02/02: etc: Add more SELinux permissions for the daemon.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: etc: Add more SELinux permissions for the daemon.

From:	guix-commits
Subject:	02/02: etc: Add more SELinux permissions for the daemon.
Date:	Wed, 25 Nov 2020 18:33:37 -0500 (EST)

mbakke pushed a commit to branch master
in repository guix.

commit 402ebffe195890c9826cfa7519034dd12a48ae6a
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Thu Nov 26 00:29:53 2020 +0100

    etc: Add more SELinux permissions for the daemon.
    
    * etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr,
    read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to
    PostgreSQL.
---
 etc/guix-daemon.cil.in | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 0d79458..8ff6716 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -264,6 +264,7 @@
                 link unlink
                 map
                 rename
+                append
                 open read write relabelfrom)))
   (allow guix_daemon_t
          guix_store_content_t
@@ -277,7 +278,7 @@
          (fifo_file (create getattr open read unlink write)))
   (allow guix_daemon_t
          guix_store_content_t
-         (sock_file (create getattr unlink write)))
+         (sock_file (create getattr setattr unlink write)))
 
   ;; Access to configuration files and directories
   (allow guix_daemon_t
@@ -362,7 +363,7 @@
          (tcp_socket (name_bind name_connect accept listen)))
   (allow guix_daemon_t
          self
-         (udp_socket (connect getattr bind getopt setopt)))
+         (udp_socket (connect getattr bind getopt setopt read write)))
   (allow guix_daemon_t
          self
          (fifo_file (write read)))
@@ -376,6 +377,7 @@
          self
          (unix_dgram_socket (create bind connect sendto read write)))
 
+  ;; For some esoteric build jobs (i.e. PostgreSQL).
   (allow guix_daemon_t
          node_t
          (tcp_socket (node_bind)))
@@ -386,6 +388,15 @@
          port_t
          (tcp_socket (name_connect)))
   (allow guix_daemon_t
+         tmpfs_t
+         (file (map read write)))
+  (allow guix_daemon_t
+         hugetlbfs_t
+         (file (map read write)))
+  (allow guix_daemon_t
+         postgresql_port_t
+         (tcp_socket (name_connect name_bind)))
+  (allow guix_daemon_t
          rtp_media_port_t
          (udp_socket (name_bind)))
   (allow guix_daemon_t

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (ae90212 -> 402ebff), guix-commits, 2020/11/25
- 01/02: gnu: xf86-video-intel: Update to 2.99.917-17.ad5540f., guix-commits, 2020/11/25
- 02/02: etc: Add more SELinux permissions for the daemon., guix-commits <=

Prev by Date: 01/02: gnu: xf86-video-intel: Update to 2.99.917-17.ad5540f.
Next by Date: branch master updated (402ebff -> 6a5da0d)
Previous by thread: 01/02: gnu: xf86-video-intel: Update to 2.99.917-17.ad5540f.
Next by thread: branch master updated (402ebff -> 6a5da0d)
Index(es):
- Date
- Thread