|
From: | Gábor Boskovits |
Subject: | Re: [PATCH] Add SELinux policy for guix-daemon. |
Date: | Fri, 16 Feb 2018 07:50:35 +0100 |
Alex Vong <address@hidden> writes:
>> No, the script won’t install the SELinux policy. It wouldn’t work on
>> all systems, only on those where a suitable SELinux base policy is
>> available.
>>
> So it won't work on Debian? I think Debian and Fedora uses different
> base policy, right?
I don’t know much about SELinux on Debian, I’m afraid.
> If this is the case, should we also include an
> apparmor profile?
That’s unrelated, but sure, why not.
I would suggest writing a minimal base policy. SELinux is not an
all-or-nothing affair. That base policy only needs to provide the few
types that we care about for the guix-daemon. It wouldn’t be too hard.
The resulting policy could then be used on GuixSD or any other system
that doesn’t have a full SELinux configuration.
> Which paths does guix-daemon need to have r/w access
> to? From your SELinux profile, we know the following is needed:
>
> address@hidden@/guix(/.*)?
> address@hidden@/guix(/.*)? These are not things that the daemon needs to have access to. These are
> address@hidden@/guix/profiles(/.*)?
> /gnu
> address@hidden@(/.+)?
> address@hidden@/[^/]+/.+
> address@hidden@/bin/guix-daemon
> address@hidden@/.+-(guix-.+|profile)/bin/guix-daemon
> address@hidden@/.+-(guix-.+|profile)/libexec/guix- authenticate
> address@hidden@/.+-(guix-.+|profile)/libexec/guix/(.*)?
> address@hidden@/guix/daemon-socket/socket
paths that are to be labeled. The daemon is executed in a certain
context, and processes in that context may have certain permissions on
some of the files that have been labeled.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
[Prev in Thread] | Current Thread | [Next in Thread] |