Laura Lazzati <laura.lazzati...@gmail.com> writes:
>> What is the file name of “guix” when running in permissive mode? We
>> need to know this to adjust the policy.
>>
> After running `which guix` I get:
> /usr/local/bin/guix
> I tried to add another label for it but it didn't work. I was going to ask
> you for a good tutorial for writing the policies but I have just found
> https://github.com/SELinuxProject/cil/wiki, I will read it the next days :)
>
> I am attaching the diff file. Thanks!

(Please use “diff -u” in the future; it’s clearer when you’re used to
git diffs.)

I see this:

< (filecon "@storedir@/.../bin/guix"
< file (system_u object_r guix_client_exec_t (low low)))

And that’s not right because "@storedir@/.../bin/guix" is not a correct
file name pattern. That’s why I wrote that these names need to be
checked and can’t be used as is.

Is /usr/local/bin/guix a link? What about what “guix pull” installs?
These will be used by people, so our policy needs to cover them.

--
Ricardo