Re: how to understand this SELinux stuff?

From: pelzflorian (Florian Pelz)
Subject: Re: how to understand this SELinux stuff?
Date: Sat, 4 May 2019 19:04:59 +0200
On Sat, May 04, 2019 at 04:42:52PM +0000, address@hidden wrote:
> Hello! I am translating SELinux info messages. There are some hard 
> formulations, but this is the best:
> #. type: enumerate
> #: doc/guix.texi:1291
> msgid "We could generate a much more restrictive policy at installation time, 
> so that only the @emph{exact} file name of the currently installed 
> @code{guix-daemon} executable would be labelled with 
> @code{guix_daemon_exec_t}, instead of using a broad regular expression. The 
> downside is that root would have to install or upgrade the policy at 
> installation time whenever the Guix package that provides the effectively 
> running @code{guix-daemon} executable is upgraded."
> I cannot understand the latter sentence. What is the 'guix package that 
> provides the effectively running guix-damon'? Can I say just: if 
> guix-daemon's executable was upgraded?

The running guix-daemon is not necessarily the currently pulled
version.  When using a foreign distro with the systemd service file as
per the manual, the running daemon apparently is root’s pulled Guix
version /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon
but e.g. on Guix System the daemon is the version defined in

address@hidden ~$ ps -Af | grep guix-daemon
root       209     1  0 11:19 ?        00:00:00 
 --build-users-group guixbuild --max-silent-time 0 --timeout 0 
--log-compression bzip2 --substitute-urls
root     14425   209  0 18:45 ?        00:00:02 
 14421               guixbuild --max-silent-time 0 --timeout 0 
--log-compression bzip2 --substitute-urls
florian  14617 14440  0 19:03 pts/1    00:00:00 grep --color=auto guix-daemon
address@hidden ~$ guix build guix

(Please correct me if I am wrong though.)


