unofficial mirror of help-guix@gnu.org 
From: znavko@disroot.org
To: Ricardo Wurmus <rekado@elephly.net>
Cc: help-guix@gnu.org
Subject: Re: how to understand this SELinux stuff?
Date: Sat, 04 May 2019 20:09:54 +0000	[thread overview]
Message-ID: <543c59ffbf9faa3bda35ad7afe8616fd@disroot.org> (raw)
In-Reply-To: <8736lukn51.fsf@elephly.net>

I think your words are most clear. Thank you, Ricardo Wurmus!

May 4, 2019 7:58 PM, "Ricardo Wurmus" <rekado@elephly.net> wrote:

>> #. type: enumerate
>> #: doc/guix.texi:1291
>> msgid "We could generate a much more restrictive policy at installation time, so that only the
>> @emph{exact} file name of the currently installed @code{guix-daemon} executable would be labelled
>> with @code{guix_daemon_exec_t}, instead of using a broad regular expression. The downside is that
>> root would have to install or upgrade the policy at installation time whenever the Guix package
>> that provides the effectively running @code{guix-daemon} executable is upgraded."
>> 
>> I cannot understand the latter sentence. What is the 'guix package that provides the effectively
>> running guix-daemon'? Can I say just: if guix-daemon's executable was upgraded?
> 
> The point here is that the absolute file name of “guix-daemon” may very
> well differ over time. You may be running
> /gnu/store/abcdefg…-guix-…/bin/guix-daemon today and
> /gnu/store/xyz…-guix-…/bin/guix-daemon tomorrow. SELinux policies work
> by defining rules matching absolute file names, so if the rule were
> attached to a *specific* item in the store it would have to be updated
> whenever the daemon would be used from a *different* location in the
> store, such as after upgrades.
> 
> --
> Ricardo
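The trade-off Ricardo describes can be made concrete by matching store paths against file-context rules. The following is an added illustration, not code from the thread or from the Guix SELinux policy: it parses a small, constructed file_contexts-style fragment (regex, optional file-type field, security context) and labels a path with the last rule whose regex matches the whole path. Two constructed policies are compared: a broad one with a regular expression over the store directory name, and a restrictive one pinned to one exact store path. The store hashes, the context names other than `guix_daemon_exec_t`, and the "last match wins" simplification are assumptions for the example; libselinux applies more involved precedence rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FcRule:
    """One file-context entry: anchored regex, optional file type (e.g. '--'), context."""
    regex: str
    file_type: Optional[str]
    context: str


def parse_fc(text: str) -> List[FcRule]:
    """Parse file_contexts-style lines: REGEX [FILETYPE] USER:ROLE:TYPE:LEVEL.

    '#' starts a comment; blank lines are ignored. This is a deliberately
    small parser for the example, not a drop-in for libselinux.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed file-context line: {line!r}")
        rules.append(FcRule(regex, ftype, ctx))
    return rules


def label_for(path: str, rules: List[FcRule]) -> Optional[str]:
    """Return the SELinux type of the last rule whose regex matches the full path.

    Simplification (assumption for this example): rules are assumed to be
    ordered from generic to specific, so the last match wins. A real policy
    is resolved by libselinux with its own precedence logic.
    """
    winner = None
    for rule in rules:
        if rule.context == "<<none>>":
            continue
        # setfiles anchors entries with ^...$, so use fullmatch.
        if re.fullmatch(rule.regex, path):
            winner = rule
    return winner.context.split(":")[2] if winner else None


# Constructed policy fragments. The broad one mirrors the idea in the Guix
# manual text quoted above: match any store item named *-guix-*.
BROAD_POLICY = r"""
/gnu/store(/.*)?                                 system_u:object_r:guix_store_t:s0
/gnu/store/[^/]+-guix-[^/]+/bin/guix-daemon  --  system_u:object_r:guix_daemon_exec_t:s0
"""

# The restrictive alternative: only the exact, currently installed daemon.
EXACT_POLICY = r"""
/gnu/store(/.*)?                                 system_u:object_r:guix_store_t:s0
/gnu/store/abcdefg-guix-1\.0\.0/bin/guix-daemon  --  system_u:object_r:guix_daemon_exec_t:s0
"""

# Constructed store paths: the daemon "today" and after an upgrade "tomorrow".
OLD_DAEMON = "/gnu/store/abcdefg-guix-1.0.0/bin/guix-daemon"
NEW_DAEMON = "/gnu/store/xyz1234-guix-1.0.1/bin/guix-daemon"


def daemon_labels(policy_text: str) -> dict:
    """Label both daemon paths under one policy, to show the upgrade effect."""
    rules = parse_fc(policy_text)
    return {
        "old": label_for(OLD_DAEMON, rules),
        "new": label_for(NEW_DAEMON, rules),
    }


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("exact", EXACT_POLICY)):
        print(name, daemon_labels(policy))
```

Under the broad policy both the old and the upgraded daemon are labelled `guix_daemon_exec_t`, so no policy update is needed after an upgrade; under the exact policy the upgraded daemon falls through to the generic store rule and would run without the daemon's confined type until root re-installs the policy, which is exactly the downside the manual text describes.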

Thread overview: 4+ messages
2019-05-04 16:42 how to understand this SELinux stuff? znavko
2019-05-04 17:04 ` pelzflorian (Florian Pelz)
2019-05-04 19:58 ` Ricardo Wurmus
2019-05-04 20:09 ` znavko [this message]
