2018-01-25 17:17 GMT+01:00 Ricardo Wurmus <ricardo.wur...@mdc-berlin.de>:

> Hi Guix,
>
> attached is a patch that adds an SELinux policy for the guix-daemon.
> The policy defines the guix_daemon_t domain and specifies what labels
> may be accessed and how by processes running in that domain.
>
> These file labels are defined:
>
> * guix_daemon_conf_t
>   for Guix configuration files (in localstatedir and sysconfdir)
> * guix_daemon_exec_t
>   for executables spawned by the daemon (which are allowed to run in the
>   guix_daemon_t domain)
> * guix_daemon_socket_t
>   for the daemon socket file
> * guix_profiles_t
>   for the contents of the profiles directory
>
> The “filecon” statements near the bottom of the file specify which
> labels are to be used for what file names.
>
> I tested this with “guix build --no-grafts --check hello”, “guix build
> samtools”, “guix gc -C 1k”, and “guix package -p ~/foo -i hello”;
> no operations were blocked by SELinux.
>
> If you want to test this on Fedora, set SELinux to permissive, and make
> sure to configure Guix properly (i.e. set localstatedir, prefix, and
> sysconfdir).  Then install the policy with “sudo semodule -i
> etc/guix-daemon.cil”.  Then relabel the filesystem (at least /gnu,
> $localstatedir, $sysconfdir, and $prefix) with something like this:
>
>     sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>

Can I do this with the binary installation made with Sharlatan's script?

$localstatedir is /var, I suppose

But I don't know about $sysconfdir and $prefix
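As an added example (not part of either message and not code from the Guix tree), here is a shell script that carries out the quoted install, relabel and test-build steps and adds the check the mail's result rests on: in permissive mode a denial is only logged, never enforced, so it is the AVC records whose source context is guix_daemon_t that show whether the policy is complete. The function names, the environment variable and the audit lines are my own constructions; the three directories are whatever was passed to configure, and no defaults are assumed for them.

```shell
#!/bin/sh
# Added example, not from the patch or the Guix project.  Walks the steps
# in the quoted mail (semodule -i, restorecon -R over /gnu, $localstatedir,
# $sysconfdir and $prefix, then a test build) and then inspects the audit
# log: under permissive mode nothing is blocked, so the real test is that
# no AVC denial was recorded for the guix_daemon_t domain.

# Paths to relabel, deduplicated (prefix and sysconfdir may coincide).
relabel_paths() {
    # $1 localstatedir, $2 sysconfdir, $3 prefix
    printf '%s\n' /gnu "$1" "$2" "$3" | awk '!seen[$0]++'
}

# Count AVC denials whose *source* context is guix_daemon_t.  Reads audit
# records on stdin, e.g. the output of `ausearch -m AVC -ts recent`.
count_guix_denials() {
    grep -c 'avc: *denied.*scontext=[^ ]*:guix_daemon_t:' || true
}

install_and_check() {
    if [ "$#" -ne 3 ]; then
        echo "usage: $0 LOCALSTATEDIR SYSCONFDIR PREFIX" >&2
        return 2
    fi
    sudo semodule -i etc/guix-daemon.cil
    relabel_paths "$@" | xargs sudo restorecon -R
    guix build --no-grafts --check hello
    n=$(sudo ausearch -m AVC -ts recent 2>/dev/null | count_guix_denials)
    echo "AVC denials for guix_daemon_t: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample audit records (not real log output): two denials with
# guix_daemon_t as source, one from httpd_t, one with guix_daemon_t only as
# the *target* of an unconfined client connecting to the daemon socket.
AVC_SAMPLE='type=AVC msg=audit(1516895845.123:456): avc:  denied  { read } for  pid=1234 comm="guix-daemon" name="config" dev="sda1" ino=42 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516895845.124:457): avc:  denied  { write } for  pid=4321 comm="httpd" name="index" dev="sda1" ino=43 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516895845.125:458): avc:  denied  { connectto } for  pid=2222 comm="guix" path="/var/guix/daemon-socket/socket" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:guix_daemon_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1516895845.126:459): avc:  denied  { execute } for  pid=1235 comm="guix-daemon" name="build" dev="sda1" ino=44 scontext=system_u:system_r:guix_daemon_t:s0 tcontext=system_u:object_r:guix_daemon_exec_t:s0 tclass=file permissive=1'

# The privileged steps only run when GUIX_SELINUX_CHECK_RUN=1 is set, so the
# functions above can be sourced and exercised on the sample without root.
if [ "${GUIX_SELINUX_CHECK_RUN:-0}" = 1 ]; then
    install_and_check "$@"
fi
```

Run it as `GUIX_SELINUX_CHECK_RUN=1 sh check-guix-selinux.sh LOCALSTATEDIR SYSCONFDIR PREFIX` after switching SELinux to permissive; on the sample above `count_guix_denials` reports 2, since the socket record names guix_daemon_t only as the target.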
