_daemon_t + tmp_t + (file (link rename create execute execute_no_trans write unlink setattr map relabelto))) + (allow guix_daemon_t + tmp_t + (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t - (dir (create - rmdir + (dir (create rename + rmdir relabelto add_name remove_name open read write getattr setattr search))) + (allow guix_daemon_t + tmp_t + (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t - (dir (getattr write add_name))) + (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) 
@@ -100,10 +157,10 @@ ;; Spawning processes, execute helpers (allow guix_daemon_t self - (process (fork))) + (process (fork execmem setrlimit setpgid setsched))) (allow guix_daemon_t guix_daemon_exec_t - (file (execute execute_no_trans read open))) + (file (execute execute_no_trans read open entrypoint map))) ;; TODO: unknown (allow guix_daemon_t @@ -119,38 +176,51 @@ ;; Build isolation (allow guix_daemon_t guix_store_content_t - (file (mounton))) + (file (ioctl mounton))) (allow guix_store_content_t fs_t (filesystem (associate))) (allow guix_daemon_t guix_store_content_t - (dir (mounton))) + (dir (read mounton))) (allow guix_daemon_t guix_daemon_t (capability (net_admin fsetid fowner chown setuid setgid dac_override dac_read_search - sys_chroot))) + sys_chroot + sys_admin))) (allow guix_daemon_t fs_t (filesystem (unmount))) + (allow guix_daemon_t + devpts_t + (dir (search))) (allow guix_daemon_t devpts_t (filesystem (mount))) (allow guix_daemon_t devpts_t - (chr_file (setattr getattr))) + (chr_file (ioctl open read write setattr getattr))) (allow guix_daemon_t tmpfs_t - (filesystem (mount))) + (filesystem (getattr mount))) + (allow guix_daemon_t + tmpfs_t + (file (create open read unlink write))) (allow guix_daemon_t tmpfs_t - (dir (getattr))) + (dir (getattr add_name remove_name write))) (allow guix_daemon_t proc_t - (filesystem (mount))) + (file (getattr open read))) + (allow guix_daemon_t + proc_t + (dir (read))) + (allow guix_daemon_t + proc_t + (filesystem (associate mount))) (allow guix_daemon_t null_device_t (chr_file (getattr open read write))) @@ -179,7 +249,7 @@ search rename add_name remove_name open write - rmdir))) + rmdir relabelfrom))) (allow guix_daemon_t guix_store_content_t (file (create @@ -189,7 +259,7 @@ link unlink map rename - open read write))) + open read write relabelfrom))) (allow guix_daemon_t guix_store_content_t (lnk_file (create 
@@ -197,17 +267,23 @@ link unlink read rename))) + (allow guix_daemon_t + guix_store_content_t + (fifo_file (create getattr open read unlink write))) + (allow guix_daemon_t + guix_store_content_t + (sock_file (create getattr unlink write))) ;; Access to configuration files and directories (allow guix_daemon_t guix_daemon_conf_t - (dir (search + (dir (search create setattr getattr add_name remove_name open read write))) (allow guix_daemon_t guix_daemon_conf_t - (file (create + (file (create rename lock map getattr setattr @@ -216,11 +292,17 @@ (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink))) + (allow guix_daemon_t net_conf_t + (file (getattr open read))) + (allow guix_daemon_t net_conf_t + (lnk_file (read))) + (allow guix_daemon_t NetworkManager_var_run_t + (dir (search))) ;; Access to profiles (allow guix_daemon_t guix_profiles_t - (dir (getattr setattr read open))) + (dir (search getattr setattr read write open create add_name))) (allow guix_daemon_t guix_profiles_t (lnk_file (read getattr))) @@ -233,6 +315,17 @@ (allow guix_daemon_t user_home_t (dir (search))) + (allow guix_daemon_t + cache_home_t + (dir (search))) + + ;; self upgrades + (allow guix_daemon_t + self + (dir (add_name write))) + (allow guix_daemon_t + self + (netlink_route_socket (bind create getattr nlmsg_read))) ;; Socket operations (allow guix_daemon_t 
@@ -253,12 +346,53 @@ read write connect bind accept getopt setopt))) + (allow guix_daemon_t + self + (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl))) + (allow guix_daemon_t + unreserved_port_t + (tcp_socket (name_bind name_connect accept listen))) + (allow guix_daemon_t + self + (udp_socket (connect getattr bind getopt setopt))) (allow guix_daemon_t self (fifo_file (write read))) (allow guix_daemon_t self (udp_socket (ioctl create))) + (allow guix_daemon_t + self + (unix_stream_socket (connectto))) + + (allow guix_daemon_t + node_t + (tcp_socket (node_bind))) + (allow guix_daemon_t + node_t + (udp_socket (node_bind))) + (allow guix_daemon_t + port_t + (tcp_socket (name_connect))) + (allow guix_daemon_t + rtp_media_port_t + (udp_socket (name_bind))) + (allow guix_daemon_t + vnc_port_t + (tcp_socket (name_bind))) + + ;; I guess sometimes it needs random numbers + (allow guix_daemon_t + random_device_t + (chr_file (read))) + + ;; guix system vm + (allow guix_daemon_t + kvm_device_t + (chr_file (ioctl open read write))) + (allow guix_daemon_t + kernel_t + (system (ipc_info))) ;; Label file system (filecon "@guix_sysconfdir@/guix(/.*)?" -- 2.26.2
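Review bot: in hunk @@ -21,6 +21,18 @@, the new comment recommending `semanage permissive -a guix_daemon.guix_daemon_t` should also tell the reader how to undo it once the audit log has been collected (`semanage permissive -d guix_daemon.guix_daemon_t`), and should say that the audit2allow output is a starting point to be reviewed rule by rule rather than pasted in as-is, because it allows every denial it saw, including ones caused by whatever build happened to run during the experiment rather than by the daemon itself. Minor: "straight-forward" is normally written "straightforward".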
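Review bot: in hunk @@ -55,6 +72,27 @@, `(allow init_t guix_store_content_t (file (open read execute)))` lets init execute any file in the store, which is far wider than the single daemon entry point it needs. The `typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t` context line just above already keys on `guix_daemon_exec_t`, so the narrower fix is to label the daemon's entry point in the store as `guix_daemon_exec_t` with a `filecon` rule (the v4 cover note above says exactly such a rule was added later) and drop the store-wide execute grant. A short comment on which lookups need the `passwd_file_t` read would also help the next reader.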
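Review bot: in hunk @@ -71,25 +109,44 @@, the new `tmp_t` file rule grants `execute execute_no_trans map` (and `relabelto`) to `guix_daemon_t`, so anything the daemon can write under /tmp it can also run inside its own domain, with every capability this policy accumulates; if this is for builder scripts, running them under a separate, weaker build domain via a domain transition would be safer, or at least `execute_no_trans` should be dropped and the remaining need documented. Likewise `(allow guix_daemon_t ephemeral_port_t (tcp_socket (name_connect)))` permits outbound connections to any ephemeral port, which is broader than the HTTP(S)/FTP package downloads the comment describes; please name the consumer in a comment or scope the rule to it.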
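Review bot: in hunk @@ -100,10 +157,10 @@, `execmem` in `(process (fork execmem setrlimit setpgid setsched))` switches off the W^X check for the daemon's own memory, one of the protections most worth keeping for a process that also holds `setuid`, `chown` and `dac_override`; please add a comment on what requires it (a JIT, libffi closures, a library mapping RWX pages) so it can be removed when the cause goes away, and confirm it is not an audit2allow artefact from a build running in this domain.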
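Review bot: in hunk @@ -119,38 +176,51 @@, adding `sys_admin` to the capability list is the broadest grant in this patch (it covers mount, namespace setup and a great deal more), and the new `proc_t` `(filesystem (associate mount))`, `tmpfs_t` and `devpts_t` mount rules suggest it is there for building the isolated build environment; a one-line comment tying `sys_admin` to that use, next to the existing `sys_chroot`, would record why a near-root capability is needed here. The widening of `guix_store_content_t` access to `(file (ioctl mounton))` and `(dir (read mounton))` deserves the same treatment.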
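Review bot: in hunk @@ -233,6 +315,17 @@, under ";; self upgrades", `(allow guix_daemon_t self (dir (add_name write)))` targets directories labelled `guix_daemon_t`, which usually only describes the process's own /proc entries, so this looks like an audit2allow artefact rather than a rule a self-upgrade needs; please check which path produced the denial and either relabel it or drop the rule. The `netlink_route_socket` rule in the same block is typically what getaddrinfo needs to enumerate interfaces and would read better under the networking comment than under "self upgrades".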
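Review bot: in hunk @@ -253,12 +346,53 @@, `(allow guix_daemon_t unreserved_port_t (tcp_socket (name_bind name_connect accept listen)))` together with the new `self` `tcp_socket (accept listen bind ...)` rule lets the daemon listen on any unreserved TCP port, and the `vnc_port_t` and `rtp_media_port_t` `name_bind` rules look like QEMU's VNC display from `guix system vm` running inside the daemon's domain. If so, group them under the ";; guix system vm" comment (which currently covers only `kvm_device_t`) so the listener permissions are visibly tied to that feature, or better, transition QEMU into its own domain so the daemon never needs to listen at all. The ";; I guess sometimes it needs random numbers" comment should name the actual reason (e.g. temporary file names or TLS) before this is merged.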