etc: Add more SELinux permissions for the daemon.

* etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr, read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to PostgreSQL.
2020-11-26 00:29:53 +01:00 · 2020-11-26 00:29:53 +01:00 · 402ebffe19
parent 9b9c6f2594
commit 402ebffe19
1 changed files with 13 additions and 2 deletions
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@ -264,6 +264,7 @@
                link unlink
                map
                rename
+                append
                open read write relabelfrom)))
  (allow guix_daemon_t
         guix_store_content_t
@ -277,7 +278,7 @@
         (fifo_file (create getattr open read unlink write)))
  (allow guix_daemon_t
         guix_store_content_t
-         (sock_file (create getattr unlink write)))
+         (sock_file (create getattr setattr unlink write)))

  ;; Access to configuration files and directories
  (allow guix_daemon_t
@ -362,7 +363,7 @@
         (tcp_socket (name_bind name_connect accept listen)))
  (allow guix_daemon_t
         self
-         (udp_socket (connect getattr bind getopt setopt)))
+         (udp_socket (connect getattr bind getopt setopt read write)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
@ -376,6 +377,7 @@
         self
         (unix_dgram_socket (create bind connect sendto read write)))

+  ;; For some esoteric build jobs (i.e. PostgreSQL).
  (allow guix_daemon_t
         node_t
         (tcp_socket (node_bind)))
@ -385,6 +387,15 @@
  (allow guix_daemon_t
         port_t
         (tcp_socket (name_connect)))
+  (allow guix_daemon_t
+         tmpfs_t
+         (file (map read write)))
+  (allow guix_daemon_t
+         hugetlbfs_t
+         (file (map read write)))
+  (allow guix_daemon_t
+         postgresql_port_t
+         (tcp_socket (name_connect name_bind)))
  (allow guix_daemon_t
         rtp_media_port_t
         (udp_socket (name_bind)))