01/02: etc: Add more SELinux permissions for the daemon.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/02: etc: Add more SELinux permissions for the daemon.

From:	guix-commits
Subject:	01/02: etc: Add more SELinux permissions for the daemon.
Date:	Fri, 27 Nov 2020 15:35:27 -0500 (EST)

mbakke pushed a commit to branch master
in repository guix.

commit 1807632393d0723f3085c457517965c32715717a
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Fri Nov 27 19:06:57 2020 +0100

    etc: Add more SELinux permissions for the daemon.
    
    * etc/guix-daemon.cil.in (guix_daemon): Permit more operations required for
    various build jobs.
---
 etc/guix-daemon.cil.in | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 8ff6716..cc8999d 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -131,14 +131,16 @@
          (lnk_file (create rename setattr unlink)))
   (allow guix_daemon_t
          tmp_t
-         (file (link rename create execute execute_no_trans write unlink 
setattr map relabelto)))
+         (file (link
+                rename create execute execute_no_trans write
+                unlink setattr map relabelto relabelfrom)))
   (allow guix_daemon_t
          tmp_t
          (fifo_file (open read write create getattr ioctl setattr unlink)))
   (allow guix_daemon_t
          tmp_t
          (dir (create rename
-               rmdir relabelto
+               rmdir relabelto relabelfrom reparent
                add_name remove_name
                open read write
                getattr setattr
@@ -331,7 +333,7 @@
          (dir (add_name write)))
   (allow guix_daemon_t
          self
-         (netlink_route_socket (bind create getattr nlmsg_read read write)))
+         (netlink_route_socket (bind create getattr nlmsg_read read write 
getopt)))
 
   ;; Socket operations
   (allow guix_daemon_t
@@ -377,7 +379,10 @@
          self
          (unix_dgram_socket (create bind connect sendto read write)))
 
-  ;; For some esoteric build jobs (i.e. PostgreSQL).
+  ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
+  (allow guix_daemon_t
+         self
+         (capability (kill)))
   (allow guix_daemon_t
          node_t
          (tcp_socket (node_bind)))
@@ -389,11 +394,17 @@
          (tcp_socket (name_connect)))
   (allow guix_daemon_t
          tmpfs_t
-         (file (map read write)))
+         (file (map read write link getattr)))
+  (allow guix_daemon_t
+         usermodehelper_t
+         (file (read)))
   (allow guix_daemon_t
          hugetlbfs_t
          (file (map read write)))
   (allow guix_daemon_t
+         proc_net_t
+         (file (read)))
+  (allow guix_daemon_t
          postgresql_port_t
          (tcp_socket (name_connect name_bind)))
   (allow guix_daemon_t

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (f43e746 -> 3bbe280), guix-commits, 2020/11/27
- 02/02: gnu: alacritty: Embed absolute references to required libraries., guix-commits, 2020/11/27
- 01/02: etc: Add more SELinux permissions for the daemon., guix-commits <=

Prev by Date: 02/02: gnu: alacritty: Embed absolute references to required libraries.
Next by Date: branch master updated (f43e746 -> 3bbe280)
Previous by thread: 02/02: gnu: alacritty: Embed absolute references to required libraries.
Next by thread: branch master updated: gnu: fet: Update to 5.48.0.
Index(es):
- Date
- Thread