guix-parameters/GUIX/etc/guix-daemon.cil.in

; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018, 2022 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; This is a specification for SELinux 2.7 written in the SELinux Common
;; Intermediate Language (CIL).  It refers to types that must be defined in
;; the system's base policy.

;; If you, like me, need advice about fixing an SELinux policy, I recommend
;; reading https://danwalsh.livejournal.com/55324.html

;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
;; to allow guix-daemon to do whatever it wants. SELinux will still check its
;; permissions, and when it doesn't have permission it will still send an
;; audit message to your system logs. This lets you know what permissions it
;; ought to have. Use ausearch --raw to find the permissions violations, then
;; pipe that to audit2allow to generate an updated policy. You'll still need
;; to translate that policy into CIL in order to update this file, but that's
;; fairly straight-forward. Annoying, but easy.

(block guix_daemon
  ;; Require existing types
  (typeattributeset cil_gen_require domain)
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require init_var_run_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require system_dbusd_var_run_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require var_log_t)

  ;; Declare own types
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (typeattributeset file_type guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (typeattributeset file_type guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (typeattributeset file_type guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)
  (typeattributeset file_type guix_profiles_t)

  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  (level low (s0))

  ;; When a process in init_t or guix_store_content_t spawns a
  ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  (roletype system_r guix_daemon_t)

  ;; allow init_t to read and execute guix files
  (allow init_t
         guix_profiles_t
         (lnk_file (read)))
  (allow init_t
         guix_daemon_exec_t
         (file (execute)))
  (allow init_t
         guix_daemon_t
         (process (transition)))
  (allow init_t
         guix_store_content_t
         (lnk_file (read)))
  (allow init_t
         guix_store_content_t
         (file (open read execute)))
  (allow init_t
         guix_profiles_t
         (dir (setattr)))

  ;; guix-daemon needs to know the names of users
  (allow guix_daemon_t
         passwd_file_t
         (file (getattr open read)))

  ;; Permit communication with NSCD
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t nscd_t
         (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))

  ;; permit downloading packages via HTTP(s)
  (allow guix_daemon_t http_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ftp_port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t ephemeral_port_t
         (tcp_socket (name_connect)))

  ;; Permit logging and temp file access
  (allow guix_daemon_t
         tmp_t
         (lnk_file (create rename setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (file (link
                rename create execute execute_no_trans write
                unlink setattr map relabelto relabelfrom)))
  (allow guix_daemon_t
         tmp_t
         (fifo_file (open read write create getattr ioctl setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create rename
               rmdir relabelto relabelfrom reparent
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         tmp_t
         (sock_file (create getattr setattr unlink write)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr create write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers
  (allow guix_daemon_t
         self
         (process (fork execmem setrlimit setpgid setsched)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute
                execute_no_trans read write open entrypoint map
                getattr link unlink)))

  ;; Remounting /gnu/store read-write.
  (allow guix_daemon_t
         fs_t
         (filesystem (remount)))

  ;; TODO: unknown
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation
  (allow guix_daemon_t
         guix_store_content_t
         (file (ioctl mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (read mounton)))
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot
                      sys_admin)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (dir (search)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (ioctl open read write setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (getattr mount)))
  (allow guix_daemon_t
         tmpfs_t
         (file (create open read unlink write)))
  (allow guix_daemon_t                          ;same as above, but with tmp_t
         tmp_t
         (file (create open read unlink write)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr add_name remove_name write)))
  (allow guix_daemon_t
         proc_t
         (file (getattr open read)))
  (allow guix_daemon_t
         proc_t
         (dir (read)))
  (allow guix_daemon_t
         proc_t
         (filesystem (associate mount)))
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                append
                open read write relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))
  (allow guix_daemon_t
         guix_store_content_t
         (fifo_file (create getattr open read unlink write)))
  (allow guix_daemon_t
         guix_store_content_t
         (sock_file (create getattr setattr unlink write)))

  ;; Access to run state directories
  (allow guix_daemon_t
         system_dbusd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         init_var_run_t
         (dir (search)))

  ;; Access to configuration files and directories
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search create
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create rename
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink read)))
  (allow guix_daemon_t net_conf_t
         (file (getattr open read)))
  (allow guix_daemon_t net_conf_t
         (lnk_file (read)))
  (allow guix_daemon_t NetworkManager_var_run_t
         (dir (search)))

  ;; Access to profiles
  (allow guix_daemon_t
         guix_profiles_t
         (dir (search getattr setattr read write open create add_name)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))
  (allow guix_daemon_t
         cache_home_t
         (dir (search)))
  (allow guix_daemon_t
         cache_home_t
         (lnk_file (getattr read)))

  ;; self upgrades
  (allow guix_daemon_t
         self
         (dir (add_name write)))
  (allow guix_daemon_t
         self
         (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))

  ;; Socket operations
  (allow guix_daemon_t
         guix_daemon_socket_t
         (sock_file (unlink write)))
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink write)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
  (allow guix_daemon_t
         unreserved_port_t
         (tcp_socket (name_bind name_connect accept listen)))
  (allow guix_daemon_t
         self
         (udp_socket (connect getattr bind getopt setopt read write)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (connectto)))
  (allow guix_daemon_t
         self
         (unix_dgram_socket (create bind connect sendto read write)))

  ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
  (allow guix_daemon_t
         self
         (capability (kill)))
  (allow guix_daemon_t
         node_t
         (tcp_socket (node_bind)))
  (allow guix_daemon_t
         node_t
         (udp_socket (node_bind)))
  (allow guix_daemon_t
         port_t
         (tcp_socket (name_connect)))
  (allow guix_daemon_t
         tmpfs_t
         (file (map read write link getattr)))
  (allow guix_daemon_t
         usermodehelper_t
         (file (read)))
  (allow guix_daemon_t
         hugetlbfs_t
         (file (map read write)))
  (allow guix_daemon_t
         proc_net_t
         (file (read)))
  (allow guix_daemon_t
         postgresql_port_t
         (tcp_socket (name_connect name_bind)))
  (allow guix_daemon_t
         rtp_media_port_t
         (udp_socket (name_bind)))
  (allow guix_daemon_t
         vnc_port_t
         (tcp_socket (name_bind)))

  ;; I guess sometimes it needs random numbers
  (allow guix_daemon_t
         random_device_t
         (chr_file (read)))

  ;; guix system vm
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (ioctl open read write)))
  (allow guix_daemon_t
         kernel_t
         (system (ipc_info)))

  ;; Label file system
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles/per-user/[^/]+/current-guix/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/[a-z0-9]+-guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))