I think your words are most clear. Thank you, Ricardo Wurmus!

May 4, 2019 7:58 PM, "Ricardo Wurmus" <rek...@elephly.net> wrote:
>> #. type: enumerate
>> #: doc/guix.texi:1291
>> msgid "We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running @code{guix-daemon} executable is upgraded."
>>
>> I cannot understand the latter sentence. What is the 'guix package that provides the effectively running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?
>
> The point here is that the absolute file name of “guix-daemon” may very well differ over time. You may be running /gnu/store/abcdefg…-guix-…/bin/guix-daemon today and /gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow. SELinux policies work by defining rules matching absolute file names, so if the rule were attached to a *specific* item in the store it would have to be updated whenever the daemon would be used from a *different* location in the store, such as after upgrades.
>
> --
> Ricardo
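The two labelling strategies Ricardo contrasts above, as an added model that is not part of the thread or of Guix's own policy: a simplified file-context lookup (whole-path regex, first match wins; real libselinux ordering is more involved) applied to constructed store paths, showing that the broad rule keeps labelling the daemon after an upgrade while an exact rule generated at install time must be regenerated. The regex and store paths are assumptions for illustration.

```python
import re

# Constructed store paths: the daemon installed today, the one present after
# an upgrade, and an unrelated store item that must never get the label.
DAEMON_TODAY = "/gnu/store/abcdefg-guix-1.0.0/bin/guix-daemon"
DAEMON_AFTER_UPGRADE = "/gnu/store/xyz1234-guix-1.0.1/bin/guix-daemon"
UNRELATED = "/gnu/store/qrs-hello-2.10/bin/hello"

# The "broad regular expression" strategy (assumed pattern): any guix-daemon
# inside a guix-* store item is labelled guix_daemon_exec_t.
BROAD_RULES = [(r"/gnu/store/[^/]+-guix-[^/]+/bin/guix-daemon",
                "guix_daemon_exec_t")]


def exact_rules(installed_daemon):
    """The "exact file name" strategy: a rule generated at installation time
    that matches only the daemon's current absolute store path."""
    return [(re.escape(installed_daemon), "guix_daemon_exec_t")]


def label_for(path, rules, default="default_t"):
    """Simplified file-context lookup: each regex must match the whole path;
    the first matching rule decides the label."""
    for pattern, label in rules:
        if re.fullmatch(pattern, path):
            return label
    return default


def labels_after_upgrade(rules):
    """Labels the old and new daemon paths would receive under `rules`
    without any policy update."""
    return {
        "today": label_for(DAEMON_TODAY, rules),
        "after_upgrade": label_for(DAEMON_AFTER_UPGRADE, rules),
        "unrelated": label_for(UNRELATED, rules),
    }


def policy_needs_regeneration(rules):
    """True when the daemon at its post-upgrade path would lose its label,
    i.e. root would have to reinstall the policy."""
    return label_for(DAEMON_AFTER_UPGRADE, rules) != "guix_daemon_exec_t"


if __name__ == "__main__":
    print("broad :", labels_after_upgrade(BROAD_RULES))
    print("exact :", labels_after_upgrade(exact_rules(DAEMON_TODAY)))
    print("exact policy needs regeneration:",
          policy_needs_regeneration(exact_rules(DAEMON_TODAY)))
```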