From: "pelzflorian (Florian Pelz)"
Subject: Re: how to understand this SELinux stuff?
Date: Sat, 4 May 2019 19:04:59 +0200
Message-ID: <20190504170459.cloz4ksdywkoyev3@pelzflorian.localdomain>
References: <29974c7468844bd9eeed7dfa362b4bc4@disroot.org>
To: znavko@disroot.org
Cc: help-guix

On Sat, May 04, 2019 at 04:42:52PM +0000, znavko@disroot.org wrote:
> Hello! I am translating SELinux info messages. There are some hard formulations, but this is the best:
>
> #. type: enumerate
> #: doc/guix.texi:1291
> msgid "We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running @code{guix-daemon} executable is upgraded."
>
> I cannot understand the latter sentence. What is the 'guix package that provides the effectively running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?

The running guix-daemon is not necessarily the currently pulled version. When using a foreign distro with the systemd service file as per the manual, the running daemon apparently is root’s pulled Guix version

/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon

but e.g. on Guix System the daemon is the version defined in gnu/packages/package-management.scm.

florian@florianmacbook ~$ ps -Af | grep guix-daemon
root       209     1  0 11:19 ?        00:00:00 /gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf/bin/guix-daemon --build-users-group guixbuild --max-silent-time 0 --timeout 0 --log-compression bzip2 --substitute-urls https://ci.guix.gnu.org
root     14425   209  0 18:45 ?        00:00:02 /gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf/bin/guix-daemon 14421 guixbuild --max-silent-time 0 --timeout 0 --log-compression bzip2 --substitute-urls https://ci.guix.gnu.org
florian  14617 14440  0 19:03 pts/1    00:00:00 grep --color=auto guix-daemon
florian@florianmacbook ~$ guix build guix
/gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf

(Please correct me if I am wrong though.)

Regards,
Florian
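
The comparison made in the message above, as an added example that is not part of the original e-mail: it extracts the executable that is actually running from `ps -Af` output and reports when an exact-file-name policy built for a different store item would leave it unlabelled. The function names, `SAMPLE_PS` and the `NEWER` placeholder path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original message.
# SAMPLE_PS: constructed input modelled on the `ps -Af` output quoted above
# (columns: UID PID PPID C STIME TTY TIME CMD), arguments shortened.
D=/gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf/bin/guix-daemon
SAMPLE_PS="root 209 1 0 11:19 ? 00:00:00 $D --build-users-group guixbuild
root 14425 209 0 18:45 ? 00:00:02 $D 14421 guixbuild
florian 14617 14440 0 19:03 pts/1 00:00:00 grep --color=auto guix-daemon"

# running_daemons: read `ps -Af` output on stdin and print each distinct
# guix-daemon executable path. Field 8 is the command itself, so the
# `grep guix-daemon` line (command: grep) is not counted.
running_daemons() {
    awk '$8 ~ /\/bin\/guix-daemon$/ { print $8 }' | sort -u
}

# exact_policy_gaps LABELLED: print every running daemon path that differs
# from LABELLED, the single file name an exact-name policy would label
# guix_daemon_exec_t. Empty output means the policy matches what runs.
exact_policy_gaps() {
    labelled=$1
    running_daemons | while IFS= read -r exe; do
        [ "$exe" = "$labelled" ] || printf '%s\n' "$exe"
    done
}

# Hypothetical store path standing in for a Guix other than the running one.
NEWER=/gnu/store/CONSTRUCTED-PLACEHOLDER-guix-newer/bin/guix-daemon

# Policy built for the running daemon: prints nothing.
printf '%s\n' "$SAMPLE_PS" | exact_policy_gaps "$D"
# Policy built for another Guix than the one running: the daemon is missed.
printf '%s\n' "$SAMPLE_PS" | exact_policy_gaps "$NEWER"
```

On a foreign distro `ps` shows the profile path from the message rather than a store path; that path is a symlink, so resolve it with `readlink -f` before comparing.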