|
| From: | Gábor Boskovits |
| Subject: | Re: [PATCH] Add SELinux policy for guix-daemon. |
| Date: | Fri, 16 Feb 2018 13:54:21 +0100 |
Ricardo Wurmus <address@hidden> writes:
> Alex Vong <address@hidden> writes:
>
>>> No, the script won’t install the SELinux policy. It wouldn’t work on
>>> all systems, only on those where a suitable SELinux base policy is
>>> available.
>>>
>> So it won't work on Debian? I think Debian and Fedora uses different
>> base policy, right?
>
> I don’t know much about SELinux on Debian, I’m afraid.
>
>> If this is the case, should we also include an
>> apparmor profile?
>
> That’s unrelated, but sure, why not.
>
> I would suggest writing a minimal base policy. SELinux is not an
> all-or-nothing affair. That base policy only needs to provide the few
> types that we care about for the guix-daemon. It wouldn’t be too hard.
>
> The resulting policy could then be used on GuixSD or any other system
> that doesn’t have a full SELinux configuration.
I will have to read the colour book when I have time to understand what>
>> Which paths does guix-daemon need to have r/w access
>> to? From your SELinux profile, we know the following is needed:
>>
>> address@hidden@/guix(/.*)?
>> address@hidden@/guix(/.*)?
>> address@hidden@/guix/profiles(/.*)?
>> /gnu
>> address@hidden@(/.+)?
>> address@hidden@/[^/]+/.+
>> address@hidden@/bin/guix-daemon
>> address@hidden@/.+-(guix-.+|profile)/bin/guix-daemon
>> address@hidden@/.+-(guix-.+|profile)/libexec/guix- authenticate
>> address@hidden@/.+-(guix-.+|profile)/libexec/guix/(.*)?
>> address@hidden@/guix/daemon-socket/socket
>
> These are not things that the daemon needs to have access to. These are
> paths that are to be labeled. The daemon is executed in a certain
> context, and processes in that context may have certain permissions on
> some of the files that have been labeled.
>
do you mean!
| [Prev in Thread] | Current Thread | [Next in Thread] |