aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-11-26 00:29:53 +0100
committerMarius Bakke <marius@gnu.org>2020-11-26 00:31:47 +0100
commit402ebffe195890c9826cfa7519034dd12a48ae6a (patch)
treea68ed4fea73dad10746ffd0ac4df880b4a1430b2
parent9b9c6f2594628594f73968e9a8360f9db3aad44b (diff)
downloadguix-402ebffe195890c9826cfa7519034dd12a48ae6a.tar
guix-402ebffe195890c9826cfa7519034dd12a48ae6a.tar.gz
etc: Add more SELinux permissions for the daemon.
* etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr, read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to PostgreSQL.
-rw-r--r--etc/guix-daemon.cil.in15
1 files changed, 13 insertions, 2 deletions
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 0d7945843e..8ff6716038 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -264,6 +264,7 @@
link unlink
map
rename
+ append
open read write relabelfrom)))
(allow guix_daemon_t
guix_store_content_t
@@ -277,7 +278,7 @@
(fifo_file (create getattr open read unlink write)))
(allow guix_daemon_t
guix_store_content_t
- (sock_file (create getattr unlink write)))
+ (sock_file (create getattr setattr unlink write)))
;; Access to configuration files and directories
(allow guix_daemon_t
@@ -362,7 +363,7 @@
(tcp_socket (name_bind name_connect accept listen)))
(allow guix_daemon_t
self
- (udp_socket (connect getattr bind getopt setopt)))
+ (udp_socket (connect getattr bind getopt setopt read write)))
(allow guix_daemon_t
self
(fifo_file (write read)))
@@ -376,6 +377,7 @@
self
(unix_dgram_socket (create bind connect sendto read write)))
+ ;; For some esoteric build jobs (i.e. PostgreSQL).
(allow guix_daemon_t
node_t
(tcp_socket (node_bind)))
@@ -386,6 +388,15 @@
port_t
(tcp_socket (name_connect)))
(allow guix_daemon_t
+ tmpfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ hugetlbfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ postgresql_port_t
+ (tcp_socket (name_connect name_bind)))
+ (allow guix_daemon_t
rtp_media_port_t
(udp_socket (name_bind)))
(allow guix_daemon_t