[Nix-dev] Stripped down Linux distribution based on Nix/NixOS

Nahum Shalman nshalman at omniti.com
Wed May 4 17:23:44 CEST 2016


On Wed, May 4, 2016 at 10:25 AM, <phreedom at yandex.ru> wrote:

> On Tuesday, May 03, 2016 11:31:37 Nahum Shalman wrote:
> > I think the two most critical areas for us to work on next are:
> > 1. Shipping a kernel that enables selinux rather than apparmor. Any
> > suggestions about how to do this?
>
> I'm the person who effectively made the choice in favor of apparmor.
> "Enabling selinux" is trivial in the sense of turning on the feature in the
> kernel.
>

Sadly that's proving tricky to me and making me feel rather clumsy... My
cerana-test5 branch attempts to do that but fails. I can't yet figure out
why it's remaining disabled in spite of my changes.


> Shipping a working and useful policy would be hard.
>

For the Cerana project it's not so bad as the Nix store will be very small
and limited in how much it's doing so the policy for the core system will
be very limited in scope. For the rest of the software running on the
system we will have tools automatically generating the appropriate policies
for software that will be living in the ZFS pool rather than in the Nix
store.


> A relevant discussion:
>
> http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011091.html
>

I am by no means suggesting that NixOS should switch to selinux. Just that
I want my downstream project to be able to use it.

Thanks!
-Nahum