Re: [PATCH] Add SELinux policy for guix-daemon.

[Catonano]

2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <address@hidden>:

Hi Guix,

attached is a patch that adds an SELinux policy for the guix-daemon.
The policy defines the guix_daemon_t domain and specifies what labels
may be accessed and how by processes running in that domain.

These file labels are defined:

* guix_daemon_conf_t
  for Guix configuration files (in localstatedir and sysconfdir)
* guix_daemon_exec_t
  for executables spawned by the daemon (which are allowed to run in the
  guix_daemon_t domain)
* guix_daemon_socket_t
  for the daemon socket file
* guix_profiles_t
  for the contents of the profiles directory

The “filecon” statements near the bottom of the file specify which
labels are to be used for what file names.

I tested this with “guix build --no-grafts --check hello”, “guix build
samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
no operations were blocked by SELinux.

If you want to test this on Fedora, set SELinux to permissive, and make
sure to configure Guix properly (i.e. set localstatedir, prefix, and
sysconfdir).  Then install the policy with “sudo semodule -i
etc/guix-daemon.cil”.  Then relabel the filesystem (at least /gnu,
$localstatedir, $sysconfdir, and $prefix) with something like this:

    sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix

can I do this with the binary installation made with Sharlatan's script ?

$localstatedir is /var, I suppose

But I don' t know about $sysconfdir and $prefix