From 4a134ed32e69ba888d988d2ed924a1531a54551b Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Fri, 23 Dec 2022 16:47:11 +0100
Subject: [PATCH] etc: SELinux: Allow daemon to search run state directories.

* etc/guix-daemon.cil.in: Import types init_var_run_t and system_dbusd_var_run_t; add rules.
---
 etc/guix-daemon.cil.in | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index ba100a4535..0245c36231 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,6 @@
 ; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2018 Ricardo Wurmus
+;;; Copyright © 2018, 2022 Ricardo Wurmus
 ;;; Copyright © 2020 Daniel Brooks
 ;;; Copyright © 2020 Marius Bakke
 ;;;
@@ -37,11 +37,13 @@
 (block guix_daemon
 ;; Require existing types
-(typeattributeset cil_gen_require init_t)
-(typeattributeset cil_gen_require tmp_t)
-(typeattributeset cil_gen_require nscd_var_run_t)
-(typeattributeset cil_gen_require var_log_t)
 (typeattributeset cil_gen_require domain)
+(typeattributeset cil_gen_require init_t)
+(typeattributeset cil_gen_require init_var_run_t)
+(typeattributeset cil_gen_require nscd_var_run_t)
+(typeattributeset cil_gen_require system_dbusd_var_run_t)
+(typeattributeset cil_gen_require tmp_t)
+(typeattributeset cil_gen_require var_log_t)
 ;; Declare own types
 (type guix_daemon_t)
@@ -284,6 +286,14 @@
 guix_store_content_t
 (sock_file (create getattr setattr unlink write)))
+;; Access to run state directories
+(allow guix_daemon_t
+system_dbusd_var_run_t
+(dir (search)))
+(allow guix_daemon_t
+init_var_run_t
+(dir (search)))
+
 ;; Access to configuration files and directories
 (allow guix_daemon_t
 guix_daemon_conf_t
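Review bot: The two new `allow` rules in the last hunk grant `dir search` on `init_var_run_t` and `system_dbusd_var_run_t` without recording which path the daemon actually needs to traverse, so the least-privilege rationale is lost for the next person auditing this policy. If the purpose is to reach the nscd socket, the `init_var_run_t` rule is plausibly just the parent-directory traversal of /run, but `search` on the D-Bus run directory with no accompanying `sock_file` or `connectto` permission looks like either an incidental probe that would be better expressed as `dontaudit` than `allow`, or an incomplete rule set that will surface as further denials. I would extend the comment to name the target, e.g. `;; Search on /run (init_var_run_t) and /run/dbus (system_dbusd_var_run_t) so the daemon can reach <socket path - confirm from the audit log>`, and keep only the rule the recorded denial justifies. The enclosing `(block guix_daemon ...)` starts and ends outside the hunk.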