From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Sun, 11 Feb 2018 14:40:47 +0100
Message-ID: <87zi4fiqzk.fsf@mdc-berlin.de>
References: <idjefmd6hh1.fsf@bimsb-sys02.mdc-berlin.net>
	<CAJ98PDzivagAJeofZ4++-ULFwiX+FXtvgFQ7010wbKyQJ+P9bQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39573)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Ricardo.Wurmus@mdc-berlin.de>) id 1ekrsQ-00058g-K4
	for guix-devel@gnu.org; Sun, 11 Feb 2018 08:41:08 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Ricardo.Wurmus@mdc-berlin.de>) id 1ekrsM-0000W1-MJ
	for guix-devel@gnu.org; Sun, 11 Feb 2018 08:41:06 -0500
Received: from venus.bbbm.mdc-berlin.de ([141.80.25.30]:56416)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <Ricardo.Wurmus@mdc-berlin.de>)
	id 1ekrsM-0000Sb-D6
	for guix-devel@gnu.org; Sun, 11 Feb 2018 08:41:02 -0500
In-Reply-To: <CAJ98PDzivagAJeofZ4++-ULFwiX+FXtvgFQ7010wbKyQJ+P9bQ@mail.gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Catonano <catonano@gmail.com>
Cc: guix-devel <guix-devel@gnu.org>


Catonano <catonano@gmail.com> writes:

>> If you want to test this on Fedora, set SELinux to permissive, and mak=
e
>> sure to configure Guix properly (i.e. set localstatedir, prefix, and
>> sysconfdir).  Then install the policy with =E2=80=9Csudo semodule -i
>> etc/guix-daemon.cil=E2=80=9D.  Then relabel the filesystem (at least /=
gnu,
>> $localstatedir, $sysconfdir, and $prefix) with something like this:
>>
>>     sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>>
>
> can I do this with the binary installation made with Sharlatan's script=
 ?

No, the script won=E2=80=99t install the SELinux policy.  It wouldn=E2=80=
=99t work on
all systems, only on those where a suitable SELinux base policy is
available.

> $localstatedir is /var, I suppose
>
> But I don' t know about $sysconfdir and $prefix

/etc and /.  But you=E2=80=99d be better off just relabeling everything. =
 On
Fedora you can touch a certain file and have everything relabeled on
reboot.  Takes a long time, though.

--
Ricardo