Re: [PATCH] Add SELinux policy for guix-daemon.
From: Ricardo Wurmus
Subject: Re: [PATCH] Add SELinux policy for guix-daemon.
Date: Thu, 15 Feb 2018 16:32:02 +0100
User-agent: mu4e 0.9.18; emacs 25.3.1
Alex Vong <address@hidden> writes:
>> No, the script won’t install the SELinux policy. It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora use different
> base policies, right?
I don’t know much about SELinux on Debian, I’m afraid.
> If this is the case, should we also include an
> apparmor profile?
That’s unrelated, but sure, why not.
I would suggest writing a minimal base policy. SELinux is not an
all-or-nothing affair. That base policy only needs to provide the few
types that we care about for the guix-daemon. It wouldn’t be too hard.
The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.
> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
> @guix_sysconfdir@/guix(/.*)?
> @guix_localstatedir@/guix(/.*)?
> @guix_localstatedir@/guix/profiles(/.*)?
> /gnu
> @storedir@(/.+)?
> @storedir@/[^/]+/.+
> @prefix@/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/bin/guix-daemon
> @storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
> @storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> @guix_localstatedir@/guix/daemon-socket/socket
These are not things that the daemon needs to have access to. These are
paths that are to be labeled. The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
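The distinction drawn above (paths get labels; the daemon's domain gets permissions on those labels) is easiest to see with both halves side by side. The following is an added illustration in the classic .te/.fc module form; it is not the policy from the patch under discussion, which is not shown here. The type names, the use of init_t as the domain that starts the daemon, fs_t as the filesystem type, and MLS-style `s0` contexts are assumptions; the .fc paths reuse the placeholder paths quoted in the mail.

```selinux
# guix_daemon.te -- added illustration, not the patch's policy.
# Assumed: daemon is started from init_t; files live on an fs_t filesystem.
module guix_daemon 1.0;

require {
    type init_t;
    type fs_t;
    class filesystem { associate };
    class process { transition sigchld };
    class file { getattr open read write append create unlink rename setattr
                 execute execute_no_trans entrypoint };
    class dir { getattr open read search write add_name remove_name create rmdir };
    class lnk_file { getattr read create unlink };
    class sock_file { getattr setattr create unlink write };
    class unix_stream_socket { create bind listen accept read write getattr setattr };
}

# The domain the daemon runs in.
type guix_daemon_t;

# The types carried by the labelled paths. Declaring a type grants nothing:
# a file labelled guix_store_t is only something the allow rules below can name.
type guix_daemon_exec_t;
type guix_conf_t;
type guix_var_t;
type guix_store_t;
type guix_daemon_socket_t;

# A file may only carry a type that is allowed to associate with its
# filesystem; without this, relabelling is refused in enforcing mode.
allow { guix_daemon_exec_t guix_conf_t guix_var_t guix_store_t guix_daemon_socket_t }
      fs_t:filesystem associate;

# Domain transition: init executes a guix_daemon_exec_t file and the new
# process ends up in guix_daemon_t.
allow init_t guix_daemon_exec_t:file { getattr open read execute };
allow guix_daemon_t guix_daemon_exec_t:file { getattr open read execute entrypoint };
type_transition init_t guix_daemon_exec_t:process guix_daemon_t;
allow init_t guix_daemon_t:process transition;
allow guix_daemon_t init_t:process sigchld;

# This is where access is granted: per labelled type, per class, per permission.
# Configuration is read-only; the state directory and the store are read/write
# for the daemon, which is the store's only writer.
allow guix_daemon_t guix_conf_t:dir { getattr open read search };
allow guix_daemon_t guix_conf_t:file { getattr open read };
allow guix_daemon_t guix_var_t:dir { getattr open read search write add_name remove_name create rmdir };
allow guix_daemon_t guix_var_t:file { getattr open read write append create unlink rename setattr };
allow guix_daemon_t guix_var_t:lnk_file { getattr read create unlink };
allow guix_daemon_t guix_store_t:dir { getattr open read search write add_name remove_name create rmdir };
allow guix_daemon_t guix_store_t:file { getattr open read write create unlink rename setattr
                                        execute execute_no_trans };
allow guix_daemon_t guix_store_t:lnk_file { getattr read create unlink };
allow guix_daemon_t guix_daemon_socket_t:sock_file { getattr setattr create unlink write };
allow guix_daemon_t self:unix_stream_socket { create bind listen accept read write getattr setattr };

# guix_daemon.fc -- labels only. Nothing in this file grants access by itself;
# it says which type each path carries so the rules above can refer to it.
# Later entries win over earlier ones, so the daemon binary inside the store
# is listed after the catch-all store entry.
@guix_sysconfdir@/guix(/.*)?                            system_u:object_r:guix_conf_t:s0
@guix_localstatedir@/guix(/.*)?                         system_u:object_r:guix_var_t:s0
@guix_localstatedir@/guix/daemon-socket/socket     -s   system_u:object_r:guix_daemon_socket_t:s0
/gnu                                               -d   system_u:object_r:guix_store_t:s0
@storedir@(/.+)?                                        system_u:object_r:guix_store_t:s0
@prefix@/bin/guix-daemon                           --   system_u:object_r:guix_daemon_exec_t:s0
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon    --   system_u:object_r:guix_daemon_exec_t:s0
```

After configure has substituted the @...@ placeholders, the module is built and loaded with `checkmodule -M -m -o guix_daemon.mod guix_daemon.te`, `semodule_package -o guix_daemon.pp -m guix_daemon.mod -f guix_daemon.fc` and `semodule -i guix_daemon.pp`; the labels only take effect on disk once `restorecon -R` has been run over the paths in the .fc file. Loading the module on a system whose base policy lacks `init_t` or `fs_t` fails at the `require` block, which is the "suitable base policy" problem the mail refers to.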