There may be an improvement to be made to guix-daemon to avoid some
spurious denial audit messages, as described in the FIXME.
* etc/guix-daemon.cil.in: Add missing rules for guix gc.
Change-Id: I3651c4523528649048c7135fabd3000c8e78b1ff
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

With the changes in this commit, I can use "guix pull" and
"guix install <package>" successfully and without generating SELinux
denial errors in the system log.
* etc/guix-daemon.cil.in: Add missing rules for guix pull/guix install.
Change-Id: I40b5ed2c458b275804bc073fb72286947ecb0283
Signed-off-by: Rutherther <rutherther@ditigal.xyz>

Tested on Rocky Linux 9, as discussed
at <https://issues.guix.gnu.org/62487>.
* etc/guix-daemon.cil.in: Add rules for /gnu/store remount and file
creation in /tmp.
* etc/guix-daemon.cil.in (guix_daemon): Permit file appending, setattr,
read/write UDP sockets, access to tmpfs and hugetlbfs, and connecting to
PostgreSQL.
* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.
I can't promise that this is a complete list of everything that guix-daemon
needs, but it's probably most of them. It can search for, install, upgrade,
and remove packages, create virtual machines and containers, update itself,
and so on.
Signed-off-by: Marius Bakke <marius@gnu.org>
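Every commit above follows the same workflow: run the daemon under the policy, collect the AVC denials it triggers, and turn them into access-vector rules in guix-daemon.cil.in (or, where a denial is judged spurious as in the FIXME, silence it rather than permit it). The script below is an added editor example of that workflow, not code from the Guix project: it parses constructed AVC denial lines, merges repeated denials per (source type, target type, class) so that the candidate rule set stays minimal, and renders them in CIL syntax. The type names `guix_daemon_t`, `guix_store_content_t` and `var_log_t`, and all pids, inodes and timestamps in the sample, are assumptions for illustration only; the generated rules are candidates for human review, not something to load unread.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt. Type names, pids, inodes and timestamps are
# assumed for this example; they are not taken from the Guix policy or from
# any real system. The final USER_LOGIN record shows that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { append } for  pid=1234 comm="guix-daemon" name="log" dev="dm-0" ino=789 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { setattr } for  pid=1234 comm="guix-daemon" name="store" dev="dm-0" ino=790 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:guix_store_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { read write } for  pid=1235 comm="guix-daemon" scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:system_r:guix_daemon_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1700000000.126:459): avc:  denied  { append } for  pid=1234 comm="guix-daemon" name="log" dev="dm-0" ino=789 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=USER_LOGIN msg=audit(1700000000.200:460): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='op=login'
"""

# Matches the permission set, source/target contexts and object class of one
# AVC denial record; other audit record types do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_denials(log_text):
    """Return (source_type, target_type, tclass, perms) for each AVC denial
    line in log_text; records that are not AVC denials are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((
            context_type(m["scontext"]),
            context_type(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
        ))
    return denials


def aggregate(denials):
    """Merge permissions per (source, target, class) so that repeated denials
    of the same kind collapse into a single candidate rule."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        merged[(src, tgt, tclass)] |= perms
    return merged


def to_cil(merged, kind="allow"):
    """Render merged denials as CIL access-vector rules, sorted for stable
    diffs. kind='dontaudit' silences a denial instead of permitting it, which
    is the right choice for denials judged spurious."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError(f"unsupported rule kind: {kind!r}")
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        rules.append(f"({kind} {src} {tgt} ({tclass} ({' '.join(sorted(perms))})))")
    return rules


def cil_rules_from_log(log_text, kind="allow"):
    """Full pipeline: audit log text -> list of candidate CIL rules."""
    return to_cil(aggregate(parse_denials(log_text)), kind)


if __name__ == "__main__":
    for rule in cil_rules_from_log(SAMPLE_AUDIT_LOG):
        print(rule)
```

Fed the four constructed denials, the script emits three rules (the duplicated `append` denial collapses into one). Each rule is then checked against what the daemon actually needs before it goes into the policy file: for a denial like the store `setattr` here, a reviewer would ask whether the operation is legitimate daemon behaviour or a sign that the policy is being asked to grant more than least privilege requires.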