From 1807632393d0723f3085c457517965c32715717a Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Fri, 27 Nov 2020 19:06:57 +0100
Subject: etc: Add more SELinux permissions for the daemon.

* etc/guix-daemon.cil.in (guix_daemon): Permit more operations required for various build jobs.
---
 etc/guix-daemon.cil.in | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

(limited to 'etc')

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 8ff6716038..cc8999d9a8 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -131,14 +131,16 @@
          (lnk_file (create rename setattr unlink)))
   (allow guix_daemon_t
          tmp_t
-         (file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
+         (file (link
+                rename create execute execute_no_trans write
+                unlink setattr map relabelto relabelfrom)))
   (allow guix_daemon_t
          tmp_t
          (fifo_file (open read write create getattr ioctl setattr unlink)))
   (allow guix_daemon_t
          tmp_t
          (dir (create rename
-               rmdir relabelto
+               rmdir relabelto relabelfrom
                reparent add_name remove_name
                open read write getattr setattr
 
@@ -331,7 +333,7 @@
          (dir (add_name write)))
   (allow guix_daemon_t
          self
-         (netlink_route_socket (bind create getattr nlmsg_read read write)))
+         (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
 
   ;; Socket operations
   (allow guix_daemon_t
@@ -377,7 +379,10 @@
          self
          (unix_dgram_socket (create bind connect sendto read write)))
 
-  ;; For some esoteric build jobs (i.e. PostgreSQL).
+  ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
+  (allow guix_daemon_t
+         self
+         (capability (kill)))
   (allow guix_daemon_t
          node_t
          (tcp_socket (node_bind)))
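Review bot: The new `(capability (kill))` rule in the third hunk is justified only by the generic "esoteric build jobs" comment, and CAP_KILL is not scoped to the daemon's own build children — it lifts the UID check on signal delivery to any process, limited only by whatever `process (signal …)` rules exist outside this hunk. Name the concrete trigger above the rule so the grant can be re-audited and dropped once it is no longer needed, e.g. `;; CAP_KILL: builds that run PostgreSQL need the daemon to signal processes it started under another UID; revisit if that denial stops appearing.` The `(allow guix_daemon_t self (unix_dgram_socket …` form at the top of the hunk begins outside it.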
@@ -389,10 +394,16 @@
          (tcp_socket (name_connect)))
   (allow guix_daemon_t
          tmpfs_t
-         (file (map read write)))
+         (file (map read write link getattr)))
+  (allow guix_daemon_t
+         usermodehelper_t
+         (file (read)))
   (allow guix_daemon_t
          hugetlbfs_t
          (file (map read write)))
+  (allow guix_daemon_t
+         proc_net_t
+         (file (read)))
   (allow guix_daemon_t
          postgresql_port_t
          (tcp_socket (name_connect name_bind)))
-- 
cgit v1.2.3
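Review bot: The two new `(file (read))` rules for `usermodehelper_t` and `proc_net_t` in the last hunk grant `read` but neither `open` nor `getattr`; if the loaded policy has the `open_perms` capability enabled (declared outside this diff), `open(2)` on those files is still denied and the next build produces the same AVC with `open` in it — confirm against the denial that motivated the change. The rules are also uncommented, unlike the PostgreSQL section they sit in, so nothing records which build job reads the usermodehelper knobs (presumably the /proc/sys/kernel entries the reference policy labels with that type) or /proc/net; a one-line comment per rule, e.g. `;; <build job>: reads /proc/net/* (proc_net_t)` with the job filled in, keeps each grant auditable. The `link getattr` addition on tmpfs_t files two rules above deserves the same note.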