nix-selinux-policy: init at 1.0 #46612
Conversation
|
Why not add it to Nix itself? |
|
@jtojnar I was considering just that. There are pros and cons: On the one hand, this SELinux module is directly tied to nix-store and what it does. On the other hand, decoupling it from the Nix project itself means it's much easier to develop and release separately. A simple tweak on the policy would mean that all of Nix would have to be re-compiled, the version bumped and released, even though nothing changed in Nix itself. The same holds true vice versa: Version bumps in Nix don't mean that the policy needs to be changed, rebuild and deployed. Lastly, this is also what Fedora does: Most policies are pre-integrated with the OS, and special needs policies for specific packages come as separately versioned and built packages. |
outergod
force-pushed
the
pkgs/nix-selinux-policy-1.0
branch
from
9d04d6a
to
059ced2
Compare
outergod
force-pushed
the
pkgs/nix-selinux-policy-1.0
branch
from
059ced2
to
5149147
Compare
| @@ -0,0 +1,674 @@ | |||
| GNU GENERAL PUBLIC LICENSE | |||
There was a problem hiding this comment.
IMHO individual Nix expressions in Nixpkgs should not have different licenses.
There was a problem hiding this comment.
Custom license removed, and since there's no upstream project, I applied nixpkgs' MIT license.
|
IMHO the main criterion to decide whether to upstream the file is whether it can be reused by other distributions like desktop files, manual pages or appstream metadata can. Not sure if SELinux policies fall into this category. |
|
@jtojnar the policy, in fact, is currently only of use for other distributions than NixOS. However it has to be loaded into the host system's SELinux configuration and there is no mechanism to do this yet except for the one I added to Nix' installer in NixOS/nix#2670, plus files have to be re-labeled unless they had been previously been installed by Nix. Keeping the policy separate from Nix has purely pragmatic advantages: It can thus be modified without requiring a separate release of Nix. The effect of the policy, once fully integrated, is global: It affects the future labeling of all files in the Nix store and makes it at least possible to run systemd services based on files from the Nix store on SELinux systems. I should've probably explained this much earlier, in the description. In any case, the resulting file has to be inserted using If you still think it shouldn't go to nixpkgs but Nix, I'm perfectly fine with closing the PR and moving the policy to the aforementioned PR to Nix. However hosting the policy with Nix will complicate future updates to the policy, and I think there are no advantages in not having the policy in nixpkgs except for purely idealistic ones. |
|
I ultimately decided to move the policy into the related Nix PR itself. |
Motivation for this change
This basic SELinux policy for files in
/nixis required to support running Nix in multi-user mode on SELinux-enabled systems.To test the output of this derivation, run
semodule -i result/nix.ppafter building andrestorecon -von files in/nixto verify that the contexts defined innix.fcare applied.Required to fix NixOS/nix#2374.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)