Hello! Ricardo Wurmus <ricardo.wur...@mdc-berlin.de> skribis:
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.

Impressive!  I know nothing about SELinux so I can’t comment on the
specifics.

> These file labels are defined:

[...]

> The audit log shouldn’t show you any complaints.  At this point you
> could probably switch to enforcing mode, but I haven’t tested this
> myself for no particular reason.

What about putting this text in a new “SELinux Support” section or
similar, along with the current limitations?

> Open issues:

[...]

> * A possible problem is that I assign all files with a name matching
>   “/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon” the label
>   “guix_daemon_exec_t”; this means that *any* file with that name in any
>   profile would be permitted to run in the guix_daemon_t domain.  This
>   is not ideal.  An attacker could build a package that provides this
>   executable and convince a user to install and run it, which lifts it
>   into the guix_daemon_t domain.  At that point SELinux could not
>   prevent it from accessing files that are allowed for processes in that
>   domain (such as the actual daemon).
>
>   This makes me wonder if we could do better by generating a much more
>   restrictive policy at installation time, so that only the *exact* file
>   name of the currently installed guix-daemon executable would be
>   labelled with guix_daemon_exec_t, instead of using a regular
>   expression like that.  This means that root would have to
>   install/upgrade the policy at installation time whenever the Guix
>   package that provides the effectively running guix-daemon executable
>   is upgraded.  Food for thought.

Yeah, guix-daemon.service currently refers to
/var/guix/profiles/…/guix-daemon for similar reasons.

> From d20bae0953d5d0a6bf1c06ab44505af6dea4df4d Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <ricardo.wur...@mdc-berlin.de>
> Date: Thu, 25 Jan 2018 15:21:07 +0100
> Subject: [PATCH] etc: Add SELinux policy for the daemon.
>
> * etc/guix-daemon.cil.in: New file.
> * Makefile.am: Add dist_selinux_policy_DATA.
> * configure.ac: Handle --with-selinux-policy-dir.

[...]

> --- /dev/null
> +++ b/etc/guix-daemon.cil.in
> @@ -0,0 +1,281 @@
> +; -*- lisp -*-

Perhaps add a comment like:

  ;; This is a specification for SELinux X.Y written in the SELinux
  ;; Common Intermediate Language (CIL).

Fun that it uses sexps.  :-)

Thanks!

Ludo’.
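Review bot: the only visible line of the new 281-line etc/guix-daemon.cil.in is the Emacs mode line `; -*- lisp -*-`, and nothing in the hunk documents what the file is; since the `.in` suffix suggests configure fills values into it (the commit message touches configure.ac for --with-selinux-policy-dir), the header comment should state the SELinux/CIL version the policy targets and list the configure-substituted variables, so that a reviewer of the installed guix-daemon.cil can tell which paths were generated rather than hand-written.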
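The open issue quoted above (a regex file context labels every `bin/guix-daemon` in any profile, versus an install-time policy that labels only the exact resolved path) can be made concrete with a small model of the labelling step. The following is an added example written for this discussion; it is not code from the patch or from the Guix project. The store paths are constructed placeholders, anchored matching is used to approximate how SELinux applies file-context regexes, and the `filecon` rendering follows CIL's documented `(filecon path type context)` form with conventional `system_u`/`object_r`/`s0` values, which are assumptions of the example rather than anything the patch shows.

```python
"""Added example: why the broad guix_daemon_exec_t file context over-matches,
and what an install-time generator would emit instead (exact-path filecon)."""
import re

# The pattern quoted in the discussion.  SELinux applies file-context regexes
# to the whole path, which re.fullmatch approximates here (assumption).
BROAD_PATTERN = r"/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon"


def store_path(hash_char, name, rest):
    """Build a constructed /gnu/store path; the 32-char hash is a placeholder."""
    return f"/gnu/store/{hash_char * 32}-{name}/{rest}"


# Constructed sample paths, not real store items.
LEGIT_DAEMON = store_path("a", "guix-0.14.0", "bin/guix-daemon")
SAMPLE_PATHS = [
    LEGIT_DAEMON,                                              # the installed daemon
    store_path("b", "profile", "bin/guix-daemon"),             # any profile carrying such a file
    store_path("c", "guix-lookalike-1.0", "bin/guix-daemon"),  # any package named guix-*
    store_path("d", "coreutils-8.29", "bin/ls"),               # unrelated binary
]

_REGEX_SPECIALS = re.compile(r"([.+*?()\[\]{}|^$\\])")


def regex_literal(path):
    """Escape a path so a file-context regex matches exactly that path."""
    return _REGEX_SPECIALS.sub(r"\\\1", path)


def filecon(pattern, type_name="guix_daemon_exec_t"):
    """Render a CIL filecon statement for a file pattern.

    The (filecon path type context) shape is CIL's; the user/role/range
    values are the conventional ones and are an assumption of this example.
    """
    return f'(filecon "{pattern}" file (system_u object_r {type_name} ((s0) (s0))))'


def exact_policy_for(daemon_path):
    """What an install-time generator would emit: one filecon for the exact,
    already-resolved path of the daemon that is actually running."""
    return filecon(regex_literal(daemon_path))


def labelled_paths(pattern, paths):
    """Return the sample paths a given file-context regex would label."""
    return [p for p in paths if re.fullmatch(pattern, p)]


if __name__ == "__main__":
    print("broad pattern labels:")
    for p in labelled_paths(BROAD_PATTERN, SAMPLE_PATHS):
        print("  ", p)
    print("exact policy statement:")
    print("  ", exact_policy_for(LEGIT_DAEMON))
    print("exact pattern labels:")
    for p in labelled_paths(regex_literal(LEGIT_DAEMON), SAMPLE_PATHS):
        print("  ", p)
```

Running it shows the broad pattern labelling three of the four constructed paths (the real daemon, a profile, and an unrelated `guix-*` package), while the generated statement labels only the resolved daemon path; on a real system the input to `exact_policy_for` would come from resolving the profile symlink the service unit points at, which is why such a policy must be regenerated whenever that link changes.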