nix-selinux-policy: init at 1.0 #46612
Conversation
Why not add it to Nix itself?
@jtojnar I was considering just that. There are pros and cons: On the one hand, this SELinux module is directly tied to nix-store and what it does. On the other hand, decoupling it from the Nix project itself means it's much easier to develop and release separately. A simple tweak on the policy would mean that all of Nix would have to be re-compiled, the version bumped and released, even though nothing changed in Nix itself. The same holds true vice versa: Version bumps in Nix don't mean that the policy needs to be changed, rebuilt and deployed. Lastly, this is also what Fedora does: Most policies are pre-integrated with the OS, and special needs policies for specific packages come as separately versioned and built packages.
@@ -0,0 +1,674 @@ | |||
GNU GENERAL PUBLIC LICENSE |
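Review bot: a separate GPL license text for a single package does not belong in this tree (the hunk adds a new 674-line file beginning "GNU GENERAL PUBLIC LICENSE"); nixpkgs expressions share the repository's MIT license, so drop this file rather than carrying a per-package license.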
IMHO individual Nix expressions in Nixpkgs should not have different licenses.
Custom license removed, and since there's no upstream project, I applied nixpkgs' MIT license.
IMHO the main criterion to decide whether to upstream the file is whether it can be reused by other distributions like desktop files, manual pages or appstream metadata can. Not sure if SELinux policies fall into this category.
@jtojnar the policy, in fact, is currently only of use for other distributions than NixOS. However it has to be loaded into the host system's SELinux configuration and there is no mechanism to do this yet except for the one I added to Nix's installer in NixOS/nix#2670, plus files have to be re-labeled unless they had previously been installed by Nix. Keeping the policy separate from Nix has purely pragmatic advantages: It can thus be modified without requiring a separate release of Nix. The effect of the policy, once fully integrated, is global: It affects the future labeling of all files in the Nix store and makes it at least possible to run systemd services based on files from the Nix store on SELinux systems. I should've probably explained this much earlier, in the description. In any case, the resulting file has to be inserted using

If you still think it shouldn't go to nixpkgs but Nix, I'm perfectly fine with closing the PR and moving the policy to the aforementioned PR to Nix. However hosting the policy with Nix will complicate future updates to the policy, and I think there are no advantages in not having the policy in nixpkgs except for purely idealistic ones.
I ultimately decided to move the policy into the related Nix PR itself.
Motivation for this change

This basic SELinux policy for files in `/nix` is required to support running Nix in multi-user mode on SELinux-enabled systems. To test the output of this derivation, run `semodule -i result/nix.pp` after building and `restorecon -v` on files in `/nix` to verify that the contexts defined in `nix.fc` are applied. Required to fix NixOS/nix#2374.

Things done

- Tested using sandboxing (option `sandbox` in `nix.conf` on non-NixOS)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)
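The test procedure in the description (build, `semodule -i`, `restorecon`, then check that the `nix.fc` contexts are applied) as a small verification script. This is an added example, not code from the PR or from the policy package: the type name `nix_store_t` is a stand-in for whatever `nix.fc` actually defines, and the `nix-build` argument and `/nix/store` root are assumptions. The comparison deliberately looks only at the SELinux type, because `restorecon` without `-F` leaves the user component of an existing label untouched, so a file that was labelled by an unconfined user before the policy was loaded is still correct even though its full context string differs from the one `matchpathcon` prints.

```shell
#!/bin/sh
# Added example: load a freshly built SELinux module, relabel /nix, and audit
# the result against the policy's own file-context specification.
set -eu

# Extract the type field from a full context (user:role:type:level).
selinux_type() {
  ctx=$1
  ctx=${ctx#*:}          # drop user
  ctx=${ctx#*:}          # drop role
  printf '%s\n' "${ctx%%:*}"   # keep type, drop level (if any)
}

# Compare the label a path currently carries with the one the loaded policy
# says it should have. Only the type is compared (see lead-in). Prints a
# verdict line; returns 1 on mismatch so callers can count failures.
compare_context() {
  path=$1 actual=$2 expected=$3
  have=$(selinux_type "$actual")
  want=$(selinux_type "$expected")
  if [ "$have" = "$want" ]; then
    printf 'OK       %s %s\n' "$path" "$have"
    return 0
  fi
  printf 'MISMATCH %s has %s, policy wants %s\n' "$path" "$have" "$want"
  return 1
}

# Audit one real path: current label from stat, expected label from the
# file-context database that semodule -i just updated.
audit_path() {
  compare_context "$1" "$(stat -c %C "$1")" "$(matchpathcon -n "$1")"
}

# Audit the top level of a tree; returns the number of mismatches (capped at
# the shell's exit status range by the caller).
audit_tree() {
  root=$1 bad=0
  for p in "$root" "$root"/*; do
    [ -e "$p" ] || continue
    audit_path "$p" || bad=$((bad + 1))
  done
  return "$bad"
}

main() {
  # 1. build the policy package (attribute name is an assumption)
  nix-build '<nixpkgs>' -A nix-selinux-policy
  # 2. load the compiled module into the host policy
  semodule -i result/nix.pp
  # 3. relabel existing store contents so nix.fc takes effect on old files too
  restorecon -Rv /nix
  # 4. verify: every entry should now carry the type nix.fc assigns it
  audit_tree /nix/store
}

# Only run the privileged steps when explicitly asked; sourcing the file for
# its functions (as the accompanying test does) is side-effect free.
[ "${1:-}" = run ] && main
true
```

Run it as `sudo sh verify-nix-policy.sh run` on the SELinux host after building; a non-zero exit is the count of top-level store entries whose type does not match the policy, which is the signal that relabeling was skipped or that `nix.fc` does not cover the path.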