unofficial mirror of help-guix@gnu.org 
* how to understand this SELinux stuff?
@ 2019-05-04 16:42 znavko
  2019-05-04 17:04 ` pelzflorian (Florian Pelz)
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: znavko @ 2019-05-04 16:42 UTC (permalink / raw)
  To: help-guix

Hello! I am translating SELinux info messages. There are some hard formulations, but this is the best:

#. type: enumerate
#: doc/guix.texi:1291
msgid "We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running @code{guix-daemon} executable is upgraded."

I cannot understand the latter sentence. What is the 'guix package that provides the effectively running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?


* Re: how to understand this SELinux stuff?
  2019-05-04 16:42 how to understand this SELinux stuff? znavko
@ 2019-05-04 17:04 ` pelzflorian (Florian Pelz)
  2019-05-04 19:58 ` Ricardo Wurmus
  2019-05-04 20:09 ` znavko
  2 siblings, 0 replies; 4+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-05-04 17:04 UTC (permalink / raw)
  To: znavko; +Cc: help-guix

On Sat, May 04, 2019 at 04:42:52PM +0000, znavko@disroot.org wrote:
> Hello! I am translating SELinux info messages. There are some hard formulations, but this is the best:
> 
> #. type: enumerate
> #: doc/guix.texi:1291
> msgid "We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running @code{guix-daemon} executable is upgraded."
> 
> I cannot understand the latter sentence. What is the 'guix package that provides the effectively running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?


The running guix-daemon is not necessarily the currently pulled
version.  When using a foreign distro with the systemd service file as
per the manual, the running daemon apparently is root’s pulled Guix
version /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon
but e.g. on Guix System the daemon is the version defined in
gnu/packages/package-management.scm.

florian@florianmacbook ~$ ps -Af | grep guix-daemon
root       209     1  0 11:19 ?        00:00:00 /gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf/bin/guix-daemon --build-users-group guixbuild --max-silent-time 0 --timeout 0 --log-compression bzip2 --substitute-urls https://ci.guix.gnu.org
root     14425   209  0 18:45 ?        00:00:02 /gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf/bin/guix-daemon 14421               guixbuild --max-silent-time 0 --timeout 0 --log-compression bzip2 --substitute-urls https://ci.guix.gnu.org
florian  14617 14440  0 19:03 pts/1    00:00:00 grep --color=auto guix-daemon
florian@florianmacbook ~$ guix build guix
/gnu/store/cwlghngrh03igf8cfsp2mf49c2l9fnf5-guix-1.0.0-1.326dcbf


(Please correct me if I am wrong though.)

Regards,
Florian


* Re: how to understand this SELinux stuff?
  2019-05-04 16:42 how to understand this SELinux stuff? znavko
  2019-05-04 17:04 ` pelzflorian (Florian Pelz)
@ 2019-05-04 19:58 ` Ricardo Wurmus
  2019-05-04 20:09 ` znavko
  2 siblings, 0 replies; 4+ messages in thread
From: Ricardo Wurmus @ 2019-05-04 19:58 UTC (permalink / raw)
  To: znavko; +Cc: help-guix


> #. type: enumerate
> #: doc/guix.texi:1291
> msgid "We could generate a much more restrictive policy at installation time, so that only the @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that root would have to install or upgrade the policy at installation time whenever the Guix package that provides the effectively running @code{guix-daemon} executable is upgraded."
>
> I cannot understand the latter sentence. What is the 'guix package that provides the effectively running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?

The point here is that the absolute file name of “guix-daemon” may very
well differ over time.  You may be running
/gnu/store/abcdefg…-guix-…/bin/guix-daemon today and
/gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow.  SELinux policies work
by defining rules matching absolute file names, so if the rule were
attached to a *specific* item in the store it would have to be updated
whenever the daemon would be used from a *different* location in the
store, such as after upgrades.

--
Ricardo

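To make the point above concrete, here is an added example (mine, not code from the thread or from Guix's own policy) that models SELinux file-context matching in Python over constructed store paths and shows why an exact-file-name rule stops labelling the daemon after an upgrade while a broad regex keeps matching, and also what "broad" costs. The regex, the `default_t` fallback and the first-match rule are assumptions made for illustration.

```python
import re

GUIX_DAEMON_T = "guix_daemon_exec_t"
DEFAULT_T = "default_t"  # assumed fallback type for an unmatched store file


def lookup_type(path, rules):
    """Return the type `path` is labelled with under `rules`.

    `rules` is an ordered list of (regex, type) pairs in the spirit of SELinux
    file-context entries; like setfiles, the regex must match the whole path.
    Simplification (assumption): the first matching rule wins.
    """
    for pattern, se_type in rules:
        if re.fullmatch(pattern, path):
            return se_type
    return DEFAULT_T


def needs_policy_update(rules, running_daemon):
    """True when the daemon actually running is not labelled guix_daemon_exec_t,
    i.e. root would have to regenerate and reload the policy."""
    return lookup_type(running_daemon, rules) != GUIX_DAEMON_T


# Constructed store paths: the daemon today and after an upgrade (new hash).
DAEMON_TODAY = "/gnu/store/abcdefg-guix-1.0.0/bin/guix-daemon"
DAEMON_TOMORROW = "/gnu/store/xyz1234-guix-1.0.1/bin/guix-daemon"
# A constructed unrelated store item whose name also happens to contain "-guix-".
OTHER_ITEM = "/gnu/store/q9q9q9q-emacs-guix-0.5/bin/guix-daemon"

# Option 1 from the manual: label only the exact file name installed right now.
EXACT_RULES = [(re.escape(DAEMON_TODAY), GUIX_DAEMON_T)]

# Option 2: a broad regex over the store.  Pattern assumed for this example,
# not taken from Guix's shipped policy.
BROAD_RULES = [(r"/gnu/store/[^/]+-guix-[^/]+/bin/guix-daemon", GUIX_DAEMON_T)]


def compare_policies():
    """Label each constructed path under both rule sets."""
    paths = (DAEMON_TODAY, DAEMON_TOMORROW, OTHER_ITEM)
    return {
        "exact": {p: lookup_type(p, EXACT_RULES) for p in paths},
        "broad": {p: lookup_type(p, BROAD_RULES) for p in paths},
    }


if __name__ == "__main__":
    for name, labels in compare_policies().items():
        print(name)
        for path, se_type in labels.items():
            print(f"  {se_type:20} {path}")
    print("exact rule needs update after upgrade:",
          needs_policy_update(EXACT_RULES, DAEMON_TOMORROW))
```

The exact rule silently stops covering the daemon the moment its store path changes, whereas the broad rule also labels any store item whose name contains `-guix-`, which is the trade-off the manual text is describing.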

* Re: how to understand this SELinux stuff?
  2019-05-04 16:42 how to understand this SELinux stuff? znavko
  2019-05-04 17:04 ` pelzflorian (Florian Pelz)
  2019-05-04 19:58 ` Ricardo Wurmus
@ 2019-05-04 20:09 ` znavko
  2 siblings, 0 replies; 4+ messages in thread
From: znavko @ 2019-05-04 20:09 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

I think your words are most clear. Thank you, Ricardo Wurmus!

May 4, 2019 7:58 PM, "Ricardo Wurmus" <rekado@elephly.net> wrote:

>> #. type: enumerate
>> #: doc/guix.texi:1291
>> msgid "We could generate a much more restrictive policy at installation time, so that only the
>> @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled
>> with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that
>> root would have to install or upgrade the policy at installation time whenever the Guix package
>> that provides the effectively running @code{guix-daemon} executable is upgraded."
>> 
>> I cannot understand the latter sentence. What is the 'guix package that provides the effectively
>> running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?
> 
> The point here is that the absolute file name of “guix-daemon” may very
> well differ over time. You may be running
> /gnu/store/abcdefg…-guix-…/bin/guix-daemon today and
> /gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow. SELinux policies work
> by defining rules matching absolute file names, so if the rule were
> attached to a *specific* item in the store it would have to be updated
> whenever the daemon would be used from a *different* location in the
> store, such as after upgrades.
> 
> --
> Ricardo

