~ruther/guix-local: etc: Update SELinux rule file to support unprivileged daemon.

bd2edc9e435402b48fd201b56ab486151512717a — Rutherther 5 months ago f29cd88

etc: Update SELinux rule file to support unprivileged daemon.

Fixes: #3576.

* etc/guix-daemon.cil.in: Add rules for unprivileged daemon.

Change-Id: Ic0c561036230d397f7071daef33ca8181684d014
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

patch browse .tar.gz

1 files changed, 11 insertions(+), 0 deletions(-)

M etc/guix-daemon.cil.in

M etc/guix-daemon.cil.in => etc/guix-daemon.cil.in +11 -0

@@ 185,6 185,9 @@
   (allow guix_daemon_t
          root_t
          (dir (mounton)))
+  (allow init_t
+         guix_daemon.guix_store_content_t
+         (dir (mounton)))
   (allow guix_daemon_t
          fs_t
          (filesystem (getattr)))


@@ 361,6 364,14 @@
          self
          (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
 
+  ;; Allow use of user namespaces
+  (allow guix_daemon_t
+         self
+         (cap_userns (sys_admin net_admin sys_chroot)))
+  (allow guix_daemon_t
+         self
+         (user_namespace (create)))
+
   ;; Socket operations
   (allow guix_daemon_t
          guix_daemon_socket_t