doc: Add a note about SELinux relabeling after upgrades to guix-daemon.

* doc/guix.texi (SELinux Support): Add note about upgrades.

Signed-off-by: Marius Bakke <marius@gnu.org>
This commit is contained in:
Daniel Brooks 2020-11-14 08:04:30 -08:00 committed by Marius Bakke
parent 67d905ee79
commit 0fd87768e4
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA

View file

@ -83,6 +83,7 @@ Copyright @copyright{} 2020 pinoaffe@*
Copyright @copyright{} 2020 André Batista@* Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Alexandru-Sergiu Marton@* Copyright @copyright{} 2020 Alexandru-Sergiu Marton@*
Copyright @copyright{} 2020 raingloom@* Copyright @copyright{} 2020 raingloom@*
Copyright @copyright{} 2020 Daniel Brooks@*
Permission is granted to copy, distribute and/or modify this document Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or under the terms of the GNU Free Documentation License, Version 1.3 or
@ -1398,6 +1399,11 @@ install and run it, which lifts it into the @code{guix_daemon_t} domain.
At that point SELinux could not prevent it from accessing files that are At that point SELinux could not prevent it from accessing files that are
allowed for processes in that domain. allowed for processes in that domain.
You will need to relabel the store directory after all upgrades to
@file{guix-daemon}, such as after running @code{guix pull}. Assuming the
store is in @file{/gnu}, you can do this with @code{restorecon -vR /gnu},
or by other means provided by your operating system.
We could generate a much more restrictive policy at installation time, We could generate a much more restrictive policy at installation time,
so that only the @emph{exact} file name of the currently installed so that only the @emph{exact} file name of the currently installed
@code{guix-daemon} executable would be labelled with @code{guix-daemon} executable would be labelled with