From mboxrd@z Thu Jan  1 00:00:00 1970
From: znavko@disroot.org
Subject: Re: how to understand this SELinux stuff?
Date: Sat, 04 May 2019 20:09:54 +0000
Message-ID: <543c59ffbf9faa3bda35ad7afe8616fd@disroot.org>
References: <8736lukn51.fsf@elephly.net>
	<29974c7468844bd9eeed7dfa362b4bc4@disroot.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:32770)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <znavko@disroot.org>) id 1hN0z0-0007Yb-Cn
	for help-guix@gnu.org; Sat, 04 May 2019 16:10:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <znavko@disroot.org>) id 1hN0yw-0002Cb-IW
	for help-guix@gnu.org; Sat, 04 May 2019 16:10:06 -0400
Received: from knopi.disroot.org ([178.21.23.139]:42312)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <znavko@disroot.org>) id 1hN0yt-0002B1-M5
	for help-guix@gnu.org; Sat, 04 May 2019 16:10:01 -0400
In-Reply-To: <8736lukn51.fsf@elephly.net>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: help-guix@gnu.org

I think your words are most clear. Thank you, Ricardo Wurmus!=0A=0AMay 4,=
 2019 7:58 PM, "Ricardo Wurmus" <rekado@elephly.net> wrote:=0A=0A>> #. ty=
pe: enumerate=0A>> #: doc/guix.texi:1291=0A>> msgid "We could generate a =
much more restrictive policy at installation time, so that only the=0A>> =
@emph{exact} file name of the currently installed @code{guix-daemon} exec=
utable would be labelled=0A>> with @code{guix_daemon_exec_t}, instead of =
using a broad regular expression. The downside is that=0A>> root would ha=
ve to install or upgrade the policy at installation time whenever the Gui=
x package=0A>> that provides the effectively running @code{guix-daemon} e=
xecutable is upgraded."=0A>> =0A>> I cannot understand the latter sentenc=
e. What is the 'guix package that provides the effectively=0A>> running g=
uix-damon'? Can I say just: if guix-daemon's executable was upgraded?=0A>=
 =0A> The point here is that the absolute file name of =E2=80=9Cguix-daem=
on=E2=80=9D may very=0A> well differ over time. You may be running=0A> /g=
nu/store/abcdefg=E2=80=A6-guix-=E2=80=A6/bin/guix-daemon today and=0A> /g=
nu/store/xyz=E2=80=A6-guix-=E2=80=A6/bin/guix-daemon tomorrow. SELinux po=
licies work=0A> by defining rules matching absolute file names, so if the=
 rule were to=0A> attached to a *specific* item in the store it would hav=
e to be updated=0A> whenever the daemon would be used from a *different* =
location in the=0A> store, such as after upgrades.=0A> =0A> --=0A> Ricard=
o