etc: SELinux: Add permissions to allow garbage collection.

There may be an improvement to be made to guix-daemon to avoid some spurious denial audit messages, as described in the FIXME. * etc/guix-daemon.cil.in: Add missing rules for guix gc. Change-Id: I3651c4523528649048c7135fabd3000c8e78b1ff Signed-off-by: Rutherther <rutherther@ditigal.xyz>
2026-01-25 03:55:08 -06:00 · 2025-12-08 01:35:05 -03:00 · 2025-12-08 01:35:05 -03:00 · 53808b13b8
commit 53808b13b8
parent 1b59b93602
1 changed files with 21 additions and 0 deletions
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@ -455,6 +455,27 @@
         vnc_port_t
         (tcp_socket (name_bind)))

+  ;; 'guix gc' needs to go through /proc entries for all processes that are
+  ;; running.  Strictly speaking, it means guix-daemon needs access to all
+  ;; process types in the SELinux policy.  In practice, only processes from
+  ;; programs in the /gnu/store are relevant for finding roots for garbage
+  ;; collection.  Since Guix currently doesn't install any SELinux policy for
+  ;; its packages, we can assume that all the processes it needs to access run
+  ;; as unconfined_t.
+  ;;
+  ;; FIXME: This doesn't stop 'guix gc' from generating a lot of unnecessary
+  ;; AVC denied audit messages.  Perhaps guix-daemon could test whether it has
+  ;; access to the proc entry before trying to access it?
+  (allow guix_daemon_t
+         unconfined_t
+         (dir (search)))
+  (allow guix_daemon_t
+         unconfined_t
+         (file (read)))
+  (allow guix_daemon_t
+         unconfined_t
+         (lnk_file (read)))
+
  ;; I guess sometimes it needs random numbers
  (allow guix_daemon_t
         random_device_t