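#!/bin/sh
# Print a version string.

# Version stamp of this script (a UTC date); as a single collapsed line the
# assignment was swallowed by the shebang's comment, so it is restored here
# as its own statement.
scriptversion=2017-01-09.19 # UTC

# Copyright (C) 2007-2017 Free Software Foundation, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# This script is derived from GIT-VERSION-GEN from GIT: http://git.or.cz/.
# It may be run two ways:
# - from a git repository in which the "git describe" command below
#   produces useful output (thus requiring at least one signed tag)
# - from a non-git-repo directory containing a .tarball-version file, which
#   presumes this script is invoked like "./git-version-gen .tarball-version".

# In order to use intra-version strings in your project, you will need two
# separate generated version string files:
#
# .tarball-version - present only in a distribution tarball, and not in
#   a checked-out repository.  Created with contents that were learned at
#   the last time autoconf was run, and used by git-version-gen.  Must not
#   be present in either $(srcdir) or $(builddir) for git-version-gen to
#   give accurate answers during normal development with a checked out tree,
#   but must be present in a tarball when there is no version control system.
#   Therefore, it cannot be used in any dependencies.  GNUmakefile has
#   hooks to force a reconfigure at distribution time to get the value
#   correct, without penalizing normal development with extra reconfigures.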
# # .version - pr; -*- lisp -*- ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2018, 2022 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net> ;;; Copyright © 2020 Marius Bakke <marius@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. ;; This is a specification for SELinux 2.7 written in the SELinux Common ;; Intermediate Language (CIL). It refers to types that must be defined in ;; the system's base policy. ;; If you, like me, need advice about fixing an SELinux policy, I recommend ;; reading https://danwalsh.livejournal.com/55324.html ;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t ;; to allow guix-daemon to do whatever it wants. SELinux will still check its ;; permissions, and when it doesn't have permission it will still send an ;; audit message to your system logs. This lets you know what permissions it ;; ought to have. Use ausearch --raw to find the permissions violations, then ;; pipe that to audit2allow to generate an updated policy. You'll still need ;; to translate that policy into CIL in order to update this file, but that's ;; fairly straight-forward. Annoying, but easy. 
(block guix_daemon ;; Require existing types (typeattributeset cil_gen_require domain) (typeattributeset cil_gen_require init_t) (typeattributeset cil_gen_require init_var_run_t) (typeattributeset cil_gen_require nscd_var_run_t) (typeattributeset cil_gen_require system_dbusd_var_run_t) (typeattributeset cil_gen_require tmp_t) (typeattributeset cil_gen_require var_log_t) ;; Declare own types (type guix_daemon_t) (roletype object_r guix_daemon_t) (type guix_daemon_conf_t) (roletype object_r guix_daemon_conf_t) (typeattributeset file_type guix_daemon_conf_t) (type guix_daemon_exec_t) (roletype object_r guix_daemon_exec_t) (typeattributeset file_type guix_daemon_exec_t) (type guix_daemon_socket_t) (roletype object_r guix_daemon_socket_t) (typeattributeset file_type guix_daemon_socket_t) (type guix_store_content_t) (roletype object_r guix_store_content_t) (typeattributeset file_type guix_store_content_t) (type guix_profiles_t) (roletype object_r guix_profiles_t) (typeattributeset file_type guix_profiles_t) ;; These types are domains, thereby allowing process rules (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)) (level low (s0)) ;; When a process in init_t or guix_store_content_t spawns a ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context (typetransition init_t guix_daemon_exec_t process guix_daemon_t) (typetransition guix_store_content_t guix_daemon_exec_t process guix_daemon_t) (roletype system_r guix_daemon_t) ;; allow init_t to read and execute guix files (allow init_t guix_profiles_t (lnk_file (read))) (allow init_t guix_daemon_exec_t (file (execute))) (allow init_t guix_daemon_t (process (transition))) (allow init_t guix_store_content_t (lnk_file (read))) (allow init_t guix_store_content_t (file (open read execute))) (allow init_t guix_profiles_t (dir (setattr))) ;; guix-daemon needs to know the names of users (allow guix_daemon_t passwd_file_t (file (getattr open read))) ;; Permit communication with NSCD (allow guix_daemon_t 
nscd_var_run_t (file (map read))) (allow guix_daemon_t nscd_var_run_t (dir (search))) (allow guix_daemon_t nscd_var_run_t (sock_file (write))) (allow guix_daemon_t nscd_t (fd (use))) (allow guix_daemon_t nscd_t (unix_stream_socket (connectto))) (allow guix_daemon_t nscd_t (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv))) ;; permit downloading packages via HTTP(s) (allow guix_daemon_t http_port_t (tcp_socket (name_connect))) (allow guix_daemon_t ftp_port_t (tcp_socket (name_connect))) (allow guix_daemon_t ephemeral_port_t (tcp_socket (name_connect))) ;; Permit logging and temp file access (allow guix_daemon_t tmp_t (lnk_file (create rename setattr unlink))) (allow guix_daemon_t tmp_t (file (link rename create execute execute_no_trans write unlink setattr map relabelto relabelfrom))) (allow guix_daemon_t tmp_t (fifo_file (open read write create getattr ioctl setattr unlink))) (allow guix_daemon_t tmp_t (dir (create rename rmdir relabelto relabelfrom reparent add_name remove_name open read write getattr setattr search))) (allow guix_daemon_t tmp_t (sock_file (create getattr setattr unlink write))) (allow guix_daemon_t var_log_t (file (create getattr open write))) (allow guix_daemon_t var_log_t (dir (getattr create write add_name))) (allow guix_daemon_t var_run_t (lnk_file (read))) (allow guix_daemon_t var_run_t (dir (search))) ;; Spawning processes, execute helpers (allow guix_daemon_t self (process (fork execmem setrlimit setpgi