Alex Vong <alexvong1...@gmail.com> writes:

>> No, the script won’t install the SELinux policy.  It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora use different
> base policy, right?

I don’t know much about SELinux on Debian, I’m afraid.

> If this is the case, should we also include an
> apparmor profile?

That’s unrelated, but sure, why not.

I would suggest writing a minimal base policy.  SELinux is not an
all-or-nothing affair.  That base policy only needs to provide the few
types that we care about for the guix-daemon.  It wouldn’t be too hard.
The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.

> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
> @guix_sysconfdir@/guix(/.*)?
> @guix_localstatedir@/guix(/.*)?
> @guix_localstatedir@/guix/profiles(/.*)?
> /gnu
> @storedir@(/.+)?
> @storedir@/[^/]+/.+
> @prefix@/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> @guix_localstatedir@/guix/daemon-socket/socket

These are not things that the daemon needs to have access to.  These are
paths that are to be labeled.  The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
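The distinction Ricardo draws at the end of his reply, between labeling paths and granting a process domain permissions on those labels, is easier to see with the two halves side by side. The following is an added illustration, not part of this thread and not Guix's own policy (which is not shown here): a file-contexts fragment that assigns types to the paths quoted above (keeping their autoconf `@...@` placeholders, which are substituted at build time), and a raw SELinux module that defines a `guix_daemon_t` domain, the transition into it, and the access that domain gets. Every type name, the `init_t` spawning domain, the `system_r` role and the permission sets are assumptions chosen for the example; a real policy would be derived from the daemon's actual behaviour under `permissive` mode and `audit2allow`, and trimmed to the minimum that works.

```selinux
# ---- guix-daemon.fc (hypothetical) ----
# Each line: path regex, optional inode kind (-- file, -d dir, -s socket), label.
# This side only says WHAT a path is; it grants no permissions by itself.
@guix_sysconfdir@/guix(/.*)?                          system_u:object_r:guix_conf_t:s0
@guix_localstatedir@/guix(/.*)?                       system_u:object_r:guix_var_t:s0
@guix_localstatedir@/guix/profiles(/.*)?              system_u:object_r:guix_profiles_t:s0
/gnu                                           -d     system_u:object_r:guix_store_t:s0
@storedir@(/.+)?                                      system_u:object_r:guix_store_t:s0
@prefix@/bin/guix-daemon                       --     system_u:object_r:guix_daemon_exec_t:s0
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon  --   system_u:object_r:guix_daemon_exec_t:s0
@guix_localstatedir@/guix/daemon-socket/socket -s     system_u:object_r:guix_daemon_socket_t:s0

# ---- guix-daemon.te (hypothetical, raw module syntax, no refpolicy macros) ----
module guix_daemon 1.0;

require {
    role system_r;
    type init_t;                         # assumed: the domain that spawns the daemon
    class process { transition sigchld };
    class file { read write create open getattr setattr unlink rename execute entrypoint };
    class dir { read write search add_name remove_name create rmdir getattr };
    class lnk_file { read create unlink getattr };
    class sock_file { create getattr unlink write };
}

# Types referenced by the .fc above, plus the process domain itself.
type guix_daemon_t;
type guix_daemon_exec_t;
type guix_store_t;
type guix_conf_t;
type guix_var_t;
type guix_profiles_t;
type guix_daemon_socket_t;
role system_r types guix_daemon_t;

# Domain transition: when init_t executes a file labeled guix_daemon_exec_t,
# the new process runs as guix_daemon_t. This is the "executed in a certain
# context" part; the label on the binary is what triggers it.
type_transition init_t guix_daemon_exec_t:process guix_daemon_t;
allow init_t guix_daemon_exec_t:file { execute getattr open read };
allow init_t guix_daemon_t:process transition;
allow guix_daemon_t guix_daemon_exec_t:file entrypoint;
allow guix_daemon_t init_t:process sigchld;

# Permissions the domain gets on the labeled files. Nothing outside these
# types is reachable from guix_daemon_t, whatever path it sits under.
allow guix_daemon_t guix_store_t:dir { read write search add_name remove_name create rmdir getattr };
allow guix_daemon_t guix_store_t:file { read write create open getattr setattr unlink rename };
allow guix_daemon_t guix_store_t:lnk_file { read create unlink getattr };
allow guix_daemon_t guix_profiles_t:dir { read write search add_name remove_name getattr };
allow guix_daemon_t guix_profiles_t:lnk_file { read create unlink getattr };
allow guix_daemon_t guix_var_t:dir { read write search add_name remove_name create getattr };
allow guix_daemon_t guix_var_t:file { read write create open getattr unlink };
allow guix_daemon_t guix_var_t:sock_file { create getattr unlink write };
allow guix_daemon_t guix_daemon_socket_t:sock_file { create getattr unlink write };
# Configuration is read-only from the daemon's point of view.
allow guix_daemon_t guix_conf_t:dir { read search getattr };
allow guix_daemon_t guix_conf_t:file { read open getattr };
```

Reading the two halves together answers the question in the thread: the .fc side does not give the daemon read/write access to anything, it only decides which type each path carries; the `allow` rules in the .te side are where `guix_daemon_t` is granted read on `guix_conf_t` but read and write on `guix_store_t`, so the same path list yields different permissions depending on the label it maps to.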