Ricardo Wurmus <rek...@elephly.net> writes:

> Alex Vong <alexvong1...@gmail.com> writes:
>
>>> No, the script won’t install the SELinux policy. It wouldn’t work on
>>> all systems, only on those where a suitable SELinux base policy is
>>> available.
>>>
>> So it won't work on Debian? I think Debian and Fedora use different
>> base policies, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
>> If this is the case, should we also include an
>> apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
>> Which paths does guix-daemon need to have r/w access
>> to? From your SELinux profile, we know the following is needed:
>>
>> @guix_sysconfdir@/guix(/.*)?
>> @guix_localstatedir@/guix(/.*)?
>> @guix_localstatedir@/guix/profiles(/.*)?
>> /gnu
>> @storedir@(/.+)?
>> @storedir@/[^/]+/.+
>> @prefix@/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
>> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
>> @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
I will have to read the colour book when I have time to understand what you mean!

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
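To make the labeling-versus-permissions distinction concrete, here is an added illustration that is not part of the thread and not Guix's actual policy: a file-contexts file (.fc) that only assigns types to the paths listed above, and a separate type-enforcement module (.te) in which the daemon's domain is granted rights on those types. The type names (guix_daemon_t, guix_daemon_exec_t, guix_conf_t, guix_var_t, guix_store_t, guix_daemon_socket_t) are assumed for illustration, and the .te assumes the SELinux reference-policy development headers for its macros.

```selinux
## guix-daemon.fc -- file contexts: this part only LABELS paths.
## It grants nothing by itself; `restorecon -R` applies the labels on disk.
## Type names guix_*_t are illustrative, not the real Guix policy.
@guix_sysconfdir@/guix(/.*)?                    gen_context(system_u:object_r:guix_conf_t,s0)
@guix_localstatedir@/guix(/.*)?                 gen_context(system_u:object_r:guix_var_t,s0)
@guix_localstatedir@/guix/daemon-socket/socket -s gen_context(system_u:object_r:guix_daemon_socket_t,s0)
/gnu                                            -d gen_context(system_u:object_r:guix_store_t,s0)
@storedir@(/.+)?                                gen_context(system_u:object_r:guix_store_t,s0)
@prefix@/bin/guix-daemon                        -- gen_context(system_u:object_r:guix_daemon_exec_t,s0)
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon -- gen_context(system_u:object_r:guix_daemon_exec_t,s0)

## guix-daemon.te -- type enforcement: the DOMAIN gets rights on TYPES.
## Assumes reference-policy headers (policy_module, files_type,
## init_daemon_domain, *_perms macros), e.g. built with
## `make -f /usr/share/selinux/devel/Makefile guix-daemon.pp`.
policy_module(guix_daemon, 0.1)

type guix_daemon_t;            # domain the daemon process runs in
type guix_daemon_exec_t;       # entry point: the labeled daemon binary
type guix_conf_t;
type guix_var_t;
type guix_store_t;
type guix_daemon_socket_t;
files_type(guix_conf_t)
files_type(guix_var_t)
files_type(guix_store_t)
files_type(guix_daemon_socket_t)

# Executing a guix_daemon_exec_t file from init transitions the process
# into guix_daemon_t; the label on the binary is what selects the domain.
init_daemon_domain(guix_daemon_t, guix_daemon_exec_t)

# Only here are permissions granted: to the domain, per object type and class.
# A path that is labeled but never named in an allow rule stays inaccessible.
allow guix_daemon_t guix_conf_t:dir           list_dir_perms;
allow guix_daemon_t guix_conf_t:file          read_file_perms;
allow guix_daemon_t guix_var_t:dir            manage_dir_perms;
allow guix_daemon_t guix_var_t:file           manage_file_perms;
allow guix_daemon_t guix_var_t:lnk_file       manage_lnk_file_perms;
allow guix_daemon_t guix_store_t:dir          manage_dir_perms;
allow guix_daemon_t guix_store_t:file         { manage_file_perms execute };
allow guix_daemon_t guix_daemon_socket_t:sock_file manage_sock_file_perms;

# Clients in other domains get nothing from the labels alone; each needs
# its own rules to reach the socket, for instance (some_client_t assumed):
#   allow some_client_t guix_daemon_socket_t:sock_file write_sock_file_perms;
#   allow some_client_t guix_daemon_t:unix_stream_socket connectto;
```

Because rights attach to types rather than paths, `ls -Z` on a store path shows the label the daemon's rules refer to, and `ausearch -m AVC` shows which type/class pair a denied access was missing.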