GNU bug report logs - #39172: SElinux guix-daemon.cil file
Report forwarded to bug-guix <at> gnu.org: bug#39172; Package guix. (Sat, 18 Jan 2020 15:41:02 GMT)
Acknowledgement sent to Matt Wette <matt.wette <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 18 Jan 2020 15:41:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi All,
I apologize for the formatting. I use tbird and I can't find a way to
do plain-text mode.
I'm trying to get guix-1.0.1 running on Fedora-30 with its default
SElinux set up.
I found (hint from
https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
that the guix-daemon.cil file seems to be missing a few items. Without
this patch
# restorecon -R /gnu/store
fails.
--- guix-daemon.cil.orig 2020-01-18 07:08:12.905986299 -0800
+++ guix-daemon.cil 2020-01-18 07:09:49.765737261 -0800
@@ -34,14 +34,19 @@
(roletype object_r guix_daemon_t)
(type guix_daemon_conf_t)
(roletype object_r guix_daemon_conf_t)
+ (typeattributeset file_type guix_daemon_conf_t)
(type guix_daemon_exec_t)
(roletype object_r guix_daemon_exec_t)
+ (typeattributeset file_type guix_daemon_exec_t)
(type guix_daemon_socket_t)
(roletype object_r guix_daemon_socket_t)
+ (typeattributeset file_type guix_daemon_socket_t)
(type guix_store_content_t)
(roletype object_r guix_store_content_t)
+ (typeattributeset file_type guix_store_content_t)
(type guix_profiles_t)
(roletype object_r guix_profiles_t)
+ (typeattributeset file_type guix_profiles_t)
;; These types are domains, thereby allowing process rules
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
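Review bot: the five added (typeattributeset file_type ...) lines carry no comment saying why these types need file_type, while the domain statement at the end of the hunk has one. Add a short comment noting that restorecon -R /gnu/store fails without them, as the report states. The five statements could also be written as one, using the list form the last context line already uses for domain. No declaration of file_type is visible in this hunk, so it is worth confirming that the name resolves to the attribute provided by the system policy.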
Information forwarded to bug-guix <at> gnu.org: bug#39172; Package guix. (Mon, 20 Jan 2020 09:15:01 GMT)
Message #8 received at 39172 <at> debbugs.gnu.org:
Hi Matt,
Matt Wette <matt.wette <at> gmail.com> skribis:
> I'm trying to get guix-1.0.1 running on Fedora-30 with its default
> SElinux set up.
> I found (hint from
> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
> that the guix-daemon.cil file seems to be missing a few items. Without
> this patch
> # restorecon -R /gnu/store
> fails.
OK, thanks for finding it out!
> --- guix-daemon.cil.orig 2020-01-18 07:08:12.905986299 -0800
> +++ guix-daemon.cil 2020-01-18 07:09:49.765737261 -0800
> @@ -34,14 +34,19 @@
> (roletype object_r guix_daemon_t)
> (type guix_daemon_conf_t)
> (roletype object_r guix_daemon_conf_t)
> + (typeattributeset file_type guix_daemon_conf_t)
> (type guix_daemon_exec_t)
> (roletype object_r guix_daemon_exec_t)
> + (typeattributeset file_type guix_daemon_exec_t)
> (type guix_daemon_socket_t)
> (roletype object_r guix_daemon_socket_t)
> + (typeattributeset file_type guix_daemon_socket_t)
> (type guix_store_content_t)
> (roletype object_r guix_store_content_t)
> + (typeattributeset file_type guix_store_content_t)
> (type guix_profiles_t)
> (roletype object_r guix_profiles_t)
> + (typeattributeset file_type guix_profiles_t)
>
> ;; These types are domains, thereby allowing process rules
> (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
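Review bot: guix_daemon_exec_t is added to file_type in this hunk while the last context line, (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)), also lists it as a domain. Judging by its name the type labels the daemon executable, so please confirm it is meant to carry both attributes, or drop it from one of the two statements.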
Ricardo, WDYT? I know nothing about this config file so I’d rather have
your approval before pushing.
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#39172; Package guix. (Mon, 20 Jan 2020 10:36:02 GMT)
Message #11 received at 39172 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi Matt,
>
> Matt Wette <matt.wette <at> gmail.com> skribis:
>
>> I'm trying to get guix-1.0.1 running on Fedora-30 with its default
>> SElinux set up.
>> I found (hint from
>> https://lists.gnu.org/archive/html/guix-devel/2019-05/msg00109.html)
>> that the guix-daemon.cil file seems to be missing a few items. Without
>> this patch
>> # restorecon -R /gnu/store
>> fails.
>
> OK, thanks for finding it out!
>
>> --- guix-daemon.cil.orig 2020-01-18 07:08:12.905986299 -0800
>> +++ guix-daemon.cil 2020-01-18 07:09:49.765737261 -0800
>> @@ -34,14 +34,19 @@
>> (roletype object_r guix_daemon_t)
>> (type guix_daemon_conf_t)
>> (roletype object_r guix_daemon_conf_t)
>> + (typeattributeset file_type guix_daemon_conf_t)
>> (type guix_daemon_exec_t)
>> (roletype object_r guix_daemon_exec_t)
>> + (typeattributeset file_type guix_daemon_exec_t)
>> (type guix_daemon_socket_t)
>> (roletype object_r guix_daemon_socket_t)
>> + (typeattributeset file_type guix_daemon_socket_t)
>> (type guix_store_content_t)
>> (roletype object_r guix_store_content_t)
>> + (typeattributeset file_type guix_store_content_t)
>> (type guix_profiles_t)
>> (roletype object_r guix_profiles_t)
>> + (typeattributeset file_type guix_profiles_t)
>>
>> ;; These types are domains, thereby allowing process rules
>> (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
>
> Ricardo, WDYT? I know nothing about this config file so I’d rather have
> your approval before pushing.
Could we also do this in one expression?
  (typeattributeset file_type (or guix_profiles_t
                                  guix_daemon_conf_t
                                  guix_daemon_exec_t
                                  guix_daemon_socket_t
                                  guix_store_content_t))
I also think we need to declare our use of “file_type” first:
(typeattribute file_type)
What do you think?
--
Ricardo
Information forwarded to bug-guix <at> gnu.org: bug#39172; Package guix. (Mon, 27 Jan 2020 21:51:01 GMT)
Message #14 received at 39172 <at> debbugs.gnu.org:
Hello,
Ricardo Wurmus <rekado <at> elephly.net> skribis:
> Could we also do this in one expression?
>
> (typeattributeset file_type (or guix_profiles_t
> guix_daemon_conf_t
> guix_daemon_exec_t
> guix_daemon_socket_t
> guix_store_content_t))
>
> I also think we need to declare our use of “file_type” first:
>
> (typeattribute file_type)
>
> What do you think?
Matt, does what Ricardo proposes work for you?
TIA,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#39172; Package guix. (Tue, 28 Jan 2020 13:46:01 GMT)
Message #17 received at 39172 <at> debbugs.gnu.org:
On 1/27/20 1:50 PM, Ludovic Courtès wrote:
> Hello,
>
> Ricardo Wurmus <rekado <at> elephly.net> skribis:
>
>> Could we also do this in one expression?
>>
>> (typeattributeset file_type (or guix_profiles_t
>> guix_daemon_conf_t
>> guix_daemon_exec_t
>> guix_daemon_socket_t
>> guix_store_content_t))
>>
>> I also think we need to declare our use of “file_type” first:
>>
>> (typeattribute file_type)
>>
>> What do you think?
> Matt, does what Ricardo proposes work for you?
>
I can add that and see if it helps. I am just coming up to speed on this.
There are other changes I may be proposing.
Note that use of
(block guix_daemon
... guix_daemon_conf_t
)
results in the type guix_daemon.guix_daemon_conf_t. According to
https://github.com/SELinuxProject/cil/wiki
the convention is something like the following, with added typealias
(block guix
... daemon_conf
)
(typealias guix.daemon_conf guix_daemon_conf_t)
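An added example, not part of the thread or of Guix: a small Python check that reports which types declared in a CIL policy lack the file_type attribute the patch adds, naming each type with the block-qualified form described in the last message (guix_daemon.guix_daemon_conf_t). The sample policy is constructed, and resolving names only inside the enclosing block is a simplifying assumption.

```python
import re
# Constructed sample (not the real file); guix_daemon_exec_t lacks file_type.
SAMPLE_CIL = """
(block guix_daemon
  (type guix_daemon_t)
  (type guix_daemon_conf_t)
  (typeattributeset file_type guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (type guix_store_content_t)
  (typeattributeset file_type (guix_store_content_t))
  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t)))
"""

def parse(text):
    """Parse CIL S-expressions into nested lists, dropping ';' comments."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok != ")":
            stack[-1].append(tok)
        elif len(stack) > 1:
            stack[-2].append(stack.pop())
        else:
            raise ValueError("unbalanced ')'")
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def flatten(expr):
    return [expr] if isinstance(expr, str) else [n for e in expr for n in flatten(e)]

def attributes_by_type(text):
    """Map each declared type, qualified by its blocks, to its attribute set."""
    declared, member = [], {}
    def walk(forms, prefix):
        for f in (f for f in forms if isinstance(f, list) and f):
            if f[0] == "block" and len(f) >= 2:
                walk(f[2:], prefix + f[1] + ".")
            elif f[0] == "type" and len(f) == 2:
                declared.append(prefix + f[1])
            elif f[0] == "typeattributeset" and len(f) == 3:
                for name in flatten(f[2]):  # assumption: names resolve in this block
                    member.setdefault(prefix + name, set()).add(f[1])
    walk(parse(text), "")
    return {t: member.get(t, set()) for t in declared}

def missing(text, attribute="file_type"):
    return sorted(t for t, a in attributes_by_type(text).items() if attribute not in a)
```

missing(SAMPLE_CIL) also reports guix_daemon_t, which the policy lists as a domain, so the output is a list to review rather than a list of errors.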
This bug report was last modified 5 years and 135 days ago.