guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 53808b13b8c91826a0871bf49a9957b8228c4086
Author: Thiago Jung Bauermann <[email protected]>
AuthorDate: Mon Dec 8 01:35:05 2025 -0300

    etc: SELinux: Add permissions to allow garbage collection.
    
    There may be an improvement to be made to guix-daemon to avoid some
    spurious denial audit messages, as described in the FIXME.
    
    * etc/guix-daemon.cil.in: Add missing rules for guix gc.
    
    Change-Id: I3651c4523528649048c7135fabd3000c8e78b1ff
    Signed-off-by: Rutherther <[email protected]>
---
 etc/guix-daemon.cil.in | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index 0a0e4927ad..5231893bf2 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -455,6 +455,27 @@
          vnc_port_t
          (tcp_socket (name_bind)))
 
+  ;; 'guix gc' needs to go through /proc entries for all processes that are
+  ;; running.  Strictly speaking, it means guix-daemon needs access to all
+  ;; process types in the SELinux policy.  In practice, only processes from
+  ;; programs in the /gnu/store are relevant for finding roots for garbage
+  ;; collection.  Since Guix currently doesn't install any SELinux policy for
+  ;; its packages, we can assume that all the processes it needs to access run
+  ;; as unconfined_t.
+  ;;
+  ;; FIXME: This doesn't stop 'guix gc' from generating a lot of unnecessary
+  ;; AVC denied audit messages.  Perhaps guix-daemon could test whether it has
+  ;; access to the proc entry before trying to access it?
+  (allow guix_daemon_t
+         unconfined_t
+         (dir (search)))
+  (allow guix_daemon_t
+         unconfined_t
+         (file (read)))
+  (allow guix_daemon_t
+         unconfined_t
+         (lnk_file (read)))
+
   ;; I guess sometimes it needs random numbers
   (allow guix_daemon_t
          random_device_t
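Review bot: the three new `allow` rules are keyed on the type `unconfined_t`, so they grant `guix_daemon_t` search/read on every directory, file and symlink carrying that label, not only the `/proc/<pid>` entries of unconfined processes that the comment describes; since `/proc/<pid>` entries inherit the process domain, that is how the rules take effect, but the comment should say so explicitly so a reader does not assume the rules are scoped to `/proc`. On the FIXME: a policy-side alternative to changing guix-daemon is a CIL `dontaudit` rule for the process domains that still trigger the spurious AVC denials when `guix gc` walks `/proc`, which silences the audit noise without granting access; worth mentioning in the comment as the other option.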