From: Alex Vong
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Thu, 15 Feb 2018 22:00:07 +0800
Message-ID: <87k1ve2w0o.fsf@gmail.com>
In-Reply-To: <87zi4fiqzk.fsf@mdc-berlin.de> (Ricardo Wurmus's message of "Sun, 11 Feb 2018 14:40:47 +0100")
To: Ricardo Wurmus
Cc: guix-devel

Hello,

Ricardo Wurmus writes:

> Catonano writes:
>
>>> If you want to test this on Fedora, set SELinux to permissive, and make
>>> sure to configure Guix properly (i.e. set localstatedir, prefix, and
>>> sysconfdir). Then install the policy with “sudo semodule -i
>>> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
>>> $localstatedir, $sysconfdir, and $prefix) with something like this:
>>>
>>> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>>>
>>
>> Can I do this with the binary installation made with Sharlatan's script?
>
> No, the script won’t install the SELinux policy. It wouldn’t work on
> all systems, only on those where a suitable SELinux base policy is
> available.
>

So it won't work on Debian? I think Debian and Fedora use different base
policies, right? If this is the case, should we also include an AppArmor
profile?

Which paths does guix-daemon need to have r/w access to? From your
SELinux profile, we know the following is needed:

@guix_sysconfdir@/guix(/.*)?
@guix_localstatedir@/guix(/.*)?
@guix_localstatedir@/guix/profiles(/.*)?
/gnu
@storedir@(/.+)?
@storedir@/[^/]+/.+
@prefix@/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
@guix_localstatedir@/guix/daemon-socket/socket

Also, access to $HOME will be needed. What else?

>> $localstatedir is /var, I suppose
>>
>> But I don't know about $sysconfdir and $prefix
>
> /etc and /. But you’d be better off just relabeling everything. On
> Fedora you can touch a certain file and have everything relabeled on
> reboot. Takes a long time, though.
>
> --
> Ricardo
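The install-and-relabel procedure quoted in this thread (semodule -i, then restorecon over /gnu, $localstatedir, $sysconfdir and $prefix), written out as a script with the check a tester wants afterwards. This is an added example, not code from the Guix project or from anyone in the thread. It assumes the PREFIX/LOCALSTATEDIR/SYSCONFDIR environment variables and their defaults (taken from Ricardo's answer: /, /var, /etc), that semodule names the loaded module "guix-daemon" after the .cil file name, and that "restorecon -Rnv" lists only files whose current label still differs from the policy's file contexts. The "plan" step collapses the directory list so that, when $prefix is /, it becomes the "just relabel everything" case Ricardo recommends instead of walking / four times.

```shell
#!/bin/sh
# Added example, not part of the Guix project: install etc/guix-daemon.cil,
# relabel the directories named in the thread, and verify the labels.
# Assumed defaults follow Ricardo's reply (/, /var, /etc); override them
# via the environment before running.
set -eu

PREFIX="${PREFIX:-/}"
LOCALSTATEDIR="${LOCALSTATEDIR:-/var}"
SYSCONFDIR="${SYSCONFDIR:-/etc}"
POLICY="${POLICY:-etc/guix-daemon.cil}"

# Print the directories restorecon must walk, one per line, with trailing
# slashes removed and any directory that lies under another listed one
# dropped.  If "/" is among them the list collapses to "/" alone, i.e.
# the "better off just relabeling everything" case from the thread.
relabel_targets() {
    for d in /gnu "$LOCALSTATEDIR" "$SYSCONFDIR" "$PREFIX"; do
        d="${d%/}"
        [ -n "$d" ] || d=/
        printf '%s\n' "$d"
    done | LC_ALL=C sort -u | awk '
        # C-locale sort puts every ancestor before its descendants, so a
        # path is redundant iff an already kept path is a prefix of it.
        {
            keep = 1
            for (i = 1; i <= n; i++) {
                a = kept[i]
                if (a == "/") a = ""
                if (index($0, a "/") == 1) { keep = 0; break }
            }
            if (keep) { kept[++n] = $0; print }
        }'
}

# Install the module and relabel.  Needs root and a distribution whose
# SELinux base policy the CIL module can be linked against (Fedora in the
# thread); the module name "guix-daemon" is an assumption derived from
# the file name semodule is given.
install_and_relabel() {
    if [ "$(getenforce)" = Enforcing ]; then
        echo "SELinux is enforcing; switching to permissive for the test run" >&2
        setenforce 0
    fi
    semodule -i "$POLICY"
    semodule -l | grep -q '^guix-daemon' || {
        echo "guix-daemon module not listed by semodule -l" >&2
        return 1
    }
    relabel_targets | while IFS= read -r dir; do
        restorecon -R "$dir"
    done
}

# After relabeling this should print nothing: with -n restorecon changes
# nothing and -v reports only files whose label still differs from the
# file contexts the policy declares.
check_labels() {
    relabel_targets | while IFS= read -r dir; do
        restorecon -Rnv "$dir"
    done
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        plan)  relabel_targets ;;
        apply) install_and_relabel ;;
        check) check_labels ;;
        *)     echo "usage: $0 {plan|apply|check}" >&2; exit 2 ;;
    esac
fi
```

Run "plan" first to see which directories will be walked; with the thread's /, /var and /etc it prints only "/", which is the full-filesystem relabel Ricardo mentions. "apply" performs the install and relabel, and "check" afterwards is the test that nothing under those directories is still mislabeled.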