From bd2edc9e435402b48fd201b56ab486151512717a Mon Sep 17 00:00:00 2001
From: Rutherther
Date: Sat, 29 Nov 2025 17:58:54 +0100
Subject: [PATCH] etc: Update SELinux rule file to support unprivileged daemon.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: #3576.

* etc/guix-daemon.cil.in: Add rules for unprivileged daemon.

Change-Id: Ic0c561036230d397f7071daef33ca8181684d014
Signed-off-by: Ludovic Courtès
---
 etc/guix-daemon.cil.in | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index b221e310942..e79236571bd 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -185,6 +185,9 @@
     (allow guix_daemon_t root_t
            (dir (mounton)))
+    (allow init_t
+           guix_daemon.guix_store_content_t
+           (dir (mounton)))
     (allow guix_daemon_t fs_t
            (filesystem (getattr)))
@@ -361,6 +364,14 @@
            self
            (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
+    ;; Allow use of user namespaces
+    (allow guix_daemon_t
+           self
+           (cap_userns (sys_admin net_admin sys_chroot)))
+    (allow guix_daemon_t
+           self
+           (user_namespace (create)))
+
     ;; Socket operations
     (allow guix_daemon_t guix_daemon_socket_t
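Review bot: The new `(allow init_t guix_daemon.guix_store_content_t (dir (mounton)))` rule in the first hunk grants a subject domain other than guix_daemon_t a permission on store content, yet it carries no comment saying why init_t needs it, while the user-namespace rules in the second hunk do get a `;; Allow use of user namespaces` comment. Presumably the mount over the store is now performed by the service manager rather than by the daemon when it runs unprivileged, but the diff does not state that anywhere. A comment such as `;; Allow init to mount on the store (needed when the daemon runs unprivileged)` placed above the rule would tell a policy reviewer which mount this covers and make it easier to confirm that no broader init_t access to the store is being opened than that one mounton.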