etc: SELinux: Add missing permissions.

With the changes in this commit, I can use "guix pull" and "guix install <package>" successfully and without generating SELinux denial erros in the system log. * etc/guix-daemon.cil.in: Add missing rules for guix pull/guix install. Change-Id: I40b5ed2c458b275804bc073fb72286947ecb0283 Signed-off-by: Rutherther <rutherther@ditigal.xyz>
2026-04-06 13:10:33 +02:00 · 2025-12-08 00:12:09 -03:00
parent 1850ff7a3f
commit 1b59b93602
1 changed files with 6 additions and 2 deletions
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -175,6 +175,10 @@
         (file (execute
                execute_no_trans read write open entrypoint map
                getattr link unlink)))
+  ;; Needed to execute the 'newgidmap' helper.
+  (allow guix_daemon_t
+         bin_t
+         (file (execute execute_no_trans map)))

  ;; Remounting /gnu/store read-write.
  (allow guix_daemon_t
@@ -322,7 +326,7 @@
                map
                getattr setattr
                unlink
-                open read write)))
+                open read write append)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink read)))
@@ -367,7 +371,7 @@
  ;; Allow use of user namespaces
  (allow guix_daemon_t
         self
-         (cap_userns (sys_admin net_admin sys_chroot)))
+         (cap_userns (setgid sys_admin net_admin sys_chroot)))
  (allow guix_daemon_t
         self
         (user_namespace (create)))