From 3bf612eaa13cc39caab64567660b8a02d206d19a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Thu, 25 May 2023 11:37:35 +0200
Subject: [PATCH] etc: SELinux: Update policy file.

Tested on Rocky Linux 9, as discussed at .
* etc/guix-daemon.cil.in: Add rules for /gnu/store remount and file creation in /tmp.
---
 etc/guix-daemon.cil.in | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index f55ef226c1..b221e31094 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -176,6 +176,11 @@ execute_no_trans read write open entrypoint map getattr link unlink)))
+ ;; Remounting /gnu/store read-write.
+ (allow guix_daemon_t
+ fs_t
+ (filesystem (remount)))
+
 ;; TODO: unknown
 (allow guix_daemon_t root_t
@@ -223,6 +228,9 @@ (allow guix_daemon_t tmpfs_t (file (create open read unlink write)))
+ (allow guix_daemon_t ;same as above, but with tmp_t
+ tmp_t
+ (file (create open read unlink write)))
 (allow guix_daemon_t tmpfs_t (dir (getattr add_name remove_name write)))
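Review bot: The comment `;; Remounting /gnu/store read-write.` describes a narrower grant than the rule below it makes: `fs_t` is the generic type carried by any filesystem without a more specific label, and the `filesystem` class cannot be scoped to a mount point, so `(allow guix_daemon_t fs_t (filesystem (remount)))` lets the daemon remount every fs_t-labelled filesystem, not only the one holding /gnu/store. That breadth is inherent to the class, but a reader of the policy should not have to discover it; the comment should say so, e.g. `;; Remount /gnu/store read-write.  fs_t is the generic filesystem type, so this also permits remounting any other generically labelled filesystem.` The enclosing CIL block starts before and continues after the hunk.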
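Review bot: The new tmp_t rule grants only `file` permissions, yet creating or unlinking a file in a tmp_t directory also requires `dir` permissions on that directory (at minimum `write add_name` for create and `write remove_name` for unlink), which the hunk does not add for tmp_t; unless a rule outside the hunk already grants them, "file creation in /tmp" from the commit message will still be denied in enforcing mode. The tmpfs_t counterpart immediately below the insertion has `(dir (getattr add_name remove_name write))`, so a matching `(allow guix_daemon_t tmp_t (dir (getattr add_name remove_name write)))` would be consistent with the existing pair. Style: the inline `;same as above, but with tmp_t` comment sits between the operands of the form, while the file's other comments are `;;` lines above the rule, so `;; Same as above, but for tmp_t (files in /tmp).` on the line before `(allow guix_daemon_t` would match the surrounding style.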