From 1b59b93602d034d75882b0ca076a732cd1865d98 Mon Sep 17 00:00:00 2001
From: Thiago Jung Bauermann
Date: Mon, 8 Dec 2025 00:12:09 -0300
Subject: [PATCH] etc: SELinux: Add missing permissions.

With the changes in this commit, I can use "guix pull" and "guix install " successfully and without generating SELinux denial erros in the system log.

* etc/guix-daemon.cil.in: Add missing rules for guix pull/guix install.

Change-Id: I40b5ed2c458b275804bc073fb72286947ecb0283
Signed-off-by: Rutherther
---
 etc/guix-daemon.cil.in | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index e79236571bd..0a0e4927ad8 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -175,6 +175,10 @@
 (file (execute execute_no_trans read write open entrypoint map getattr link unlink)))
+ ;; Needed to execute the 'newgidmap' helper.
+ (allow guix_daemon_t
+ bin_t
+ (file (execute execute_no_trans map)))
 ;; Remounting /gnu/store read-write.
 (allow guix_daemon_t
@@ -322,7 +326,7 @@
 map getattr setattr unlink
- open read write)))
+ open read write append)))
 (allow guix_daemon_t guix_daemon_conf_t (lnk_file (create getattr rename unlink read)))
@@ -367,7 +371,7 @@
 ;; Allow use of user namespaces
 (allow guix_daemon_t
 self
- (cap_userns (sys_admin net_admin sys_chroot)))
+ (cap_userns (setgid sys_admin net_admin sys_chroot)))
 (allow guix_daemon_t
 self
 (user_namespace (create)))
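Review bot: The new `(allow guix_daemon_t bin_t (file (execute execute_no_trans map)))` rule in the first hunk is wider than its comment states: it lets the daemon run every `bin_t`-labelled executable in its own domain, not only newgidmap. If the base policy provides a narrower type for the newuidmap/newgidmap helpers, or the helper can be given a dedicated file context in this file, that would express the intent exactly; otherwise the comment should record the trade-off, e.g. `;; Needed to execute the 'newgidmap' helper.  No narrower type is available, so this covers every bin_t executable.` The rule also omits `read getattr open`, which an exec normally needs next to `execute`; since the commit reports no denials these are presumably granted on `bin_t` elsewhere in the file, and the comment could name that rule. Because `execute_no_trans` keeps the helper in `guix_daemon_t`, the `cap_userns setgid` added in the last hunk is presumably what lets the helper do its GID-mapping work, so the two additions should cross-reference each other.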
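Review bot: The `append` permission added to the `guix_daemon_conf_t` file rule in the second hunk is not explained anywhere: neither the hunk nor the commit description says which file of that type the daemon now opens for append (the description only says "guix pull/guix install"). A short comment on the rule, or a sentence in the ChangeLog entry naming the file, would let a later reviewer judge whether `append` is still needed when that code path changes. The enclosing `allow` form begins before this hunk.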
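Review bot: The comment `;; Allow use of user namespaces` above the changed rule in the third hunk no longer describes the permission set once `setgid` joins `cap_userns`. A one-line extension makes the reason visible, e.g. `;; Allow use of user namespaces; setgid (inside the user namespace) is needed to set up GID mappings.` — confirm that this is indeed the reason, the commit only says "guix pull/guix install". It is worth stating in that comment that the grant is on `cap_userns`, which covers capability checks made inside a user namespace rather than the initial one, so nobody later widens it to `(capability (setgid))` without cause. If the addition exists to serve the newgidmap rule from the first hunk, the comment should say so.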