GNU bug report logs - #62487
guix-daemon fails on SELinux/systemd distros
[Message part 1 (text/plain, inline)]
Your bug report
#62487: guix-daemon fails on SELinux/systemd distros
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 62487 <at> debbugs.gnu.org.
--
62487: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62487
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> I thought we could improve on that by having ‘guix-install.sh’ take care
> of most things dynamically and documenting any remaining bits with
> copy/pastable snippets.
>
> The attached patch does 90% of the job! I tested it on the Rocky Linux 9
> live image available at:
>
> https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso
I fixed it with these commits (and with help from Ricardo, thanks!):
ca1ea6373a * self: Install 'guix-daemon.cil'.
b59c18f761 * doc: Tweak SELinux instructions.
4166b583fb * guix-install.sh: Install SELinux policy and relabel file systems if needed.
3bf612eaa1 * etc: SELinux: Update policy file.
Tested again in the Rocky Linux 9 image above.
Ludo’.
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Hello!
Running guix-daemon on an SELinux distro is difficult and sparsely
documented (info "(guix) SELinux Support"). On-line fora are full of
questions on this topic and sometimes random advice.
I thought we could improve on that by having ‘guix-install.sh’ take care
of most things dynamically and documenting any remaining bits with
copy/pastable snippets.
The attached patch does 90% of the job! I tested it on the Rocky Linux 9
live image available at:
https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso
The missing 10% relates to the ‘gnu-store.mount’ job: guix-daemon fails
to remount it read-write:
--8<---------------cut here---------------start------------->8---
# guix build hello
guix build: error: remounting /gnu/store writable: Permission denied
# ausearch -c guix-daemon | tail
time->Mon Mar 27 12:01:38 2023
type=PROCTITLE msg=audit(1679932898.081:464): proctitle=2F7661722F677569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569782F62696E2F677569782D6461656D6F6E003338303200000000000000000000000000000000000000000000000000002D2D646973636F7665723D6E6F
type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=4c5c10 a2=49f442 a3=1020 items=0 ppid=3258 pid=3805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="guix-daemon" exe="/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix-daemon" subj=system_u:system_r:guix_daemon.guix_daemon_t:s0 key=(null)
type=AVC msg=audit(1679932898.081:464): avc: denied { remount } for pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
--8<---------------cut here---------------end--------------->8---
It works fine (as in: ‘guix build hello’ succeeds) if I ‘systemctl stop
guix-daemon.service’ and instead run:
guix-daemon --build-users-group=guixbuild
in the terminal.
Could it be a systemd feature at play here?
As a stopgap, we could change ‘guix-install.sh’ to not install
‘gnu-store.mount’ on SELinux systems.
Thoughts?
Ludo’.
[Message part 5 (text/x-patch, inline)]
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index ea10f35250..1e6d5285f7 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -599,6 +599,22 @@ fi
_msg "${PAS}Bash shell prompt successfully customized for Guix"
}
+sys_maybe_setup_selinux()
+{
+ if [ -f /sys/fs/selinux/policy ]
+ then
+ prompt_yes_no "Install SELinux policy required to run guix-daemon?" \
+ || return
+
+ local var_guix=/var/guix/profiles/per-user/root/current-guix
+ semodule -i "${var_guix}/share/selinux/guix-daemon.cil"
+ restorecon -R /gnu /var/guix
+ # chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link
+ fi
+}
+
welcome()
{
local char
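Review bot: the exit status of `semodule -i "${var_guix}/share/selinux/guix-daemon.cil"` is never checked, so if `semodule` is absent from the image or the .cil file is not at that path, the function still runs `restorecon -R /gnu /var/guix` and main goes on to enable the daemon against a policy that was never loaded; guard with `command -v semodule` first and report the failure through `_msg` with a non-zero return when the install fails. Two smaller points in the same hunk: `prompt_yes_no "..." || return` propagates the prompt's non-zero status, which under `set -e` (not visible in this hunk) would abort the whole installer when the user answers no, so `|| return 0` is the intended behaviour; and the three commented-out `chcon -R -t ...` lines should be dropped or replaced by a one-line comment explaining that `restorecon` with the file contexts shipped in guix-daemon.cil supersedes them.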
@@ -674,6 +690,7 @@ main()
sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
sys_create_build_user
+ sys_maybe_setup_selinux
sys_enable_guix_daemon
sys_authorize_build_farms
sys_create_init_profile
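Review bot: the call to `sys_maybe_setup_selinux` is correctly placed before `sys_enable_guix_daemon` (policy and labels must exist before the unit starts), but nothing in this hunk addresses the `gnu-store.mount` remount denial (`avc: denied { remount } ... tcontext=system_u:object_r:fs_t:s0 tclass=filesystem`) described in the report, so on the Rocky Linux 9 image `guix build hello` would still fail after this patch; either skip installing `gnu-store.mount` when `/sys/fs/selinux/policy` exists, as the report proposes as a stopgap, or ship the policy change that permits the remount, and state which one the commit message relies on.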
This bug report was last modified 2 years and 57 days ago.
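The AVC record quoted in the report is what `ausearch -c guix-daemon` prints when a policy is missing a rule. The following added example (not code from Guix, from the reporter, or from the fix commits) does by hand what `audit2allow` automates: it parses such records, groups them by source type, target type and object class, and emits the CIL `allow` statements a module like guix-daemon.cil would need. The first denial is the one quoted in the report; the other audit lines and the `guix_daemon_conf_t` denials are constructed for the example.

```python
"""Turn SELinux AVC denials into CIL allow rules (a hand-rolled audit2allow).

Added example for this bug thread; not code from Guix or from the reporter.
It parses the `type=AVC ... avc: denied { perms } for ... scontext=...
tcontext=... tclass=...` records that `ausearch -c guix-daemon` prints,
groups them by (source type, target type, object class) and emits one CIL
`allow` statement per group, in the syntax guix-daemon.cil (loaded with
`semodule -i`) uses.  REPORTED_DENIAL is the record from the report; the
other records in SAMPLE_AUDIT are constructed for illustration.
"""
import re
from collections import defaultdict

# Matches the body of an AVC record.  Contexts are user:role:type:level; the
# optional trailing permissive= field says whether the denial was enforced.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Denial from the report, copied verbatim (permissive=0: it was enforced).
REPORTED_DENIAL = (
    'type=AVC msg=audit(1679932898.081:464): avc: denied { remount } for pid=3805 '
    'comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0'
)

# Constructed ausearch output: non-AVC records that must be ignored, the
# reported denial, and two constructed denials against guix_daemon_conf_t
# (a type named in the patch) that should merge into a single rule.
SAMPLE_AUDIT = [
    "time->Mon Mar 27 12:01:38 2023",
    'type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 '
    'success=no exit=-13 comm="guix-daemon"',
    REPORTED_DENIAL,
    'type=AVC msg=audit(1679932900.000:470): avc: denied { read open } for pid=3805 '
    'comm="guix-daemon" path="/var/guix/acl" '
    'scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 '
    'tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1679932900.001:471): avc: denied { getattr } for pid=3805 '
    'comm="guix-daemon" path="/var/guix/acl" '
    'scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 '
    'tcontext=system_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=file permissive=1',
]


def parse_avc(record):
    """Parse one audit record; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        # The type is the third colon-separated field even when the MLS level
        # itself contains colons (e.g. s0:c0.c1023).
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "enforced": m.group("permissive") != "1",
    }


def avc_to_cil(records):
    """Group denials by (source type, target type, class) and emit CIL allow rules.

    Permissive-mode denials (permissive=1) are kept: the access only went
    through because the domain was permissive, so it still needs a rule before
    enforcing mode works.  The rules use the fully qualified type names the
    audit log reports (guix_daemon.guix_daemon_t), which are valid at CIL
    global scope, outside the guix_daemon block.
    """
    grouped = defaultdict(set)
    for record in records:
        rec = parse_avc(record)
        if rec is not None:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))"
        for (stype, ttype, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in avc_to_cil(SAMPLE_AUDIT):
        print(rule)
```

The first rule this prints, `(allow guix_daemon.guix_daemon_t fs_t (filesystem (remount)))`, is the one the reported denial asks for. As with `audit2allow` output, it should be reviewed rather than pasted: `fs_t` is the generic filesystem type, so the rule lets the daemon remount any filesystem labelled `fs_t`, not only the `/gnu/store` bind mount, which is why the report also weighs simply not installing `gnu-store.mount` on SELinux systems.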