From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: SELinux log
Date: Thu, 13 Jun 2019 20:52:30 +0200
Message-ID: <87r27xqpw1.fsf@elephly.net>
References: <CAPNLzUMak3sEm53s=DScGaKSG2ffx6dbPs6aMkpetNzW+5g11A@mail.gmail.com>
 <CAPNLzUMu=LYRxc_c5fJAmFv+Ef7nk8iBXUF1ZAGqsjypGk+vgQ@mail.gmail.com>
 <87a7es8spi.fsf@elephly.net>
 <CAPNLzUNbWzw2NkA+n-jxtY5XZcpb_OaxhWprcbwTdbcZg8kMTQ@mail.gmail.com>
 <87r284cer2.fsf@elephly.net>
 <CAPNLzUNiKiz7rT=vN+PtRVmUj97WftH3rPgmumtZdDFyK9kwpw@mail.gmail.com>
 <87muisc8x8.fsf@elephly.net>
 <CAPNLzUPpzp2PL+k3zw_4FaBpO_4VT8T1PYnUHJaV1B_xzRvmOw@mail.gmail.com>
 <CAPNLzUMdJa1nbOeqQLpz9WG==2F=WfbXN052fPOVnd9=-S--Ow@mail.gmail.com>
 <87ef41dfkc.fsf@elephly.net>
 <CAPNLzUN6WD+Y8uKkNGbLDffeZmiaemB9DRDwqRfXaD5zS5VKUA@mail.gmail.com>
 <87tvcw9upi.fsf@elephly.net>
 <CAPNLzUOJ3ajGa+vKs6MTOaODgktjt3NpLyNRTmhMvR5_9Z3-Yw@mail.gmail.com>
 <87h88v9udy.fsf@elephly.net>
 <CAPNLzUNShaCi0qmTOFLa9t9H7L4v-kviVN4ySkQnt_iSAtkRaQ@mail.gmail.com>
 <87y3277wri.fsf@elephly.net>
 <CAPNLzUORBNi-0FNa1UZnaV2WX+ak4r4OB6N==qTvHKSJVP9EwA@mail.gmail.com>
 <87v9xa8sx6.fsf@elephly.net>
 <CAPNLzUOBGVp3qxdMOTf6+v-AiGBCcmej_MgeSpuVW8Rj2z3cvA@mail.gmail.com>
 <87a7em9dyh.fsf@elephly.net>
 <CAPNLzUOg4knG-mfAWWzB-yXyqa2aPFquCxMJRJek8-0EMfY_UA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:37789)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <rekado@elephly.net>) id 1hbUpz-0005xY-QD
 for guix-devel@gnu.org; Thu, 13 Jun 2019 14:52:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <rekado@elephly.net>) id 1hbUpx-0008DN-E1
 for guix-devel@gnu.org; Thu, 13 Jun 2019 14:52:39 -0400
Received: from sender-of-o51.zoho.com ([135.84.80.216]:21244)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <rekado@elephly.net>) id 1hbUpw-0008Cb-Ve
 for guix-devel@gnu.org; Thu, 13 Jun 2019 14:52:37 -0400
In-reply-to: <CAPNLzUOg4knG-mfAWWzB-yXyqa2aPFquCxMJRJek8-0EMfY_UA@mail.gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Laura Lazzati <laura.lazzati.15@gmail.com>
Cc: Guix-devel <guix-devel@gnu.org>


Laura Lazzati <laura.lazzati.15@gmail.com> writes:

>> What is the file name of =E2=80=9Cguix=E2=80=9D when running in permissi=
ve mode?  We
>> need to know this to adjust the policy.
>>
> After running `which guix` I get:
> /usr/local/bin/guix
> I tried to add another label for it but it didn't work. I was going to ask
> you for a good tutorial for writing the policies but I have just found
> https://github.com/SELinuxProject/cil/wiki, I will read it the next days =
:)
>
> I am attaching the diff file.

Thanks!  (Please use =E2=80=9Cdiff -u=E2=80=9D in the future; it=E2=80=99s =
clearer when you=E2=80=99re
used to git diffs.)

I see this:

<   (filecon "@storedir@/.../bin/guix"
<            file (system_u object_r guix_client_exec_t (low low)))

And that=E2=80=99s not right because "@storedir@/.../bin/guix" is not a cor=
rect
file name pattern.  That=E2=80=99s why I wrote that these names need to be
checked and can=E2=80=99t be used as is.

Is /usr/local/bin/guix a link?  What about what =E2=80=9Cguix pull=E2=80=9D=
 installs?
These will be used by people, so our policy needs to cover them.

--=20
Ricardo