author | Marius Bakke <marius@gnu.org> | 2020-11-26 00:29:53 +0100 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2020-11-26 00:31:47 +0100 |
commit | 402ebffe195890c9826cfa7519034dd12a48ae6a (patch) | |
tree | a68ed4fea73dad10746ffd0ac4df880b4a1430b2 | |
parent | 9b9c6f2594628594f73968e9a8360f9db3aad44b (diff) | |
etc: Add more SELinux permissions for the daemon.
* etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr,
read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to
PostgreSQL.
-rw-r--r-- | etc/guix-daemon.cil.in | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 0d7945843e..8ff6716038 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -264,6 +264,7 @@
 link unlink map rename
+ append
 open read write relabelfrom)))
 (allow guix_daemon_t
 guix_store_content_t
@@ -277,7 +278,7 @@
 (fifo_file (create getattr open read unlink write)))
 (allow guix_daemon_t
 guix_store_content_t
- (sock_file (create getattr unlink write)))
+ (sock_file (create getattr setattr unlink write)))
 
 ;; Access to configuration files and directories
 (allow guix_daemon_t
@@ -362,7 +363,7 @@
 (tcp_socket (name_bind name_connect accept listen)))
 (allow guix_daemon_t
 self
- (udp_socket (connect getattr bind getopt setopt)))
+ (udp_socket (connect getattr bind getopt setopt read write)))
 (allow guix_daemon_t
 self
 (fifo_file (write read)))
@@ -376,6 +377,7 @@
 self
 (unix_dgram_socket (create bind connect sendto read write)))
 
+ ;; For some esoteric build jobs (i.e. PostgreSQL).
 (allow guix_daemon_t
 node_t
 (tcp_socket (node_bind)))
@@ -386,6 +388,15 @@
 port_t
 (tcp_socket (name_connect)))
 (allow guix_daemon_t
+ tmpfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ hugetlbfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ postgresql_port_t
+ (tcp_socket (name_connect name_bind)))
+ (allow guix_daemon_t
 rtp_media_port_t
 (udp_socket (name_bind)))
 (allow guix_daemon_t
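Review bot: The new comment `;; For some esoteric build jobs (i.e. PostgreSQL).` in hunk `@@ -376,6 +377,7 @@` is placed directly above the pre-existing `(allow guix_daemon_t node_t (tcp_socket (node_bind)))` rule, so a reader will take it as explaining `node_bind` rather than the `postgresql_port_t` rule that is actually added in the next hunk (`@@ -386,6 +388,15 @@`). Move the comment so it sits immediately above `(allow guix_daemon_t postgresql_port_t (tcp_socket (name_connect name_bind)))`, or reword it to cover the rule it precedes. Also prefer `e.g.` over `i.e.`, since PostgreSQL is given as one example of such a build job rather than the only one.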
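Review bot: In hunk `@@ -386,6 +388,15 @@` the `postgresql_port_t` rule grants `name_bind` in addition to `name_connect`, while the commit message only describes "connecting to PostgreSQL"; `name_bind` additionally lets any process in `guix_daemon_t` listen on the PostgreSQL port, which is a noticeably wider grant than a client connection. If the build jobs only need to reach a server, `(tcp_socket (name_connect))` is sufficient; if a test suite starts its own server on that port, a comment stating so would document why `name_bind` is kept, e.g. `;; Some test suites bind the PostgreSQL port for a temporary server.`. The `tmpfs_t` and `hugetlbfs_t` grants are limited to `(file (map read write))` on existing files, which looks deliberately narrow; a one-line comment naming the build jobs that need them would make a later audit of these rules easier.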