From: Catonano
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Fri, 26 Jan 2018 12:18:09 +0100
To: Ricardo Wurmus
Cc: guix-devel

2018-01-25 17:17 GMT+01:00 Ricardo Wurmus:
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
>   for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
>   for executables spawned by the daemon (which are allowed to run in the
>   guix_daemon_t domain)
> * guix_daemon_socket_t
>   for the daemon socket file
> * guix_profiles_t
>   for the contents of the profiles directory

I'm not sure I understand: is this meant to allow Guix to run in foreign distros like Fedora?

Or is this meant to have SELinux running inside the GuixSD environment?

I might be interested in running Guix on my Fedora installation.

Also, Ricardo, I remember you posted a link to an introduction to SELinux for human beings, some months ago.

Maybe on the irc channel, maybe on some mailing list.

I searched here and found nothing.

Should you be able to post that link again, I'd be grateful.

I promise I will bookmark it this time.

Thanks!

Ciao
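For readers following the thread, here is an added illustration of how the guix_daemon_t domain and the four labels Ricardo lists would typically be wired together in refpolicy-style Type Enforcement. It is not the submitted patch (which is not reproduced in this message); the module name and the exact permission sets are my assumptions about what a daemon of this shape needs, not what the actual policy grants.

```selinux
# Constructed example module; name and permission sets are assumptions.
policy_module(guix_daemon_example, 1.0)

# The process domain and the entrypoint executable type: running a file
# labelled guix_daemon_exec_t from init transitions into guix_daemon_t.
type guix_daemon_t;
type guix_daemon_exec_t;
init_daemon_domain(guix_daemon_t, guix_daemon_exec_t)

# The file labels named in the message.
type guix_daemon_conf_t;
files_config_file(guix_daemon_conf_t)
type guix_daemon_socket_t;
files_type(guix_daemon_socket_t)
type guix_profiles_t;
files_type(guix_profiles_t)

# Configuration (localstatedir, sysconfdir) is read-only for the daemon;
# an attempt to write it is denied and logged as an AVC denial.
allow guix_daemon_t guix_daemon_conf_t:dir list_dir_perms;
allow guix_daemon_t guix_daemon_conf_t:file read_file_perms;

# The daemon creates, binds and removes its own socket file.
allow guix_daemon_t guix_daemon_socket_t:sock_file manage_sock_file_perms;

# The profiles directory is where the daemon updates generations
# and symlinks, so it needs full management there.
allow guix_daemon_t guix_profiles_t:dir manage_dir_perms;
allow guix_daemon_t guix_profiles_t:lnk_file manage_lnk_file_perms;
allow guix_daemon_t guix_profiles_t:file manage_file_perms;

# Helpers labelled guix_daemon_exec_t may be executed without leaving
# the domain (no domain transition is declared for them).
can_exec(guix_daemon_t, guix_daemon_exec_t)
```

Anything the daemon touches that carries none of these labels (or a generic label such as a default_t left over from an unlabelled install) is denied, which is the usual cause of a fresh policy appearing to "break" the daemon on a foreign distro.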