Hello,

Ricardo Wurmus <ricardo.wur...@mdc-berlin.de> writes:

> Catonano <caton...@gmail.com> writes:
>
>>> If you want to test this on Fedora, set SELinux to permissive, and make
>>> sure to configure Guix properly (i.e. set localstatedir, prefix, and
>>> sysconfdir). Then install the policy with “sudo semodule -i
>>> etc/guix-daemon.cil”. Then relabel the filesystem (at least /gnu,
>>> $localstatedir, $sysconfdir, and $prefix) with something like this:
>>>
>>> sudo restorecon -R /gnu $localstatedir $sysconfdir $prefix
>>>
>>
>> can I do this with the binary installation made with Sharlatan's script?
>
> No, the script won’t install the SELinux policy. It wouldn’t work on
> all systems, only on those where a suitable SELinux base policy is
> available.
>

So it won't work on Debian? I think Debian and Fedora use different
base policies, right? If this is the case, should we also include an
AppArmor profile?

Which paths does guix-daemon need to have r/w access to? From your
SELinux profile, we know the following is needed:

@guix_sysconfdir@/guix(/.*)?
@guix_localstatedir@/guix(/.*)?
@guix_localstatedir@/guix/profiles(/.*)?
/gnu
@storedir@(/.+)?
@storedir@/[^/]+/.+
@prefix@/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/bin/guix-daemon
@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate
@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?
@guix_localstatedir@/guix/daemon-socket/socket

Also, access to $HOME will also be needed. What else?

>> $localstatedir is /var, I suppose
>>
>> But I don't know about $sysconfdir and $prefix
>
> /etc and /. But you’d be better off just relabeling everything. On
> Fedora you can touch a certain file and have everything relabeled on
> reboot. Takes a long time, though.
>
> --
> Ricardo
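
An added example, not part of the original message or of Guix: a small checker that expands the file-context patterns listed above and reports which of them cover a given path, so paths the policy does not label (such as those under $HOME) stand out. The substitution values are assumptions: /var, /etc and / are the values mentioned in the thread, /gnu/store is assumed for the store directory, and the sample paths are constructed.

```python
import re

# File-context patterns exactly as listed in the message above.
PATTERNS = [
    "@guix_sysconfdir@/guix(/.*)?",
    "@guix_localstatedir@/guix(/.*)?",
    "@guix_localstatedir@/guix/profiles(/.*)?",
    "/gnu",
    "@storedir@(/.+)?",
    "@storedir@/[^/]+/.+",
    "@prefix@/bin/guix-daemon",
    "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon",
    "@storedir@/.+-(guix-.+|profile)/libexec/guix-authenticate",
    "@storedir@/.+-(guix-.+|profile)/libexec/guix/(.*)?",
    "@guix_localstatedir@/guix/daemon-socket/socket",
]

# Assumed configure-time values (see lead-in); adjust to the real build.
SUBST = {
    "@guix_sysconfdir@": "/etc",
    "@guix_localstatedir@": "/var",
    "@storedir@": "/gnu/store",
    "@prefix@": "/",
}


def expand(pattern, subst=SUBST):
    """Substitute the @...@ placeholders and collapse doubled slashes."""
    for key, value in subst.items():
        pattern = pattern.replace(key, value)
    # With prefix "/", "@prefix@/bin" would otherwise become "//bin".
    return re.sub(r"/{2,}", "/", pattern)


def matching_patterns(path, patterns=PATTERNS):
    """Return the listed patterns whose expansion matches the whole path.

    File-context patterns are anchored at both ends, hence fullmatch.
    """
    return [p for p in patterns if re.fullmatch(expand(p), path)]


def uncovered(paths):
    """Return the paths that no listed pattern labels."""
    return [p for p in paths if not matching_patterns(p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    for sample in ["/gnu/store/abc-guix-1.0/bin/guix-daemon",
                   "/var/guix/daemon-socket/socket",
                   "/home/alice/.config/guix/current"]:
        print(sample, "->", matching_patterns(sample) or "NOT COVERED")
```

This only lists every pattern that matches; it does not reproduce how SELinux picks one context when several patterns match the same path.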