etc: teams: Add scope support.

[jackhill/guix/guix.git] / etc / guix-daemon.cil.in

diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index cc8999d..f4767ff 100644 (file)
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -167,7 +167,9 @@
          (process (fork execmem setrlimit setpgid setsched)))
   (allow guix_daemon_t
          guix_daemon_exec_t
-         (file (execute execute_no_trans read open entrypoint map)))
+         (file (execute
+                execute_no_trans read write open entrypoint map
+                getattr link unlink)))
 
   ;; TODO: unknown
   (allow guix_daemon_t
@@ -299,7 +301,7 @@
                 open read write)))
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (lnk_file (create getattr rename unlink)))
+         (lnk_file (create getattr rename unlink read)))
   (allow guix_daemon_t net_conf_t
          (file (getattr open read)))
   (allow guix_daemon_t net_conf_t
@@ -326,6 +328,9 @@
   (allow guix_daemon_t
          cache_home_t
          (dir (search)))
+  (allow guix_daemon_t
+         cache_home_t
+         (lnk_file (getattr read)))
 
   ;; self upgrades
   (allow guix_daemon_t
@@ -338,7 +343,7 @@
   ;; Socket operations
   (allow guix_daemon_t
          guix_daemon_socket_t
-         (sock_file (unlink)))
+         (sock_file (unlink write)))
   (allow guix_daemon_t
          init_t
          (fd (use)))
@@ -350,7 +355,7 @@
          (unix_stream_socket (listen)))
   (allow guix_daemon_t
          guix_daemon_conf_t
-         (sock_file (create unlink)))
+         (sock_file (create unlink write)))
   (allow guix_daemon_t
          self
          (unix_stream_socket (create