GNU bug report logs - #44549
[PATCH] etc: updates for the guix-daemon SELinux policy


Package: guix-patches;

Reported by: Daniel Brooks <db48x <at> db48x.net>

Date: Tue, 10 Nov 2020 09:43:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <marius <at> gnu.org>

Bug is archived. No further changes may be made.


From: Daniel Brooks <db48x <at> db48x.net>
To: 44549 <at> debbugs.gnu.org
Subject: [bug#44549] [PATCH v4] doc: add a note about relabelling after upgrades to the guix daemon
Date: Sat, 14 Nov 2020 08:49:26 -0800
[0001-doc-add-a-note-about-relabling-after-upgrades-to-the.patch (text/x-patch, inline)]
From b29749885c93811f901d0ec4e13de38f70f8c100 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <db48x <at> db48x.net>
Date: Sat, 14 Nov 2020 08:04:30 -0800
Subject: [PATCH v4] doc: add a note about relabelling after upgrades to the
 SELinux Support section of the manual

* doc/guix.texi (SELinux Support): add note about upgrades
---
 doc/guix.texi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8440ffffc7..67f5155b9f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1398,6 +1398,11 @@ install and run it, which lifts it into the @code{guix_daemon_t} domain.
 At that point SELinux could not prevent it from accessing files that are
 allowed for processes in that domain.
 
+You will need to relabel the @file{/gnu} directory after all upgrades to
+@file{guix-daemon}, such as with @code{guix pull}. You can do this with
+@code{restorecon -vR /gnu}, or by other means provided by your operating
+system.
+
 We could generate a much more restrictive policy at installation time,
 so that only the @emph{exact} file name of the currently installed
 @code{guix-daemon} executable would be labelled with
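Review bot: In the first added sentence, "such as with @code{guix pull}" can be read as the way to relabel rather than as an example of an upgrade; something like "after every upgrade of guix-daemon, for example after running @code{guix pull}" removes the ambiguity. The same sentence marks the daemon up as @file{guix-daemon} while the unchanged context just below uses @code{guix-daemon}, so the markup should match. The paragraph also does not say why relabelling is needed or what the reader will observe if it is skipped; one sentence tying it to the @code{guix_daemon_t} domain described in the preceding paragraph would help. Since @code{restorecon -vR /gnu} is meant to be typed as is, consider setting it in an @example block instead of inline.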
-- 
2.26.2





This bug report was last modified 4 years and 248 days ago.
