| blob | c0c82d8fbbc3a9dbaab0880719984a92e1ad8c56 |
1 ; -*- lisp -*-
2 ;;; GNU Guix --- Functional package management for GNU
3 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
4 ;;;
5 ;;; This file is part of GNU Guix.
6 ;;;
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
11 ;;;
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
16 ;;;
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 ;; This is a specification for SELinux 2.7 written in the SELinux Common
21 ;; Intermediate Language (CIL). It refers to types that must be defined in
22 ;; the system's base policy.
24 (block guix_daemon
25 ;; Require existing types
26 (typeattributeset cil_gen_require init_t)
27 (typeattributeset cil_gen_require tmp_t)
28 (typeattributeset cil_gen_require nscd_var_run_t)
29 (typeattributeset cil_gen_require var_log_t)
30 (typeattributeset cil_gen_require domain)
32 ;; Declare own types
33 (type guix_daemon_t)
34 (roletype object_r guix_daemon_t)
35 (type guix_daemon_conf_t)
36 (roletype object_r guix_daemon_conf_t)
37 (type guix_daemon_exec_t)
38 (roletype object_r guix_daemon_exec_t)
39 (type guix_daemon_socket_t)
40 (roletype object_r guix_daemon_socket_t)
41 (type guix_store_content_t)
42 (roletype object_r guix_store_content_t)
43 (type guix_profiles_t)
44 (roletype object_r guix_profiles_t)
46 ;; These types are domains, thereby allowing process rules
47 (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
49 (level low (s0))
51 ;; When a process in init_t or guix_store_content_t spawns a
52 ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
53 (typetransition init_t guix_daemon_exec_t
54 process guix_daemon_t)
55 (typetransition guix_store_content_t guix_daemon_exec_t
56 process guix_daemon_t)
58 ;; Permit communication with NSCD
59 (allow guix_daemon_t
60 nscd_var_run_t
61 (file (map read)))
62 (allow guix_daemon_t
63 nscd_var_run_t
64 (dir (search)))
65 (allow guix_daemon_t
66 nscd_var_run_t
67 (sock_file (write)))
68 (allow guix_daemon_t
69 nscd_t
70 (fd (use)))
71 (allow guix_daemon_t
72 nscd_t
73 (unix_stream_socket (connectto)))
75 ;; Permit logging and temp file access
76 (allow guix_daemon_t
77 tmp_t
78 (lnk_file (setattr unlink)))
79 (allow guix_daemon_t
80 tmp_t
81 (dir (create
82 rmdir
83 add_name remove_name
84 open read write
85 getattr setattr
86 search)))
87 (allow guix_daemon_t
88 var_log_t
89 (file (create getattr open write)))
90 (allow guix_daemon_t
91 var_log_t
92 (dir (getattr write add_name)))
93 (allow guix_daemon_t
94 var_run_t
95 (lnk_file (read)))
96 (allow guix_daemon_t
97 var_run_t
98 (dir (search)))
100 ;; Spawning processes, execute helpers
101 (allow guix_daemon_t
102 self
103 (process (fork)))
104 (allow guix_daemon_t
105 guix_daemon_exec_t
106 (file (execute execute_no_trans read open)))
108 ;; TODO: unknown
109 (allow guix_daemon_t
110 root_t
111 (dir (mounton)))
112 (allow guix_daemon_t
113 fs_t
114 (filesystem (getattr)))
115 (allow guix_daemon_conf_t
116 fs_t
117 (filesystem (associate)))
119 ;; Build isolation
120 (allow guix_daemon_t
121 guix_store_content_t
122 (file (mounton)))
123 (allow guix_store_content_t
124 fs_t
125 (filesystem (associate)))
126 (allow guix_daemon_t
127 guix_store_content_t
128 (dir (mounton)))
129 (allow guix_daemon_t
130 guix_daemon_t
131 (capability (net_admin
132 fsetid fowner
133 chown setuid setgid
134 dac_override dac_read_search
135 sys_chroot)))
136 (allow guix_daemon_t
137 fs_t
138 (filesystem (unmount)))
139 (allow guix_daemon_t
140 devpts_t
141 (filesystem (mount)))
142 (allow guix_daemon_t
143 devpts_t
144 (chr_file (setattr getattr)))
145 (allow guix_daemon_t
146 tmpfs_t
147 (filesystem (mount)))
148 (allow guix_daemon_t
149 tmpfs_t
150 (dir (getattr)))
151 (allow guix_daemon_t
152 proc_t
153 (filesystem (mount)))
154 (allow guix_daemon_t
155 null_device_t
156 (chr_file (getattr open read write)))
157 (allow guix_daemon_t
158 kvm_device_t
159 (chr_file (getattr)))
160 (allow guix_daemon_t
161 zero_device_t
162 (chr_file (getattr)))
163 (allow guix_daemon_t
164 urandom_device_t
165 (chr_file (getattr)))
166 (allow guix_daemon_t
167 random_device_t
168 (chr_file (getattr)))
169 (allow guix_daemon_t
170 devtty_t
171 (chr_file (getattr)))
173 ;; Access to store items
174 (allow guix_daemon_t
175 guix_store_content_t
176 (dir (reparent
177 create
178 getattr setattr
179 search rename
180 add_name remove_name
181 open write
182 rmdir)))
183 (allow guix_daemon_t
184 guix_store_content_t
185 (file (create
186 lock
187 setattr getattr
188 execute execute_no_trans
189 link unlink
190 map
191 rename
192 open read write)))
193 (allow guix_daemon_t
194 guix_store_content_t
195 (lnk_file (create
196 getattr setattr
197 link unlink
198 read
199 rename)))
201 ;; Access to configuration files and directories
202 (allow guix_daemon_t
203 guix_daemon_conf_t
204 (dir (search
205 setattr getattr
206 add_name remove_name
207 open read write)))
208 (allow guix_daemon_t
209 guix_daemon_conf_t
210 (file (create
211 lock
212 map
213 getattr setattr
214 unlink
215 open read write)))
216 (allow guix_daemon_t
217 guix_daemon_conf_t
218 (lnk_file (create getattr rename unlink)))
220 ;; Access to profiles
221 (allow guix_daemon_t
222 guix_profiles_t
223 (dir (getattr setattr read open)))
224 (allow guix_daemon_t
225 guix_profiles_t
226 (lnk_file (read getattr)))
228 ;; Access to profile links in the home directory
229 ;; TODO: allow access to profile links *anywhere* on the filesystem
230 (allow guix_daemon_t
231 user_home_t
232 (lnk_file (read getattr)))
233 (allow guix_daemon_t
234 user_home_t
235 (dir (search)))
237 ;; Socket operations
238 (allow guix_daemon_t
239 init_t
240 (fd (use)))
241 (allow guix_daemon_t
242 init_t
243 (unix_stream_socket (write)))
244 (allow guix_daemon_t
245 guix_daemon_conf_t
246 (unix_stream_socket (listen)))
247 (allow guix_daemon_t
248 guix_daemon_conf_t
249 (sock_file (create unlink)))
250 (allow guix_daemon_t
251 self
252 (unix_stream_socket (create
253 read write
254 connect bind accept
255 getopt setopt)))
256 (allow guix_daemon_t
257 self
258 (fifo_file (write read)))
259 (allow guix_daemon_t
260 self
261 (udp_socket (ioctl create)))
263 ;; Label file system
264 (filecon "@guix_sysconfdir@/guix(/.*)?"
265 any (system_u object_r guix_daemon_conf_t (low low)))
266 (filecon "@guix_localstatedir@/guix(/.*)?"
267 any (system_u object_r guix_daemon_conf_t (low low)))
268 (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
269 any (system_u object_r guix_profiles_t (low low)))
270 (filecon "/gnu"
271 dir (unconfined_u object_r guix_store_content_t (low low)))
272 (filecon "@storedir@(/.+)?"
273 any (unconfined_u object_r guix_store_content_t (low low)))
274 (filecon "@storedir@/[^/]+/.+"
275 any (unconfined_u object_r guix_store_content_t (low low)))
276 (filecon "@prefix@/bin/guix-daemon"
277 file (system_u object_r guix_daemon_exec_t (low low)))
278 (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
279 file (system_u object_r guix_daemon_exec_t (low low)))
280 (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate"
281 file (system_u object_r guix_daemon_exec_t (low low)))
282 (filecon "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?"
283 any (system_u object_r guix_daemon_exec_t (low low)))
284 (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
285 any (system_u object_r guix_daemon_socket_t (low low))))