2018-02-16 8:49 GMT+01:00 Alex Vong <alexvong1...@gmail.com>:
> Ricardo Wurmus <rek...@elephly.net> writes:
>
> > Alex Vong <alexvong1...@gmail.com> writes:
> >
> >>> No, the script won’t install the SELinux policy. It wouldn’t work on
> >>> all systems, only on those where a suitable SELinux base policy is
> >>> available.
> >>>
> >> So it won't work on Debian? I think Debian and Fedora use different
> >> base policies, right?
> >
> > I don’t know much about SELinux on Debian, I’m afraid.
> >
> >> If this is the case, should we also include an
> >> apparmor profile?
> >
> > That’s unrelated, but sure, why not.
> >
> > I would suggest writing a minimal base policy. SELinux is not an
> > all-or-nothing affair. That base policy only needs to provide the few
> > types that we care about for the guix-daemon. It wouldn’t be too hard.
> >
> > The resulting policy could then be used on GuixSD or any other system
> > that doesn’t have a full SELinux configuration.
>

I looked around a little, and it seems that at least Fedora and Debian
have their base policies originating from the SELinux reference policy:
https://github.com/TresysTechnology/refpolicy/wiki

I guess it would be nice to investigate how we could adopt this to
GuixSD. WDYT?

>
> >> Which paths does guix-daemon need to have r/w access
> >> to? From your SELinux profile, we know the following is needed:
> >>
> >> @guix_sysconfdir@/guix(/.*)?
> >> @guix_localstatedir@/guix(/.*)?
> >> @guix_localstatedir@/guix/profiles(/.*)?
> >> /gnu
> >> @storedir@(/.+)?
> >> @storedir@/[^/]+/.+
> >> @prefix@/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> >> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> >> @guix_localstatedir@/guix/daemon-socket/socket
> >
> > These are not things that the daemon needs to have access to. These are
> > paths that are to be labeled. The daemon is executed in a certain
> > context, and processes in that context may have certain permissions on
> > some of the files that have been labeled.
>
> I will have to read the colour book when I have time to understand what
> you mean!
>
> > --
> > Ricardo
> >
> > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> > https://elephly.net
>
> >
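As an added illustration of the distinction Ricardo draws above between labeling paths and granting a domain permissions (this is example policy written for this page, not the project's own policy file): the file-context half assigns a type to each of the path regexes quoted in the thread, and the type-enforcement half says what the daemon's domain may do with each type. The module name, the type names (`guix_daemon_t`, `guix_store_t`, and so on) and the permission sets are assumptions; the macros (`policy_module`, `init_daemon_domain`, `files_type`, `manage_files_pattern`, `filetrans_pattern`) come from the reference policy, so this module needs a refpolicy-derived base such as Fedora's or Debian's, which is exactly the dependency the thread is discussing.

```selinux
# ---- guix_daemon.fc: labeling. Paths are matched by regex; the last
# ---- matching entry wins, so more specific entries go later.
# Regexes are the ones quoted in the thread; the types are invented here.
@guix_sysconfdir@/guix(/.*)?                              gen_context(system_u:object_r:guix_daemon_conf_t,s0)
@guix_localstatedir@/guix(/.*)?                           gen_context(system_u:object_r:guix_daemon_var_lib_t,s0)
@guix_localstatedir@/guix/daemon-socket/socket        -s  gen_context(system_u:object_r:guix_daemon_socket_t,s0)
/gnu                                                  -d  gen_context(system_u:object_r:guix_store_t,s0)
@storedir@(/.+)?                                          gen_context(system_u:object_r:guix_store_t,s0)
@prefix@/bin/guix-daemon                              --  gen_context(system_u:object_r:guix_daemon_exec_t,s0)
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon       --  gen_context(system_u:object_r:guix_daemon_exec_t,s0)

# ---- guix_daemon.te: permissions. Nothing here mentions a path; rules
# ---- are stated purely in terms of the domain and the types above.
policy_module(guix_daemon, 0.1)

# The daemon's domain, and the entry-point type that transitions into it
# when init executes a file labeled guix_daemon_exec_t.
type guix_daemon_t;
type guix_daemon_exec_t;
init_daemon_domain(guix_daemon_t, guix_daemon_exec_t)

# Register the data types with the base policy as ordinary file types so
# that its generic rules (e.g. for backup or restorecon) apply to them.
type guix_daemon_conf_t;
files_config_file(guix_daemon_conf_t)
type guix_daemon_var_lib_t;
files_type(guix_daemon_var_lib_t)
type guix_daemon_socket_t;
files_type(guix_daemon_socket_t)
type guix_store_t;
files_type(guix_store_t)

# Configuration under sysconfdir: read-only for the daemon.
allow guix_daemon_t guix_daemon_conf_t:dir list_dir_perms;
allow guix_daemon_t guix_daemon_conf_t:file read_file_perms;

# State under localstatedir and the store: create, write, rename, delete.
manage_dirs_pattern(guix_daemon_t, guix_daemon_var_lib_t, guix_daemon_var_lib_t)
manage_files_pattern(guix_daemon_t, guix_daemon_var_lib_t, guix_daemon_var_lib_t)
manage_lnk_files_pattern(guix_daemon_t, guix_daemon_var_lib_t, guix_daemon_var_lib_t)
manage_dirs_pattern(guix_daemon_t, guix_store_t, guix_store_t)
manage_files_pattern(guix_daemon_t, guix_store_t, guix_store_t)
manage_lnk_files_pattern(guix_daemon_t, guix_store_t, guix_store_t)

# The listening socket. A socket the daemon creates under daemon-socket/
# would otherwise inherit the directory's type, so a transition rule
# gives it guix_daemon_socket_t at creation time instead.
manage_sock_files_pattern(guix_daemon_t, guix_daemon_var_lib_t, guix_daemon_socket_t)
filetrans_pattern(guix_daemon_t, guix_daemon_var_lib_t, guix_daemon_socket_t, sock_file)
```

The split answers the "which paths need r/w access" question from both sides: the .fc file is what `restorecon` consults to put labels on the paths, and the .te file never sees a path at all, only the types those labels carry. A store path that ends up unlabeled (for instance one created before the .fc file was applied) is therefore invisible to the allow rules, which is the usual source of surprise denials with a policy like this.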