From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ricardo Wurmus
Subject: bug#39172: SElinux guix-daemon.cil file
Date: Mon, 20 Jan 2020 11:35:36 +0100
Message-ID: <87iml6wh3b.fsf@elephly.net>
References: <87h80qij75.fsf@gnu.org>
In-reply-to: <87h80qij75.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 39172@debbugs.gnu.org, Matt Wette

Ludovic Courtès writes:

> Hi Matt,
>
> Matt Wette writes:
>
>> I'm trying to get guix-1.0.1 running on Fedora-30 with its default
>> SElinux set up.
>> I found (hint from
>> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
>> that the guix-daemon.cil file seems to be missing a few items. Without
>> this patch
>> # restorecon -R /gnu/store
>> fails.
>
> OK, thanks for finding it out!
>
>> --- guix-daemon.cil.orig 2020-01-18 07:08:12.905986299 -0800
>> +++ guix-daemon.cil 2020-01-18 07:09:49.765737261 -0800
>> @@ -34,14 +34,19 @@
>>    (roletype object_r guix_daemon_t)
>>    (type guix_daemon_conf_t)
>>    (roletype object_r guix_daemon_conf_t)
>> +  (typeattributeset file_type guix_daemon_conf_t)
>>    (type guix_daemon_exec_t)
>>    (roletype object_r guix_daemon_exec_t)
>> +  (typeattributeset file_type guix_daemon_exec_t)
>>    (type guix_daemon_socket_t)
>>    (roletype object_r guix_daemon_socket_t)
>> +  (typeattributeset file_type guix_daemon_socket_t)
>>    (type guix_store_content_t)
>>    (roletype object_r guix_store_content_t)
>> +  (typeattributeset file_type guix_store_content_t)
>>    (type guix_profiles_t)
>>    (roletype object_r guix_profiles_t)
>> +  (typeattributeset file_type guix_profiles_t)
>>
>>    ;; These types are domains, thereby allowing process rules
>>    (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
>
> Ricardo, WDYT? I know nothing about this config file so I'd rather have
> your approval before pushing.

Could we also do this in one expression?

    (typeattributeset file_type
      (or guix_profiles_t
          guix_daemon_conf_t
          guix_daemon_exec_t
          guix_daemon_socket_t
          guix_store_content_t))

I also think we need to declare our use of "file_type" first:

    (typeattribute file_type)

What do you think?

-- 
Ricardo
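Review bot: `file_type` is referenced by the five added `(typeattributeset file_type ...)` lines, but no `(typeattribute file_type)` declaration is visible in the hunk or its context, so it should be confirmed that the attribute resolves for this module (the pre-existing context line `(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))` has the same shape and likewise shows no declaration here). On style, the five single-type statements could be collapsed into one set expression in the same form as that `domain` line, e.g. `(typeattributeset file_type (guix_daemon_conf_t guix_daemon_exec_t guix_daemon_socket_t guix_store_content_t guix_profiles_t))`. One more thing to note in a comment: after this change `guix_daemon_exec_t` carries both the `domain` attribute (from the context line) and `file_type`; if that is intended it deserves a remark next to the existing ";; These types are domains" comment.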
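As an added example (not part of this thread and not Guix's own tooling), here is a small Python lint for the problem the thread discusses: it parses a CIL fragment into s-expressions, reports which declared types are never given the `file_type` attribute, and reports attributes that are used in `typeattributeset` without a `typeattribute` declaration in the same fragment. It understands the three set forms that appear above: a bare type name (Matt's patch), a plain list (the `domain` context line) and an `(or ...)` expression (Ricardo's suggestion). The policy text is a constructed fragment mirroring the quoted hunk, with a second copy that has Ricardo's two suggested statements applied; it does not model CIL block namespaces, so it cannot tell whether a `typeattribute` inside a `(block ...)` refers to the base policy's `file_type` or creates a new, block-local attribute.

```python
"""Lint an SELinux CIL fragment for types that lack the file_type attribute.

Added example for bug#39172; not Guix's own code.  Handles bare names,
plain lists and (or ...) set expressions; other set operators are rejected.
"""
import re

# '(' , ')' , ';'-comments to end of line, or a bare symbol.
TOKEN = re.compile(r'\(|\)|;[^\n]*|[^\s()]+')


def parse_cil(text):
    """Parse CIL text into nested lists of strings; comments are dropped."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            node = stack.pop()
            if not stack:
                raise ValueError("unbalanced ')'")
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def walk(node):
    """Yield every list node, recursing into (block ...) and other containers."""
    if isinstance(node, list):
        yield node
        for child in node:
            yield from walk(child)


def set_members(expr):
    """Names in a CIL set expression: a bare name, (a b c) or (or a b c)."""
    if isinstance(expr, str):
        return {expr}
    if expr and expr[0] == 'or':
        return set().union(*(set_members(e) for e in expr[1:]))
    if expr and expr[0] in ('and', 'not', 'xor', 'all'):
        raise NotImplementedError(f"set operator {expr[0]!r} not handled")
    return set().union(*(set_members(e) for e in expr))


def attribute_map(text):
    """Return (type -> attributes given to it, declared attributes, used attributes)."""
    types, declared, used = {}, set(), set()
    for node in walk(parse_cil(text)):
        if not node or not isinstance(node[0], str):
            continue
        head = node[0]
        if head == 'type' and len(node) == 2:
            types.setdefault(node[1], set())
        elif head == 'typeattribute' and len(node) == 2:
            declared.add(node[1])
        elif head == 'typeattributeset' and len(node) == 3:
            used.add(node[1])
            for t in set_members(node[2]):
                types.setdefault(t, set()).add(node[1])
    return types, declared, used


def lint(text):
    """Types without file_type (the daemon's process type is expected here),
    and attributes used but not declared in this fragment."""
    types, declared, used = attribute_map(text)
    return {
        'missing_file_type': sorted(t for t, a in types.items() if 'file_type' not in a),
        'undeclared_attrs': sorted(used - declared),
    }


# Constructed fragment mirroring the "before" state in the quoted hunk.
BEFORE = """
(block guix_daemon
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)

  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)))
"""

# Same fragment with the two statements suggested in the reply applied.
AFTER = BEFORE.replace(
    "(block guix_daemon\n",
    "(block guix_daemon\n  (typeattribute file_type)\n"
    "  (typeattributeset file_type\n"
    "    (or guix_profiles_t guix_daemon_conf_t guix_daemon_exec_t\n"
    "        guix_daemon_socket_t guix_store_content_t))\n")

if __name__ == '__main__':
    for label, policy in (('before', BEFORE), ('after', AFTER)):
        print(label, lint(policy))
```

Running it prints one report per fragment: before the fix every type lacks `file_type` and both attributes are undeclared in the fragment; after the fix only `guix_daemon_t` (the process domain) lacks it and `domain` is still reported as undeclared, which is what a reviewer would want to see flagged given the context line in the hunk.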