> #. type: enumerate
> #: doc/guix.texi:1291
> msgid "We could generate a much more restrictive policy at installation time,
> so that only the @emph{exact} file name of the currently installed
> @code{guix-daemon} executable would be labelled with
> @code{guix_daemon_exec_t}, instead of using a broad regular expression. The
> downside is that root would have to install or upgrade the policy at
> installation time whenever the Guix package that provides the effectively
> running @code{guix-daemon} executable is upgraded."
>
> I cannot understand the latter sentence. What is the 'guix package that
> provides the effectively running guix-daemon'? Can I say just: if
> guix-daemon's executable was upgraded?
The point here is that the absolute file name of “guix-daemon” may very well differ over time. You may be running /gnu/store/abcdefg…-guix-…/bin/guix-daemon today and /gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow. SELinux policies work by defining rules matching absolute file names, so if the rule were attached to a *specific* item in the store it would have to be updated whenever the daemon would be used from a *different* location in the store, such as after upgrades.

-- Ricardo
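The file-name matching Ricardo describes, as an added Python example that is not part of this thread and not Guix's own SELinux policy: it models a file_contexts list as ordered (regex, type) pairs and labels a few constructed store paths with a broad regex spec versus an exact-path spec, to show which one survives a daemon upgrade. The store hashes, the `store_default_t` type name and the guix-daemon regex are all assumptions made up for the illustration; "last matching spec wins" is a simplification that ignores the stem-specificity ordering real libselinux applies.

```python
import re

# Constructed sample paths (made-up hashes, not real store items). The hash
# changes whenever the guix package that provides the daemon is rebuilt.
OLD_DAEMON = "/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-guix-1.4.0/bin/guix-daemon"
NEW_DAEMON = "/gnu/store/zyxwvsrqpnmlkjihgfdcba9876543210-guix-1.4.0-3.abcdef/bin/guix-daemon"
OTHER_BIN = "/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-hello-2.12/bin/hello"

# Simplified model of a file_contexts list: each spec is an anchored regular
# expression over the absolute path plus the SELinux type it assigns. The
# type name `store_default_t` is hypothetical. Assumption: the last spec that
# matches wins, so the catch-all entry comes first.
BROAD_SPECS = [
    (r"/gnu/store/.*", "store_default_t"),
    # Assumed shape of a "broad regular expression" rule: any store item
    # named ...-guix-... that contains bin/guix-daemon gets the exec type.
    (r"/gnu/store/[^/]+-guix-[^/]+/bin/guix-daemon", "guix_daemon_exec_t"),
]


def exact_specs(installed_daemon):
    """The 'much more restrictive' variant: label only one exact file name."""
    return [
        (r"/gnu/store/.*", "store_default_t"),
        (re.escape(installed_daemon), "guix_daemon_exec_t"),
    ]


def label_for(path, specs):
    """Return the type the given specs assign to `path`, or None if nothing matches."""
    label = None
    for pattern, selinux_type in specs:
        if re.fullmatch(pattern, path):
            label = selinux_type
    return label


def policy_needs_update(running_daemon, specs):
    """True when the daemon actually in use would not run in the confined
    domain, i.e. root would have to regenerate and reload the policy."""
    return label_for(running_daemon, specs) != "guix_daemon_exec_t"


if __name__ == "__main__":
    for name, specs in (("broad", BROAD_SPECS), ("exact", exact_specs(OLD_DAEMON))):
        for path in (OLD_DAEMON, NEW_DAEMON, OTHER_BIN):
            print(f"{name:5} {label_for(path, specs):20} {path}")
        print(f"{name:5} update needed after upgrade: {policy_needs_update(NEW_DAEMON, specs)}")
```

With the broad spec both the old and the new daemon are labelled `guix_daemon_exec_t` and nothing else under /gnu/store picks up the type; with the exact spec the freshly upgraded daemon falls back to the store's default label until root reinstalls the policy, which is exactly the trade-off the manual paragraph describes.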