From unknown Sat Aug 16 23:46:59 2025 X-Loop: help-debbugs@gnu.org Subject: bug#62487: guix-daemon fails on SELinux/systemd distros Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: rekado@elephly.net, bug-guix@gnu.org Resent-Date: Mon, 27 Mar 2023 16:18:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 62487 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 62487@debbugs.gnu.org Cc: Ricardo Wurmus X-Debbugs-Original-To: bug-guix@gnu.org X-Debbugs-Original-Xcc: Ricardo Wurmus Received: via spool by submit@debbugs.gnu.org id=B.167993384514092 (code B ref -1); Mon, 27 Mar 2023 16:18:02 +0000 Received: (at submit) by debbugs.gnu.org; 27 Mar 2023 16:17:25 +0000 Received: from localhost ([127.0.0.1]:48278 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgpXB-0003fD-DI for submit@debbugs.gnu.org; Mon, 27 Mar 2023 12:17:25 -0400 Received: from lists.gnu.org ([209.51.188.17]:57334) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgpX9-0003f5-JV for submit@debbugs.gnu.org; Mon, 27 Mar 2023 12:17:24 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgpX5-0006jH-Ah for bug-guix@gnu.org; Mon, 27 Mar 2023 12:17:21 -0400 Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgpX1-0007b3-Ek for bug-guix@gnu.org; Mon, 27 Mar 2023 12:17:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:to:subject:date:message-id:mime-version; bh=E/UujCyRnh065P/cJ4YguNyYqBOp8KYk0V+ZV0/DxDM=; b=m92H63fuonzWuZeMuSYq2GE6BjfxaleAjO/pc+hkX+HJYMeThX7UOfcE 47wCCfgRZJxUUOB2xZFdrFuBDXOvjF+rZO2BYikS+q+5lj2jaOS0GTvQT hST46FyRWnjXF9xNsaDWCZ/EAARpmUItMCgjXgu90WZ5lf78mLnrzQxFu Q=; Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=ludovic.courtes@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr X-IronPort-AV: E=Sophos;i="5.98,295,1673910000"; d="scan'208";a="99368628" Received: from unknown (HELO ribbon) ([193.50.110.81]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Mar 2023 18:16:45 +0200 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Septidi 7 Germinal an 231 de la =?UTF-8?Q?R=C3=A9volution,?= jour du Bouleau X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 27 Mar 2023 18:16:45 +0200 Message-ID: <87a5zygoeq.fsf@inria.fr> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Received-SPF: pass client-ip=192.134.164.83; envelope-from=ludovic.courtes@inria.fr; helo=mail2-relais-roc.national.inria.fr X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello! Running guix-daemon on an SELinux distro is difficult and sparsely documented (info "(guix) SELinux Support"). On-line fora are full of questions on this topic and sometimes random advice. I thought we could improve on that by having =E2=80=98guix-install.sh=E2=80= =99 take care of most things dynamically and documenting any remaining bits with copy/pastable snippets. The attached patch does 90% of the job! I tested it on the Rocky Linux 9 live image available at: https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lit= e-x86_64-latest.iso The missing 10% related to the =E2=80=98gnu-store.mount=E2=80=99 job: guix-= daemon fails to remount it read-write: --8<---------------cut here---------------start------------->8--- # guix build hello guix build: error: remounting /gnu/store writable: Permission denied # ausearch -c guix-daemon | tail time->Mon Mar 27 12:01:38 2023 type=3DPROCTITLE msg=3Daudit(1679932898.081:464): proctitle=3D2F7661722F677= 569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569= 782F62696E2F677569782D6461656D6F6E00333830320000000000000000000000000000000= 0000000000000000000002D2D646973636F7665723D6E6F type=3DSYSCALL msg=3Daudit(1679932898.081:464): arch=3Dc000003e syscall=3D1= 65 success=3Dno exit=3D-13 a0=3D0 a1=3D4c5c10 a2=3D49f442 a3=3D1020 items= =3D0 ppid=3D3258 pid=3D3805 auid=3D4294967295 uid=3D0 gid=3D0 euid=3D0 suid= =3D0 fsuid=3D0 egid=3D0 sgid=3D0 fsgid=3D0 tty=3D(none) ses=3D4294967295 co= mm=3D"guix-daemon" exe=3D"/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-= 1.4.0/bin/guix-daemon" subj=3Dsystem_u:system_r:guix_daemon.guix_daemon_t:s= 0 key=3D(null) type=3DAVC msg=3Daudit(1679932898.081:464): avc: denied { remount } for = pid=3D3805 comm=3D"guix-daemon" scontext=3Dsystem_u:system_r:guix_daemon.gu= ix_daemon_t:s0 tcontext=3Dsystem_u:object_r:fs_t:s0 tclass=3Dfilesystem per= missive=3D0 --8<---------------cut here---------------end--------------->8--- It works fine (as in: =E2=80=98guix build hello=E2=80=99 succeeds) if I =E2= =80=98systemctl stop guix-daemon.service=E2=80=99 and instead run: guix-daemon --build-users-group=3Dguixbuild in the terminal. Could it be a systemd feature at play here? As a stopgap, we could change =E2=80=98guix-install.sh=E2=80=99 to not inst= all =E2=80=98gnu-store.mount=E2=80=99 on SELinux systems. Thoughts? Ludo=E2=80=99. --=-=-= Content-Type: text/x-patch Content-Disposition: inline diff --git a/etc/guix-install.sh b/etc/guix-install.sh index ea10f35250..1e6d5285f7 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh @@ -599,6 +599,22 @@ fi _msg "${PAS}Bash shell prompt successfully customized for Guix" } +sys_maybe_setup_selinux() +{ + if [ -f /sys/fs/selinux/policy ] + then + prompt_yes_no "Install SELinux policy required to run guix-daemon?" \ + || return + + local var_guix=/var/guix/profiles/per-user/root/current-guix + semodule -i "${var_guix}/share/selinux/guix-daemon.cil" + restorecon -R /gnu /var/guix + # chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/ + # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix + # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link + fi +} + welcome() { local char @@ -674,6 +690,7 @@ main() sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}" sys_create_build_user + sys_maybe_setup_selinux sys_enable_guix_daemon sys_authorize_build_farms sys_create_init_profile --=-=-=-- From unknown Sat Aug 16 23:46:59 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Subject: bug#62487: closed (Re: bug#62487: guix-daemon fails on SELinux/systemd distros) Message-ID: References: <87wn0wel49.fsf@gnu.org> <87a5zygoeq.fsf@inria.fr> X-Gnu-PR-Message: they-closed 62487 X-Gnu-PR-Package: guix Reply-To: 62487@debbugs.gnu.org Date: Thu, 25 May 2023 10:56:01 +0000 Content-Type: multipart/mixed; boundary="----------=_1685012161-30845-1" This is a multi-part message in MIME format... ------------=_1685012161-30845-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #62487: guix-daemon fails on SELinux/systemd distros which was filed against the guix package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 62487@debbugs.gnu.org. --=20 62487: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D62487 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1685012161-30845-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 62487-done) by debbugs.gnu.org; 25 May 2023 10:55:29 +0000 Received: from localhost ([127.0.0.1]:46106 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q28cz-0007y1-8X for submit@debbugs.gnu.org; Thu, 25 May 2023 06:55:29 -0400 Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:51235) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q28cw-0007x5-34 for 62487-done@debbugs.gnu.org; Thu, 25 May 2023 06:55:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:to:cc:subject:references:date:in-reply-to: message-id:mime-version:content-transfer-encoding; bh=tclmSupCi1AFNdVCEXdgps9qpq/I17IwosNflmgOy/s=; b=qt0sDacNeRm4JgEg6LVcgK27xZqnr4C10vfkQpl77eRXFSj/G5ONyDjo ZtnsRBQa8sHX5LV9MnuwqNp5VoOtqCnOKrsDtKyzec9MNMm8+BRZNy83F NSqs6O8VDBjmrVLAMnXFsY33n+h+6nmUkQ3C5E46pzZV8u1O95H24g0B7 o=; Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=ludovic.courtes@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr X-IronPort-AV: E=Sophos;i="6.00,190,1681164000"; d="scan'208";a="109637945" Received: from 91-160-117-201.subs.proxad.net (HELO ribbon) ([91.160.117.201]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 May 2023 12:55:19 +0200 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: 62487-done@debbugs.gnu.org Subject: Re: bug#62487: guix-daemon fails on SELinux/systemd distros References: <87a5zygoeq.fsf@inria.fr> Date: Thu, 25 May 2023 12:55:18 +0200 In-Reply-To: <87a5zygoeq.fsf@inria.fr> ("Ludovic =?utf-8?Q?Court=C3=A8s=22?= =?utf-8?Q?'s?= message of "Mon, 27 Mar 2023 18:16:45 +0200") Message-ID: <87wn0wel49.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 62487-done Cc: Ricardo Wurmus X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Ludovic Court=C3=A8s skribis: > I thought we could improve on that by having =E2=80=98guix-install.sh=E2= =80=99 take care > of most things dynamically and documenting any remaining bits with > copy/pastable snippets. > > The attached patch does 90% of the job! I tested it on the Rocky Linux 9 > live image available at: > > https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-L= ite-x86_64-latest.iso I fixed it with these commits (and with help from Ricardo, thanks!): ca1ea6373a * self: Install 'guix-daemon.cil'. b59c18f761 * doc: Tweak SELinux instructions. 4166b583fb * guix-install.sh: Install SELinux policy and relabel file sys= tems if needed. 3bf612eaa1 * etc: SELinux: Update policy file. Tested again in the Rocky Linux 9 image above. Ludo=E2=80=99. ------------=_1685012161-30845-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 27 Mar 2023 16:17:25 +0000 Received: from localhost ([127.0.0.1]:48278 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgpXB-0003fD-DI for submit@debbugs.gnu.org; Mon, 27 Mar 2023 12:17:25 -0400 Received: from lists.gnu.org ([209.51.188.17]:57334) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgpX9-0003f5-JV for submit@debbugs.gnu.org; Mon, 27 Mar 2023 12:17:24 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgpX5-0006jH-Ah for bug-guix@gnu.org; Mon, 27 Mar 2023 12:17:21 -0400 Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgpX1-0007b3-Ek for bug-guix@gnu.org; Mon, 27 Mar 2023 12:17:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:to:subject:date:message-id:mime-version; bh=E/UujCyRnh065P/cJ4YguNyYqBOp8KYk0V+ZV0/DxDM=; b=m92H63fuonzWuZeMuSYq2GE6BjfxaleAjO/pc+hkX+HJYMeThX7UOfcE 47wCCfgRZJxUUOB2xZFdrFuBDXOvjF+rZO2BYikS+q+5lj2jaOS0GTvQT hST46FyRWnjXF9xNsaDWCZ/EAARpmUItMCgjXgu90WZ5lf78mLnrzQxFu Q=; Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=ludovic.courtes@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr X-IronPort-AV: E=Sophos;i="5.98,295,1673910000"; d="scan'208";a="99368628" Received: from unknown (HELO ribbon) ([193.50.110.81]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Mar 2023 18:16:45 +0200 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: bug-guix@gnu.org Subject: guix-daemon fails on SELinux/systemd distros X-Debbugs-CC: Ricardo Wurmus X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Septidi 7 Germinal an 231 de la =?utf-8?Q?R=C3=A9vol?= =?utf-8?Q?ution=2C?= jour du Bouleau X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 27 Mar 2023 18:16:45 +0200 Message-ID: <87a5zygoeq.fsf@inria.fr> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Received-SPF: pass client-ip=192.134.164.83; envelope-from=ludovic.courtes@inria.fr; helo=mail2-relais-roc.national.inria.fr X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello! Running guix-daemon on an SELinux distro is difficult and sparsely documented (info "(guix) SELinux Support"). On-line fora are full of questions on this topic and sometimes random advice. I thought we could improve on that by having =E2=80=98guix-install.sh=E2=80= =99 take care of most things dynamically and documenting any remaining bits with copy/pastable snippets. The attached patch does 90% of the job! I tested it on the Rocky Linux 9 live image available at: https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lit= e-x86_64-latest.iso The missing 10% related to the =E2=80=98gnu-store.mount=E2=80=99 job: guix-= daemon fails to remount it read-write: --8<---------------cut here---------------start------------->8--- # guix build hello guix build: error: remounting /gnu/store writable: Permission denied # ausearch -c guix-daemon | tail time->Mon Mar 27 12:01:38 2023 type=3DPROCTITLE msg=3Daudit(1679932898.081:464): proctitle=3D2F7661722F677= 569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569= 782F62696E2F677569782D6461656D6F6E00333830320000000000000000000000000000000= 0000000000000000000002D2D646973636F7665723D6E6F type=3DSYSCALL msg=3Daudit(1679932898.081:464): arch=3Dc000003e syscall=3D1= 65 success=3Dno exit=3D-13 a0=3D0 a1=3D4c5c10 a2=3D49f442 a3=3D1020 items= =3D0 ppid=3D3258 pid=3D3805 auid=3D4294967295 uid=3D0 gid=3D0 euid=3D0 suid= =3D0 fsuid=3D0 egid=3D0 sgid=3D0 fsgid=3D0 tty=3D(none) ses=3D4294967295 co= mm=3D"guix-daemon" exe=3D"/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-= 1.4.0/bin/guix-daemon" subj=3Dsystem_u:system_r:guix_daemon.guix_daemon_t:s= 0 key=3D(null) type=3DAVC msg=3Daudit(1679932898.081:464): avc: denied { remount } for = pid=3D3805 comm=3D"guix-daemon" scontext=3Dsystem_u:system_r:guix_daemon.gu= ix_daemon_t:s0 tcontext=3Dsystem_u:object_r:fs_t:s0 tclass=3Dfilesystem per= missive=3D0 --8<---------------cut here---------------end--------------->8--- It works fine (as in: =E2=80=98guix build hello=E2=80=99 succeeds) if I =E2= =80=98systemctl stop guix-daemon.service=E2=80=99 and instead run: guix-daemon --build-users-group=3Dguixbuild in the terminal. Could it be a systemd feature at play here? As a stopgap, we could change =E2=80=98guix-install.sh=E2=80=99 to not inst= all =E2=80=98gnu-store.mount=E2=80=99 on SELinux systems. Thoughts? Ludo=E2=80=99. --=-=-= Content-Type: text/x-patch Content-Disposition: inline diff --git a/etc/guix-install.sh b/etc/guix-install.sh index ea10f35250..1e6d5285f7 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh @@ -599,6 +599,22 @@ fi _msg "${PAS}Bash shell prompt successfully customized for Guix" } +sys_maybe_setup_selinux() +{ + if [ -f /sys/fs/selinux/policy ] + then + prompt_yes_no "Install SELinux policy required to run guix-daemon?" \ + || return + + local var_guix=/var/guix/profiles/per-user/root/current-guix + semodule -i "${var_guix}/share/selinux/guix-daemon.cil" + restorecon -R /gnu /var/guix + # chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/ + # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix + # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link + fi +} + welcome() { local char @@ -674,6 +690,7 @@ main() sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}" sys_create_build_user + sys_maybe_setup_selinux sys_enable_guix_daemon sys_authorize_build_farms sys_create_init_profile --=-=-=-- ------------=_1685012161-30845-1--