guix-commits

02/07: etc: SELinux: Allow daemon to search run state directories.


From: guix-commits
Subject: 02/07: etc: SELinux: Allow daemon to search run state directories.
Date: Fri, 23 Dec 2022 14:22:36 -0500 (EST)

rekado pushed a commit to branch master
in repository guix.

commit 4a134ed32e69ba888d988d2ed924a1531a54551b
Author: Ricardo Wurmus <rekado@elephly.net>
AuthorDate: Fri Dec 23 16:47:11 2022 +0100

    etc: SELinux: Allow daemon to search run state directories.
    
    * etc/guix-daemon.cil.in: Import types init_var_run_t and
    system_dbusd_var_run_t; add rules.
---
 etc/guix-daemon.cil.in | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index ba100a4535..0245c36231 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -1,6 +1,6 @@
 ; -*- lisp -*-
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2018, 2022 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
 ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;;
@@ -37,11 +37,13 @@
 
 (block guix_daemon
   ;; Require existing types
+  (typeattributeset cil_gen_require domain)
   (typeattributeset cil_gen_require init_t)
-  (typeattributeset cil_gen_require tmp_t)
+  (typeattributeset cil_gen_require init_var_run_t)
   (typeattributeset cil_gen_require nscd_var_run_t)
+  (typeattributeset cil_gen_require system_dbusd_var_run_t)
+  (typeattributeset cil_gen_require tmp_t)
   (typeattributeset cil_gen_require var_log_t)
-  (typeattributeset cil_gen_require domain)
 
   ;; Declare own types
   (type guix_daemon_t)
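Review bot: the hunk does more than the changelog entry says: besides importing init_var_run_t and system_dbusd_var_run_t, it moves the existing `domain` and `tmp_t` requires so the list is alphabetical. That is harmless for CIL (require order has no semantic effect), but the commit message should mention the reordering so a later reader of `git blame` is not left wondering why `domain` and `tmp_t` changed in a commit about run state directories.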
@@ -284,6 +286,14 @@
          guix_store_content_t
          (sock_file (create getattr setattr unlink write)))
 
+  ;; Access to run state directories
+  (allow guix_daemon_t
+         system_dbusd_var_run_t
+         (dir (search)))
+  (allow guix_daemon_t
+         init_var_run_t
+         (dir (search)))
+
   ;; Access to configuration files and directories
   (allow guix_daemon_t
          guix_daemon_conf_t
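Review bot: the new rules grant only `search` on `dir` for system_dbusd_var_run_t and init_var_run_t, which is the minimal permission for traversing a directory on the way to something inside it, but neither the `;; Access to run state directories` comment nor the commit message records which path under /run the daemon actually walks or what denial prompted the change. Noting the path (or the AVC message) next to the rules would let a future maintainer judge whether `search` alone stays sufficient or whether a more specific type should be required instead of the broad init_var_run_t.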