From 53808b13b8c91826a0871bf49a9957b8228c4086 Mon Sep 17 00:00:00 2001 From: Thiago Jung Bauermann Date: Mon, 8 Dec 2025 01:35:05 -0300 Subject: [PATCH] etc: SELinux: Add permissions to allow garbage collection. There may be an improvement to be made to guix-daemon to avoid some spurious denial audit messages, as described in the FIXME. * etc/guix-daemon.cil.in: Add missing rules for guix gc. Change-Id: I3651c4523528649048c7135fabd3000c8e78b1ff Signed-off-by: Rutherther --- etc/guix-daemon.cil.in | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in index 0a0e4927ad8..5231893bf2b 100644 --- a/etc/guix-daemon.cil.in +++ b/etc/guix-daemon.cil.in @@ -455,6 +455,27 @@ vnc_port_t (tcp_socket (name_bind))) + ;; 'guix gc' needs to go through /proc entries for all processes that are + ;; running. Strictly speaking, it means guix-daemon needs access to all + ;; process types in the SELinux policy. In practice, only processes from + ;; programs in the /gnu/store are relevant for finding roots for garbage + ;; collection. Since Guix currently doesn't install any SELinux policy for + ;; its packages, we can assume that all the processes it needs to access run + ;; as unconfined_t. + ;; + ;; FIXME: This doesn't stop 'guix gc' from generating a lot of unnecessary + ;; AVC denied audit messages. Perhaps guix-daemon could test whether it has + ;; access to the proc entry before trying to access it? + (allow guix_daemon_t + unconfined_t + (dir (search))) + (allow guix_daemon_t + unconfined_t + (file (read))) + (allow guix_daemon_t + unconfined_t + (lnk_file (read))) + ;; I guess sometimes it needs random numbers (allow guix_daemon_t random_device_t
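Review bot: The three new allow rules grant guix_daemon_t search/read on every dir, file and lnk_file labelled unconfined_t, while the comment above them only justifies access to /proc entries; since /proc/<pid> objects carry the process domain type, the comment should state explicitly that unconfined_t is used here as the label of /proc/<pid> entries, so a later reader does not take it as a blanket file grant. The FIXME can also be addressed within the policy rather than in guix-daemon: a `dontaudit` rule for the other process domains whose /proc entries 'guix gc' walks (e.g. on the `domain` attribute, with the same `(dir (search))` and `(file (read))` classes) would silence the spurious AVC denials without widening the allowed access, which is the usual SELinux idiom for a scanner that legitimately touches everything under /proc.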