Alex Vong <alexvong1995@gmail.com> writes:

>> No, the script won’t install the SELinux policy.  It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora uses different
> base policy, right?

I don’t know much about SELinux on Debian, I’m afraid.

> If this is the case, should we also include an
> apparmor profile?

That’s unrelated, but sure, why not.

I would suggest writing a minimal base policy.  SELinux is not an
all-or-nothing affair.  That base policy only needs to provide the few
types that we care about for the guix-daemon.  It wouldn’t be too hard.

The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.

> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
>   @guix_sysconfdir@/guix(/.*)?
>   @guix_localstatedir@/guix(/.*)?
>   @guix_localstatedir@/guix/profiles(/.*)?
>   /gnu
>   @storedir@(/.+)?
>   @storedir@/[^/]+/.+
>   @prefix@/bin/guix-daemon
>   @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
>   @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
>   @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
>   @guix_localstatedir@/guix/daemon-socket/socket

These are not things that the daemon needs to have access to.  These are
paths that are to be labeled.  The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net