2018-01-25 17:17 GMT+01:00 Ricardo Wurmus :
> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
>   for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
>   for executables spawned by the daemon (which are allowed to run in the
>   guix_daemon_t domain)
> * guix_daemon_socket_t
>   for the daemon socket file
> * guix_profiles_t
>   for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir). Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
>     sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>

Can I do this with the binary installation made with Sharlatan's script?
$localstatedir is /var, I suppose, but I don't know about $sysconfdir and $prefix.
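The install-and-relabel procedure from Ricardo's message, written up as a small helper script with a verification step at the end. This is an added example, not part of the patch or of the Guix project: the three directory arguments are whatever your guix-daemon was configured with (the values in the usage line are assumptions), and the socket path `$localstatedir/guix/daemon-socket/socket` used for the label check is assumed from the default daemon layout. The check after `restorecon` tells you whether the policy's filecon rules actually matched your paths, and the `ausearch` call lists any AVC denials the permissive-mode test run produced.

```shell
#!/bin/sh
# Added example (not from the guix-daemon.cil patch or the Guix project):
# install the SELinux policy in permissive mode, relabel, then verify.
# Usage: ./guix-selinux.sh PREFIX LOCALSTATEDIR SYSCONFDIR
#   e.g. ./guix-selinux.sh /usr/local /var /etc   (assumed values)

# Print the directories that must be relabelled after loading the policy:
# /gnu plus the configured localstatedir, sysconfdir and prefix, with
# duplicates removed (e.g. when two of them are the same directory).
relabel_targets() {
    prefix=$1; localstatedir=$2; sysconfdir=$3
    printf '%s\n' /gnu "$localstatedir" "$sysconfdir" "$prefix" | awk '!seen[$0]++'
}

# Return the SELinux type, i.e. the third field of a user:role:type:level
# security context as printed by `ls -Z` or `stat -c %C`.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare one path's current label type with the type the policy's filecon
# rules should have assigned to it. Returns 0 only when they match.
check_label() {
    path=$1; expected=$2
    actual=$(context_type "$(stat -c %C "$path" 2>/dev/null)")
    if [ "$actual" = "$expected" ]; then
        echo "ok   $path is $actual"
    else
        echo "FAIL $path is ${actual:-unlabelled}, expected $expected" >&2
        return 1
    fi
}

install_policy() {
    prefix=$1; localstatedir=$2; sysconfdir=$3
    # The policy is meant to be exercised in permissive mode first, so that
    # anything it does not yet allow is logged rather than blocked.
    if [ "$(getenforce)" != "Permissive" ]; then
        echo "set SELinux to permissive first (sudo setenforce 0)" >&2
        return 1
    fi
    sudo semodule -i etc/guix-daemon.cil
    relabel_targets "$prefix" "$localstatedir" "$sysconfdir" | xargs sudo restorecon -R
    # Assumed default socket location under localstatedir.
    check_label "$localstatedir/guix/daemon-socket/socket" guix_daemon_socket_t
    # Denials recorded while testing show what the policy still lacks.
    sudo ausearch -m avc -ts recent 2>/dev/null || true
}

# Only act when invoked with the three directories; sourcing the file for
# its helper functions does nothing.
if [ $# -eq 3 ]; then
    install_policy "$@"
fi
```

Run the usual `guix build` / `guix gc` / `guix package` commands after `install_policy` and re-run the `ausearch` line; an empty result in permissive mode is the signal that the policy is complete enough to try in enforcing mode.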