2018-02-15 16:32 GMT+01:00 Ricardo Wurmus : > > Alex Vong writes: > > >> No, the script won’t install the SELinux policy. It wouldn’t work on > >> all systems, only on those where a suitable SELinux base policy is > >> available. > >> > > So it won't work on Debian? I think Debian and Fedora uses different > > base policy, right? > > I don’t know much about SELinux on Debian, I’m afraid. > > > If this is the case, should we also include an > > apparmor profile? > > That’s unrelated, but sure, why not. > > I would suggest writing a minimal base policy. SELinux is not an > all-or-nothing affair. That base policy only needs to provide the few > types that we care about for the guix-daemon. It wouldn’t be too hard. > > The resulting policy could then be used on GuixSD or any other system > that doesn’t have a full SELinux configuration. > > I would be interested in doing that. It would be great if we could use SELinux on GuixSD. I also like the apparmor idea. These would be great enablers for me. Do we have any policy how we do these, or should I check how it is done on other distros? > > Which paths does guix-daemon need to have r/w access > > to? From your SELinux profile, we know the following is needed: > > > > @guix_sysconfdir@/guix(/.*)? > > @guix_localstatedir@/guix(/.*)? > > @guix_localstatedir@/guix/profiles(/.*)? > > /gnu > > @storedir@(/.+)? > > @storedir@/[^/]+/.+ > > @prefix@/bin/guix-daemon > > @storedir@/.+-(guix-.+|profile)/bin/guix-daemon > > @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate > > @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)? > > @guix_localstatedir@/guix/daemon-socket/socket > > These are not things that the daemon needs to have access to. These are > paths that are to be labeled. The daemon is executed in a certain > context, and processes in that context may have certain permissions on > some of the files that have been labeled. > > -- > Ricardo > > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC > https://elephly.net > > > >