~ruther/guix-local: etc: SELinux: Add missing permissions.

1b59b93602d034d75882b0ca076a732cd1865d98 — Thiago Jung Bauermann 2 months ago 1850ff7

etc: SELinux: Add missing permissions.

With the changes in this commit, I can use "guix pull" and
"guix install <package>" successfully and without generating SELinux
denial erros in the system log.

* etc/guix-daemon.cil.in: Add missing rules for guix pull/guix install.

Change-Id: I40b5ed2c458b275804bc073fb72286947ecb0283
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

patch browse .tar.gz

1 files changed, 6 insertions(+), 2 deletions(-)

M etc/guix-daemon.cil.in

M etc/guix-daemon.cil.in => etc/guix-daemon.cil.in +6 -2

@@ 175,6 175,10 @@
          (file (execute
                 execute_no_trans read write open entrypoint map
                 getattr link unlink)))
+  ;; Needed to execute the 'newgidmap' helper.
+  (allow guix_daemon_t
+         bin_t
+         (file (execute execute_no_trans map)))
 
   ;; Remounting /gnu/store read-write.
   (allow guix_daemon_t


@@ 322,7 326,7 @@
                 map
                 getattr setattr
                 unlink
-                open read write)))
+                open read write append)))
   (allow guix_daemon_t
          guix_daemon_conf_t
          (lnk_file (create getattr rename unlink read)))


@@ 367,7 371,7 @@
   ;; Allow use of user namespaces
   (allow guix_daemon_t
          self
-         (cap_userns (sys_admin net_admin sys_chroot)))
+         (cap_userns (setgid sys_admin net_admin sys_chroot)))
   (allow guix_daemon_t
          self
          (user_namespace (create)))