~ruther/guix-local: etc: SELinux: Add permissions to allow garbage collection.

53808b13b8c91826a0871bf49a9957b8228c4086 — Thiago Jung Bauermann 2 months ago 1b59b93

etc: SELinux: Add permissions to allow garbage collection.

There may be an improvement to be made to guix-daemon to avoid some
spurious denial audit messages, as described in the FIXME.

* etc/guix-daemon.cil.in: Add missing rules for guix gc.

Change-Id: I3651c4523528649048c7135fabd3000c8e78b1ff
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

patch browse .tar.gz

1 files changed, 21 insertions(+), 0 deletions(-)

M etc/guix-daemon.cil.in

M etc/guix-daemon.cil.in => etc/guix-daemon.cil.in +21 -0

@@ 455,6 455,27 @@
          vnc_port_t
          (tcp_socket (name_bind)))
 
+  ;; 'guix gc' needs to go through /proc entries for all processes that are
+  ;; running.  Strictly speaking, it means guix-daemon needs access to all
+  ;; process types in the SELinux policy.  In practice, only processes from
+  ;; programs in the /gnu/store are relevant for finding roots for garbage
+  ;; collection.  Since Guix currently doesn't install any SELinux policy for
+  ;; its packages, we can assume that all the processes it needs to access run
+  ;; as unconfined_t.
+  ;;
+  ;; FIXME: This doesn't stop 'guix gc' from generating a lot of unnecessary
+  ;; AVC denied audit messages.  Perhaps guix-daemon could test whether it has
+  ;; access to the proc entry before trying to access it?
+  (allow guix_daemon_t
+         unconfined_t
+         (dir (search)))
+  (allow guix_daemon_t
+         unconfined_t
+         (file (read)))
+  (allow guix_daemon_t
+         unconfined_t
+         (lnk_file (read)))
+
   ;; I guess sometimes it needs random numbers
   (allow guix_daemon_t
          random_device_t