[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/02: etc: Add more SELinux permissions for the daemon.
From: |
guix-commits |
Subject: |
01/02: etc: Add more SELinux permissions for the daemon. |
Date: |
Fri, 27 Nov 2020 15:35:27 -0500 (EST) |
mbakke pushed a commit to branch master
in repository guix.
commit 1807632393d0723f3085c457517965c32715717a
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Fri Nov 27 19:06:57 2020 +0100
etc: Add more SELinux permissions for the daemon.
* etc/guix-daemon.cil.in (guix_daemon): Permit more operations required for
various build jobs.
---
etc/guix-daemon.cil.in | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 8ff6716..cc8999d 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -131,14 +131,16 @@
(lnk_file (create rename setattr unlink)))
(allow guix_daemon_t
tmp_t
- (file (link rename create execute execute_no_trans write unlink
setattr map relabelto)))
+ (file (link
+ rename create execute execute_no_trans write
+ unlink setattr map relabelto relabelfrom)))
(allow guix_daemon_t
tmp_t
(fifo_file (open read write create getattr ioctl setattr unlink)))
(allow guix_daemon_t
tmp_t
(dir (create rename
- rmdir relabelto
+ rmdir relabelto relabelfrom reparent
add_name remove_name
open read write
getattr setattr
@@ -331,7 +333,7 @@
(dir (add_name write)))
(allow guix_daemon_t
self
- (netlink_route_socket (bind create getattr nlmsg_read read write)))
+ (netlink_route_socket (bind create getattr nlmsg_read read write
getopt)))
;; Socket operations
(allow guix_daemon_t
@@ -377,7 +379,10 @@
self
(unix_dgram_socket (create bind connect sendto read write)))
- ;; For some esoteric build jobs (i.e. PostgreSQL).
+ ;; For some esoteric build jobs (i.e. running PostgreSQL, etc).
+ (allow guix_daemon_t
+ self
+ (capability (kill)))
(allow guix_daemon_t
node_t
(tcp_socket (node_bind)))
@@ -389,11 +394,17 @@
(tcp_socket (name_connect)))
(allow guix_daemon_t
tmpfs_t
- (file (map read write)))
+ (file (map read write link getattr)))
+ (allow guix_daemon_t
+ usermodehelper_t
+ (file (read)))
(allow guix_daemon_t
hugetlbfs_t
(file (map read write)))
(allow guix_daemon_t
+ proc_net_t
+ (file (read)))
+ (allow guix_daemon_t
postgresql_port_t
(tcp_socket (name_connect name_bind)))
(allow guix_daemon_t