

2.2.3 SELinux Support

Guix includes an SELinux policy file at etc/guix-daemon.cil that can be installed on a system where SELinux is enabled, in order to label Guix files and to specify the expected behavior of the daemon. Since Guix System does not provide an SELinux base policy, the daemon policy cannot be used on Guix System.

2.2.3.1 Installing the SELinux policy

Note: The guix-install.sh binary installation script offers to perform the steps below for you (see Binary Installation).

Run this command as root to install the policy:

semodule -i /var/guix/profiles/per-user/root/current-guix/share/selinux/guix-daemon.cil

Then, as root, relabel the file system, possibly after making it writable:

mount -o remount,rw /gnu/store
restorecon -R /gnu /var/guix

At this point you can start or restart guix-daemon; on a distribution that uses systemd as its service manager, you can do that with:

systemctl restart guix-daemon

Once the policy is installed, the file system has been relabeled, and the daemon has been restarted, it should be running in the guix_daemon_t context. You can confirm this with the following command:

ps -Zax | grep guix-daemon

Monitor the SELinux log files as you run a command like guix build hello to convince yourself that SELinux permits all necessary operations.

2.2.3.2 Limitations

This policy is not perfect. Here is a list of limitations or quirks that should be considered when deploying the provided SELinux policy for the Guix daemon.

  1. guix_daemon_socket_t isn’t actually used. None of the socket operations involve contexts that have anything to do with guix_daemon_socket_t. It doesn’t hurt to have this unused label, but it would be preferable to define socket rules for only this label.
  2. guix gc cannot access arbitrary links to profiles. By design, the file label of the destination of a symlink is independent of the file label of the link itself. Although all profiles under $localstatedir are labelled, the links to these profiles inherit the label of the directory they are in. For links in the user’s home directory this will be user_home_t. But for links from the root user’s home directory, or /tmp, or the HTTP server’s working directory, etc, this won’t work. guix gc would be prevented from reading and following these links.
  3. The daemon's feature to listen for TCP connections might no longer work. This might require extra rules, because SELinux treats network sockets differently from files.
  4. Currently all files with a name matching the regular expression /gnu/store/.+-(guix-.+|profile)/bin/guix-daemon are assigned the label guix_daemon_exec_t; this means that any file with that name in any profile would be permitted to run in the guix_daemon_t domain. This is not ideal. An attacker could build a package that provides this executable and convince a user to install and run it, which lifts it into the guix_daemon_t domain. At that point SELinux could not prevent it from accessing files that are allowed for processes in that domain.

    You will need to relabel the store directory after all upgrades to guix-daemon, such as after running guix pull. Assuming the store is in /gnu, you can do this with restorecon -vR /gnu, or by other means provided by your operating system.

    We could generate a much more restrictive policy at installation time, so that only the exact file name of the currently installed guix-daemon executable would be labelled with guix_daemon_exec_t, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running guix-daemon executable is upgraded.
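The two checks below are an added example and are not part of the Guix manual or the Guix project's own tooling. The first helper reads `ps -Zax` style output and extracts the SELinux domain of the guix-daemon process, which is the confirmation step described in the installation section above. The second applies the file-context regular expression quoted in limitation 4 to a path, which makes it easy to see which store paths would receive the guix_daemon_exec_t label and therefore be allowed to enter the guix_daemon_t domain. The `ps` output, store hashes and version numbers in the sample data are constructed for the example and were not captured from a real system.

```shell
#!/bin/sh
# Added example: helpers for checking the Guix SELinux policy deployment.
# Not part of the Guix manual or the Guix project.

# The file-context regular expression from the manual. Every path matching it
# is labelled guix_daemon_exec_t by the shipped policy.
GUIX_DAEMON_FC_RE='^/gnu/store/.+-(guix-.+|profile)/bin/guix-daemon$'

# Return success (0) if PATH would receive the guix_daemon_exec_t label under
# the shipped policy, failure (1) otherwise.
path_gets_exec_label() {
    printf '%s\n' "$1" | grep -Eq "$GUIX_DAEMON_FC_RE"
}

# Read `ps -Zax` style output on stdin and print the SELinux domain (the third
# colon-separated field of the context) of the first guix-daemon process.
# Prints nothing if no guix-daemon process is listed.
daemon_domain() {
    grep 'guix-daemon' | grep -v 'grep' \
        | awk '{ split($1, ctx, ":"); print ctx[3]; exit }'
}

# Constructed sample of `ps -Zax` output (hash and version are placeholders).
SAMPLE_PS='LABEL                              PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0           1 ?        Ss     0:01 /sbin/init
system_u:system_r:guix_daemon_t:s0  812 ?        Ssl    0:00 /gnu/store/00000000000000000000000000000000-guix-1.4.0/bin/guix-daemon --build-users-group=guixbuild'

# Succeeds only when the sampled guix-daemon runs in guix_daemon_t.
check_daemon_confined() {
    dom=$(printf '%s\n' "$SAMPLE_PS" | daemon_domain)
    [ "$dom" = "guix_daemon_t" ]
}

# Stand-alone usage: on a real host replace SAMPLE_PS with `ps -Zax`.
if check_daemon_confined; then
    echo "guix-daemon runs in guix_daemon_t"
else
    echo "guix-daemon is NOT confined to guix_daemon_t" >&2
fi

# Show which constructed paths the policy's regular expression would label.
for p in "/gnu/store/00000000000000000000000000000000-guix-1.4.0/bin/guix-daemon" \
         "/gnu/store/00000000000000000000000000000000-profile/bin/guix-daemon" \
         "/gnu/store/00000000000000000000000000000000-hello-2.12/bin/hello"; do
    if path_gets_exec_label "$p"; then
        echo "labelled guix_daemon_exec_t: $p"
    else
        echo "not labelled:               $p"
    fi
done
```

On a live system, pipe the real `ps -Zax` output into `daemon_domain` instead of the sample. The regular-expression check is what makes limitation 4 concrete: any profile that ships a `bin/guix-daemon` matches, not just the one installed for the running daemon.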

