Hi,

It seems that the new unprivileged mode of guix-daemon breaks on some foreign
distros with SELinux.
More specifically, SELinux prevents guix-daemon from creating & entering user
namespaces.

The following change seems to mitigate this on Fedora:
--8<---------------cut here---------------start------------->8---
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index b221e31094..d98af865eb 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -361,6 +361,14 @@
          self
          (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
 
+  ;; Allow use of user namespaces
+  (allow guix_daemon_t
+         self
+         (cap_userns (sys_admin net_admin sys_chroot)))
+  (allow guix_daemon_t
+         self
+         (user_namespace (create)))
+
   ;; Socket operations
   (allow guix_daemon_t
          guix_daemon_socket_t
--8<---------------cut here---------------end--------------->8---

The second rule requires the user_namespace class to be defined, and might break
with policies which do not include it (e.g., Rocky Linux 9).

Given that the guix-daemon SELinux policy doesn't quite work out of the box for
stable releases (cil file is outdated and doesn't include all required
permissions), one suggestion can be to use an unconfined domain for the time
being, at least optionally?

For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can be
set to usr_t, similar to /usr & /opt, requiring no extra policy:
--8<---------------cut here---------------start------------->8---
sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
--8<---------------cut here---------------end--------------->8---

More details can be found here: https://danwalsh.livejournal.com/70577.html

It might not be ideal, but it works without any extra tweaking on each
upgrade, and keeps the rest of the system policy enforced.

Thanks,
Ido.