guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 1b59b93602d034d75882b0ca076a732cd1865d98
Author: Thiago Jung Bauermann <[email protected]>
AuthorDate: Mon Dec 8 00:12:09 2025 -0300

    etc: SELinux: Add missing permissions.
    
    With the changes in this commit, I can use "guix pull" and
    "guix install <package>" successfully and without generating SELinux
    denial errors in the system log.
    
    * etc/guix-daemon.cil.in: Add missing rules for guix pull/guix install.
    
    Change-Id: I40b5ed2c458b275804bc073fb72286947ecb0283
    Signed-off-by: Rutherther <[email protected]>
---
 etc/guix-daemon.cil.in | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e79236571b..0a0e4927ad 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -175,6 +175,10 @@
          (file (execute
                 execute_no_trans read write open entrypoint map
                 getattr link unlink)))
+  ;; Needed to execute the 'newgidmap' helper.
+  (allow guix_daemon_t
+         bin_t
+         (file (execute execute_no_trans map)))
 
   ;; Remounting /gnu/store read-write.
   (allow guix_daemon_t
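Review bot: The new rule at lines 31-33 is wider than its comment states: `bin_t` is the label carried by most system executables, so this lets guix_daemon_t run any bin_t file in its own domain (execute_no_trans), not only newgidmap. If only that helper is needed, a dedicated file type for it (if the policy can label it distinctly) would keep the daemon's executable set minimal; otherwise the comment should say what the rule actually grants, e.g. `;; Needed to execute the 'newgidmap' helper. Note this permits running any bin_t executable in the daemon's own domain.`. Since newgidmap is typically installed setuid root, running it without a domain transition means it executes with guix_daemon_t's permissions, which is worth stating so a later reader does not assume the rule is scoped to one binary.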
@@ -322,7 +326,7 @@
                 map
                 getattr setattr
                 unlink
-                open read write)))
+                open read write append)))
   (allow guix_daemon_t
          guix_daemon_conf_t
          (lnk_file (create getattr rename unlink read)))
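Review bot: The `append` permission added at line 42 belongs to an allow rule whose target type and opening line lie outside the hunk, so it is not visible here which file type becomes appendable. SELinux checks `append` instead of `write` when a file is opened with O_APPEND, so the addition presumably covers a file opened that way during guix pull/install; a short comment naming the operation would make the rule easier to audit, e.g. `;; 'append' covers files the daemon opens with O_APPEND.`, adjusted to what the denial log actually showed.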
@@ -367,7 +371,7 @@
   ;; Allow use of user namespaces
   (allow guix_daemon_t
          self
-         (cap_userns (sys_admin net_admin sys_chroot)))
+         (cap_userns (setgid sys_admin net_admin sys_chroot)))
   (allow guix_daemon_t
          self
          (user_namespace (create)))
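Review bot: The comment `;; Allow use of user namespaces` above line 51 no longer describes the full rule: it now also grants CAP_SETGID inside the user namespaces the daemon creates. The commit message ties this to guix pull/install but not to a specific operation; given the newgidmap rule in the first hunk it appears related to setting up the GID mapping of the build namespace, which would be worth recording, e.g. `;; Allow use of user namespaces; setgid is needed to set up the GID mapping of the build user namespace.`, if that is indeed what the denial log showed.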
