From 402ebffe195890c9826cfa7519034dd12a48ae6a Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Thu, 26 Nov 2020 00:29:53 +0100
Subject: [PATCH] etc: Add more SELinux permissions for the daemon.
* etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr, read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to PostgreSQL.
---
 etc/guix-daemon.cil.in | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 0d7945843e..8ff6716038 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -264,6 +264,7 @@
 link unlink map rename
+ append
 open read write relabelfrom)))
 (allow guix_daemon_t guix_store_content_t
@@ -277,7 +278,7 @@
 (fifo_file (create getattr open read unlink write)))
 (allow guix_daemon_t guix_store_content_t
- (sock_file (create getattr unlink write)))
+ (sock_file (create getattr setattr unlink write)))
 ;; Access to configuration files and directories
 (allow guix_daemon_t
@@ -362,7 +363,7 @@
 (tcp_socket (name_bind name_connect accept listen)))
 (allow guix_daemon_t self
- (udp_socket (connect getattr bind getopt setopt)))
+ (udp_socket (connect getattr bind getopt setopt read write)))
 (allow guix_daemon_t self
 (fifo_file (write read)))
@@ -376,6 +377,7 @@
 self
 (unix_dgram_socket (create bind connect sendto read write)))
+ ;; For some esoteric build jobs (i.e. PostgreSQL).
 (allow guix_daemon_t
 node_t
 (tcp_socket (node_bind)))
@@ -385,6 +387,15 @@
 (allow guix_daemon_t
 port_t
 (tcp_socket (name_connect)))
+ (allow guix_daemon_t
+ tmpfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ hugetlbfs_t
+ (file (map read write)))
+ (allow guix_daemon_t
+ postgresql_port_t
+ (tcp_socket (name_connect name_bind)))
 (allow guix_daemon_t
 rtp_media_port_t
 (udp_socket (name_bind)))
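Review bot: The added comment `;; For some esoteric build jobs (i.e. PostgreSQL).` sits above the pre-existing node_t node_bind rule, not next to the postgresql_port_t rule this same patch adds further down, so a reader attaches it to the wrong rule; and `i.e.` states PostgreSQL is the only such job where `e.g.` is presumably meant. Suggest rewording it to cover the whole group of network rules that follow, for example `;; Network access needed by some build jobs (e.g. PostgreSQL).`, or moving it directly above the new postgresql_port_t rule.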
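Review bot: The new tmpfs_t, hugetlbfs_t and postgresql_port_t rules carry no comment saying what requires them, unlike the annotated sections elsewhere in this file; the ChangeLog names PostgreSQL, but a reader of the installed policy never sees it, so a line such as `;; Shared-memory files and the PostgreSQL port, needed by build jobs that run a PostgreSQL instance.` above the first new rule would help. `(file (map read write))` without `open` only covers tmpfs/hugetlbfs descriptors the domain already holds, so if a build is expected to open (or create) such files itself, `open` and `create` will presumably still be denied unless an earlier rule outside this hunk already grants them; worth confirming against the audit denials these rules came from. Granting `name_bind` on postgresql_port_t lets any process in guix_daemon_t, which per the new comment includes build jobs, listen on the host's PostgreSQL port rather than just connect to a build-local server; if builds are not network-isolated this is broader than the ChangeLog's "connecting to PostgreSQL" suggests, and a separate, more restricted domain for build jobs would keep this out of the daemon itself.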