etc: Update SELinux rule file to support unprivileged daemon.

Fixes: #3576. * etc/guix-daemon.cil.in: Add rules for unprivileged daemon. Change-Id: Ic0c561036230d397f7071daef33ca8181684d014 Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2026-04-06 13:10:33 +02:00 · 2025-11-29 17:58:54 +01:00
parent f29cd8868e
commit bd2edc9e43
1 changed files with 11 additions and 0 deletions
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -185,6 +185,9 @@
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
+  (allow init_t
+         guix_daemon.guix_store_content_t
+         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
@@ -361,6 +364,14 @@
         self
         (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))

+  ;; Allow use of user namespaces
+  (allow guix_daemon_t
+         self
+         (cap_userns (sys_admin net_admin sys_chroot)))
+  (allow guix_daemon_t
+         self
+         (user_namespace (create)))
+
  ;; Socket operations
  (allow guix_daemon_t
         guix_daemon_socket_t