From: Alex Vong
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Fri, 16 Feb 2018 15:49:03 +0800
Message-ID: <87inaxl6hc.fsf@gmail.com>
In-Reply-To: <87inay6zgt.fsf@elephly.net> (Ricardo Wurmus's message of "Thu, 15 Feb 2018 16:32:02 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ricardo Wurmus
Cc: guix-devel, Ricardo Wurmus

Ricardo Wurmus writes:

> Alex Vong writes:
>
>>> No, the script won’t install the SELinux policy. It wouldn’t work on
>>> all systems, only on those where a suitable SELinux base policy is
>>> available.
>>>
>> So it won't work on Debian? I think Debian and Fedora use different
>> base policies, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
>> If this is the case, should we also include an
>> apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
>
>> Which paths does guix-daemon need to have r/w access
>> to? From your SELinux profile, we know the following is needed:
>>
>> @guix_sysconfdir@/guix(/.*)?
>> @guix_localstatedir@/guix(/.*)?
>> @guix_localstatedir@/guix/profiles(/.*)?
>> /gnu
>> @storedir@(/.+)?
>> @storedir@/[^/]+/.+
>> @prefix@/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
>> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
>> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
>> @guix_localstatedir@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>

I will have to read the colour book when I have time to understand what
you mean!

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
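As an added illustration of the distinction Ricardo draws above (example policy fragments, not code from the patch or from the Guix project): a file-context fragment only attaches types to a few of the quoted paths, and a separate policy-module fragment is what actually grants the daemon's domain permissions on those types. The type names `guix_daemon_t`, `guix_daemon_exec_t`, `guix_store_content_t`, `guix_daemon_socket_t` and the `init_t` domain and `system_r` role are assumed for the example.

```selinux
# --- guix-daemon.fc (example): path regex -> security context ---------------
# Labeling attaches a type to a path; by itself it grants nothing to anyone.
# @storedir@ etc. are the configure-time placeholders from the quoted list.
# The general store entry comes first; more specific entries follow it.
@storedir@(/.+)?                                            system_u:object_r:guix_store_content_t:s0
@prefix@/bin/guix-daemon                                 -- system_u:object_r:guix_daemon_exec_t:s0
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon          -- system_u:object_r:guix_daemon_exec_t:s0
@guix_localstatedir@/guix/daemon-socket/socket           -s system_u:object_r:guix_daemon_socket_t:s0

# --- guix-daemon.te (example): permissions are granted to the domain ---------
module guix_daemon_example 1.0;

require {
    type init_t;                      # assumed: the domain that starts the daemon
    role system_r;
    class process { transition };
    class file { entrypoint execute getattr open read write create unlink };
    class dir { search getattr read write add_name remove_name };
    class sock_file { create getattr write unlink };
}

type guix_daemon_t;          # the daemon's process domain (assumed name)
type guix_daemon_exec_t;     # label of the daemon executable
type guix_store_content_t;   # label of files under the store
type guix_daemon_socket_t;   # label of the daemon socket
role system_r types guix_daemon_t;

# Domain entry: when init_t executes a file labeled guix_daemon_exec_t, the
# new process runs in guix_daemon_t. Nothing else is allowed into the domain.
allow init_t guix_daemon_exec_t:file { getattr open read execute };
allow init_t guix_daemon_t:process transition;
allow guix_daemon_t guix_daemon_exec_t:file entrypoint;
type_transition init_t guix_daemon_exec_t:process guix_daemon_t;

# What the domain may do with the labeled paths. A process outside
# guix_daemon_t gets none of this merely because the files carry a label.
# (Creating the socket also needs add_name on its parent directory's type,
# omitted here to keep the example short.)
allow guix_daemon_t guix_store_content_t:dir { search getattr read write add_name remove_name };
allow guix_daemon_t guix_store_content_t:file { create getattr open read write unlink };
allow guix_daemon_t guix_daemon_socket_t:sock_file { create getattr write unlink };
```

Removing a path from the .fc fragment changes which files get the type; removing an allow rule from the .te fragment changes what the domain may do, which is the difference the quoted reply points at.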