Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-16 Thread Ricardo Wurmus
Alex Vong writes: >> These are not things that the daemon needs to have access to. These are >> paths that are to be labeled. The daemon is executed in a certain >> context, and processes in that context may have certain permissions on >> some of the files that have

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-16 Thread Ricardo Wurmus
Gábor Boskovits writes: >> > The resulting policy could then be used on GuixSD or any other system >> > that doesn’t have a full SELinux configuration. >> > > I looked around a little, and it seems, that at least Fedora and Debian > has their base policies originated from

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-15 Thread Alex Vong
Ricardo Wurmus writes: > Alex Vong writes: > >>> No, the script won’t install the SELinux policy. It wouldn’t work on >>> all systems, only on those where a suitable SELinux base policy is >>> available. >>> >> So it won't work on Debian? I think

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-15 Thread Alex Vong
Gábor Boskovits writes: > 2018-02-15 16:32 GMT+01:00 Ricardo Wurmus: > > Alex Vong writes: > > >> No, the script won’t install the SELinux policy. It wouldn’t work on > >> all systems, only on those where a suitable SELinux

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-15 Thread Gábor Boskovits
2018-02-15 16:32 GMT+01:00 Ricardo Wurmus: > > Alex Vong writes: > > >> No, the script won’t install the SELinux policy. It wouldn’t work on > >> all systems, only on those where a suitable SELinux base policy is > >> available. > >> > > So it won't

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-15 Thread Ricardo Wurmus
Alex Vong writes: >> No, the script won’t install the SELinux policy. It wouldn’t work on >> all systems, only on those where a suitable SELinux base policy is >> available. >> > So it won't work on Debian? I think Debian and Fedora uses different > base policy, right?

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-15 Thread Alex Vong
Hello, Ricardo Wurmus writes: > Catonano writes: > >>> If you want to test this on Fedora, set SELinux to permissive, and make >>> sure to configure Guix properly (i.e. set localstatedir, prefix, and >>> sysconfdir). Then install the policy

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-13 Thread Leo Famulari
On Tue, Feb 13, 2018 at 09:46:53PM +0200, Efraim Flashner wrote: > Should etc/guix-daemon.cil be added to .gitignore? Yes, rekado confirmed this to me yesterday on #guix. Can you do it? :)

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-13 Thread Efraim Flashner
Should etc/guix-daemon.cil be added to .gitignore? -- Efraim Flashner אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-13 Thread Ricardo Wurmus
Catonano writes: > While processing > > guix build --no-grafts --check hello > > I got some violations, an example follows > > SELinux impedisce a .guix-real un accesso write su sock_file > /var/guix/daemon-socket/socket. Ah, the wrapper! I suppose we need to either merge

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-13 Thread Catonano
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus: > Hi Guix, > > attached is a patch that adds an SELinux policy for the guix-daemon. > The policy defines the guix_daemon_t domain and specifies what labels > may be accessed and how by processes running in that domain. > >

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-11 Thread Ricardo Wurmus
Catonano writes: >> If you want to test this on Fedora, set SELinux to permissive, and make >> sure to configure Guix properly (i.e. set localstatedir, prefix, and >> sysconfdir). Then install the policy with “sudo semodule -i >> etc/guix-daemon.cil”. Then relabel the

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-02-11 Thread Catonano
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus: > Hi Guix, > > attached is a patch that adds an SELinux policy for the guix-daemon. > The policy defines the guix_daemon_t domain and specifies what labels > may be accessed and how by processes running in that domain. > >

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-01-26 Thread Catonano
2018-01-25 17:17 GMT+01:00 Ricardo Wurmus: > Hi Guix, > > attached is a patch that adds an SELinux policy for the guix-daemon. > The policy defines the guix_daemon_t domain and specifies what labels > may be accessed and how by processes running in that domain. > >

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-01-26 Thread Ricardo Wurmus
Hi, Catonano writes: > I'm not sure I understand: is this meant to allow Guix to run in foreign > distros like Fedora? > > Or is this meant to have SELinux running inside the GuixSD environment? On GuixSD we don’t have a base policy yet, so it would not work on GuixSD.

Re: [PATCH] Add SELinux policy for guix-daemon.

2018-01-25 Thread Ludovic Courtès
Hello! Ricardo Wurmus writes: > attached is a patch that adds an SELinux policy for the guix-daemon. > The policy defines the guix_daemon_t domain and specifies what labels > may be accessed and how by processes running in that domain. Impressive! I know nothing

[PATCH] Add SELinux policy for guix-daemon.

2018-01-25 Thread Ricardo Wurmus
Hi Guix, attached is a patch that adds an SELinux policy for the guix-daemon. The policy defines the guix_daemon_t domain and specifies what labels may be accessed and how by processes running in that domain. These file labels are defined: * guix_daemon_conf_t for Guix configuration files (in