1.2.0rc0 tarball includes guix-daemon.cil.in

  • Done
4 participants
  • Daniel Brooks
  • Ludovic Courtès
  • Marius Bakke
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Daniel Brooks
Severity
normal
Daniel Brooks wrote on 15 Nov 2020 01:51
(address . bug-guix@gnu.org)
87wnyn4f3v.fsf@db48x.net
It should instead include the guix-daemon.cil file which was built from
it. The .in file has unsubstituted variables in it which make it useless
as an SELinux policy.
Marius Bakke wrote on 15 Nov 2020 15:56
(name . Ludovic Courtès)(address . ludo@gnu.org)
87ft5abrd7.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> It should instead include the guix-daemon.cil file which was built from
> it. The .in file has unsubstituted variables in it which make it useless
> as an SELinux policy.

Actually I think both should be included. The processed file will work
for 99% of users, and the template is needed for the 1% that use a
different store directory.

@Ludo: WDYT about the attached patch for version-1.2.0?
From 8b77d853a4c9503df61fb75190d562206d1de1d2 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 15 Nov 2020 15:56:04 +0100
Subject: [PATCH] maint: Install the processed SELinux policy file in addition
to the template.

Reported by Daniel Brooks <db48x@db48x.net>.

* Makefile.am (dist_selinux_policy_DATA): New target.
---
Makefile.am | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 5b84d74f08..4c061db3ca 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -561,8 +561,10 @@ dist_zshcompletion_DATA = etc/completion/zsh/_guix
# Fish completion file.
dist_fishcompletion_DATA = etc/completion/fish/guix.fish
-# SELinux policy
+# SELinux policy. Install both the template and the compiled version so
+# it works "out of the box", but can be rebuilt as necessary.
nodist_selinux_policy_DATA = etc/guix-daemon.cil.in
+dist_selinux_policy_DATA = etc/guix-daemon.cil
EXTRA_DIST += \
HACKING \
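
Review bot: On the two `selinux_policy_DATA` lines, the prefixes look inverted for what the new comment describes: `nodist_` sits on the template `etc/guix-daemon.cil.in`, while `dist_` sits on `etc/guix-daemon.cil`, which the report says is built from that template. With `dist_`, the tarball would carry a policy instantiated with whatever values the release build substituted, and the unchanged `nodist_` line still installs the unsubstituted `.cil.in` into the policy directory. Consider `nodist_selinux_policy_DATA = etc/guix-daemon.cil` for the generated file and shipping the template through `EXTRA_DIST` instead. The log entry should also describe `dist_selinux_policy_DATA` as a new variable rather than a new target.
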
--
2.29.2
Daniel Brooks wrote on 15 Nov 2020 16:08
(name . Marius Bakke)(address . marius@gnu.org)
87o8jy4pyz.fsf@db48x.net
Marius Bakke <marius@gnu.org> writes:

> Actually I think both should be included. The processed file will work
> for 99% of users, and the template is needed for the 1% that use a
> different store directory.

Fair enough.
Ludovic Courtès wrote on 15 Nov 2020 21:19
(name . Daniel Brooks)(address . db48x@db48x.net)
87361a8jbc.fsf@gnu.org
Hi,

Daniel Brooks <db48x@db48x.net> writes:

> It should instead include the guix-daemon.cil file which was built from
> it. The .in file has unsubstituted variables in it which make it useless
> as an SELinux policy.

Yes, but running “./configure” gives you the ‘etc/guix-daemon.cil’ for
your configuration. What’s wrong with that?

Marius: common practice is to not include instantiated templates; we
wouldn’t use templates in the first place if contents were always the
same. :-)

Thanks,
Ludo’.
Tobias Geerinckx-Rice wrote on 15 Nov 2020 22:02
(name . Daniel Brooks)(address . db48x@db48x.net)
875z66xrj5.fsf@nckx
Daniel Brooks writes:

> Marius Bakke <marius@gnu.org> writes:
>
>> Actually I think both should be included. The processed file
>> will work
>> for 99% of users, and the template is needed for the 1% that
>> use a
>> different store directory.
>
> Fair enough.

Is a pre-generated .cil file required to run ./configure at all on
some systems? How's it different from, say, the Makefile which is
also generated later?

Kind regards,

T G-R
Daniel Brooks wrote on 15 Nov 2020 22:24
(name . Ludovic Courtès)(address . ludo@gnu.org)
87blfy48l0.fsf@db48x.net
Ludovic Courtès <ludo@gnu.org> writes:

> Yes, but running “./configure” gives you the ‘etc/guix-daemon.cil’ for
> your configuration. What’s wrong with that?
>
> Marius: common practice is to not include instantiated templates; we
> wouldn’t use templates in the first place if contents were always the
> same. :-)

That's true; I'd forgotten about that. The reason I mention it is that
it would be nice if guix-install.sh could set up the selinux policy. I
guess this is the only step that would need to run configure.

db48x
Marius Bakke wrote on 15 Nov 2020 23:26
(address . 44649-done@debbugs.gnu.org)
87tutq9ryp.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Daniel Brooks <db48x@db48x.net> writes:
>
>> It should instead include the guix-daemon.cil file which was built from
>> it. The .in file has unsubstituted variables in it which make it useless
>> as an SELinux policy.
>
> Yes, but running “./configure” gives you the ‘etc/guix-daemon.cil’ for
> your configuration. What’s wrong with that?
>
> Marius: common practice is to not include instantiated templates; we
> wouldn’t use templates in the first place if contents were always the
> same. :-)

Yes indeed; somehow I thought the bootstrapped tarball also had run
"configure" with the common options, but obviously that's incorrect.

Closing this bug, as there is no reason to special-case this one file.
Closed
Ludovic Courtès wrote on 16 Nov 2020 09:12
(name . Daniel Brooks)(address . db48x@db48x.net)
87lff14t52.fsf@gnu.org
Hi Daniel,

Daniel Brooks <db48x@db48x.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Yes, but running “./configure” gives you the ‘etc/guix-daemon.cil’ for
>> your configuration. What’s wrong with that?
>>
>> Marius: common practice is to not include instantiated templates; we
>> wouldn’t use templates in the first place if contents were always the
>> same. :-)
>
> That's true; I'd forgotten about that. The reason I mention it is that
> it would be nice if guix-install.sh could set up the selinux policy. I
> guess this is the only step that would need to run configure.

Good point! The installed ‘guix’ has that file under
share/selinux/guix-daemon.cil, so perhaps the script could copy it from
there?

HTH,
Ludo’.
Daniel Brooks wrote on 16 Nov 2020 13:12
(name . Ludovic Courtès)(address . ludo@gnu.org)
87y2j133h6.fsf@db48x.net
Ludovic Courtès <ludo@gnu.org> writes:

> Good point! The installed ‘guix’ has that file under
> share/selinux/guix-daemon.cil, so perhaps the script could copy it from
> there?

It only has it if you run configure first.

db48x
Ludovic Courtès wrote on 16 Nov 2020 13:53
(name . Daniel Brooks)(address . db48x@db48x.net)
87d00dxy1n.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Good point! The installed ‘guix’ has that file under
>> share/selinux/guix-daemon.cil, so perhaps the script could copy it from
>> there?
>
> It only has it if you run configure first.

“The installed ‘guix’” here refers to the one in
/var/guix/profiles/per-user/root that ‘guix-install.sh’ installed.

HTH,
Ludo’.
Daniel Brooks wrote on 16 Nov 2020 14:15
(name . Ludovic Courtès)(address . ludo@gnu.org)
87tutp30k7.fsf@db48x.net
Ludovic Courtès <ludo@gnu.org> writes:

>>> Good point! The installed ‘guix’ has that file under
>>> share/selinux/guix-daemon.cil, so perhaps the script could copy it from
>>> there?
>>
>> It only has it if you run configure first.
>
> “The installed ‘guix’” here refers to the one in
> /var/guix/profiles/per-user/root that ‘guix-install.sh’ installed.

It only has what's in the tarball, which is just guix-daemon.cil.in.

db48x
Ludovic Courtès wrote on 16 Nov 2020 17:15
(name . Daniel Brooks)(address . db48x@db48x.net)
87mtzhuvk2.fsf@gnu.org
Daniel Brooks <db48x@db48x.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>>>> Good point! The installed ‘guix’ has that file under
>>>> share/selinux/guix-daemon.cil, so perhaps the script could copy it from
>>>> there?
>>>
>>> It only has it if you run configure first.
>>
>> “The installed ‘guix’” here refers to the one in
>> /var/guix/profiles/per-user/root that ‘guix-install.sh’ installed.
>
> It only has what's in the tarball, which is just guix-daemon.cil.in.

Oh, got it; now that’s a bug, sorry if I had misunderstood all along!

Now fixed in d4031410375834349bc0d56630be86b076a1d704.

Ludo’.
Closed