GNU bug report logs - #73547
Unable to run `guix pull` on Fedora (Asahi) due to SELinux violations


Package: guix;

Reported by: Pasta Pasta <pasta <at> dash.org>

Date: Sun, 29 Sep 2024 07:02:01 UTC

Severity: normal

To reply to this bug, email your comments to 73547 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#73547; Package guix. (Sun, 29 Sep 2024 07:02:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pasta Pasta <pasta <at> dash.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 29 Sep 2024 07:02:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pasta Pasta <pasta <at> dash.org>
To: bug-guix <at> gnu.org
Subject: Unable to run `guix pull` on Fedora (Asahi) due to SELinux violations
Date: Sat, 28 Sep 2024 23:01:06 -0500
Hi all,

I installed guix via
https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
specifically
```
cd /tmp
wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
sudo ./guix-install.sh
```

I then tried to follow the docs here:
https://guix.gnu.org/manual/en/html_node/SELinux-Support.html related
to SELinux

I ended up running
```
sudo semodule -i /gnu/store/271mkw93sqb3hc4ngszcjfsc2wsb6yc8-guix-1.4.0/share/selinux/guix-daemon.cil
```

As this was the only file I found that looked right according to the
docs such as `semodule -i etc/guix-daemon.cil`

I've restarted my system a few times, however, I am still getting
SELinux violations resulting in
```
$ guix pull
guix pull: error: remounting /gnu/store writable: Permission denied
```

see the detailed SELinux violation report

```
SELinux is preventing guix-daemon from remount access on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that guix-daemon should be allowed remount access on
the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
# semodule -X 300 -i my-guixdaemon.pp

Additional Information:
Source Context                system_u:system_r:guix_daemon.guix_daemon_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                 [ filesystem ]
Source                        guix-daemon
Source Path                   guix-daemon
Port                          <Unknown>
Host                          pasta-macbookpro-asahi
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.27-1.fc40.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pasta-macbookpro-asahi
Platform                      Linux pasta-macbookpro-asahi
                              6.11.0-400.asahi.fc40.aarch64+16k #1 SMP
                              PREEMPT_DYNAMIC Fri Sep 27 02:59:31 UTC 2024
                              aarch64
Alert Count                   12
First Seen                    2024-09-28 22:37:00 CDT
Last Seen                     2024-09-28 22:51:58 CDT
Local ID                      00bfc2a9-edf9-49d4-9f98-aaff428092a2

Raw Audit Messages
type=AVC msg=audit(1727581918.607:304): avc:  denied  { remount } for
pid=3363 comm="guix-daemon"
scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: guix-daemon,guix_daemon.guix_daemon_t,fs_t,filesystem,remount
```

I tried running the steps recommended by SELinux, but that did not work.

Please advise!
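The raw AVC line in the report above carries everything needed to triage the denial: the source type (`guix_daemon.guix_daemon_t`), the target type (`fs_t`), the object class (`filesystem`), the denied permission (`remount`) and whether the system was enforcing (`permissive=0`). The following is an added example, not code from the bug report or from Guix, showing how to pull those fields out of audit-log lines and render the minimal CIL `allow` statement that would cover exactly the denied access, which is what `audit2allow` derives for you. The sample log text is constructed from the report's AVC message plus an unrelated SYSCALL line, and the regular expressions are this example's own assumptions about the audit-log field layout (`key=value` pairs, quoted where values contain spaces).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the report's AVC message joined onto a single line, the
# way it appears in /var/log/audit/audit.log, plus one non-AVC record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1727581918.607:304): arch=c00000b7 syscall=40 success=no exit=-13
type=AVC msg=audit(1727581918.607:304): avc:  denied  { remount } for pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
"""

# "avc:  denied  { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]
    source_type: str   # type component of scontext
    target_type: str   # type component of tcontext
    tclass: str
    enforcing: bool    # permissive=0 means the access was actually blocked
    comm: str


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial described by one audit line, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A security context is user:role:type:level; the type is the third field.
    source_type = fields["scontext"].split(":")[2]
    target_type = fields["tcontext"].split(":")[2]
    return AvcDenial(
        perms=m.group("perms").split(),
        source_type=source_type,
        target_type=target_type,
        tclass=fields["tclass"],
        enforcing=fields.get("permissive", "0") == "0",
        comm=fields.get("comm", ""),
    )


def find_denials(log_text: str) -> List[AvcDenial]:
    """Scan audit-log text and collect every AVC denial it contains."""
    denials = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            denials.append(d)
    return denials


def cil_allow_rule(d: AvcDenial) -> str:
    """Minimal CIL allow statement granting exactly the denied permissions."""
    return f"(allow {d.source_type} {d.target_type} ({d.tclass} ({' '.join(d.perms)})))"


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        mode = "enforcing" if d.enforcing else "permissive"
        print(f"{d.comm}: {d.source_type} -> {d.target_type} [{d.tclass}] {d.perms} ({mode})")
        print("  CIL:", cil_allow_rule(d))
```

For the report's line this yields `(allow guix_daemon.guix_daemon_t fs_t (filesystem (remount)))`. Note that the target is the generic `fs_t` type, so such a rule permits remounting any filesystem carrying that label, not only the `/gnu/store` bind mount; before adding it to a policy module it is worth checking with `ls -Zd /gnu/store` and `findmnt /gnu/store` that the store is labeled as expected, since an unlabeled or differently labeled mount is a likely reason the shipped `guix-daemon.cil` does not already match.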




Information forwarded to bug-guix <at> gnu.org:
bug#73547; Package guix. (Mon, 28 Oct 2024 04:02:03 GMT) Full text and rfc822 format available.

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pasta Pasta <pasta <at> dash.org>
To: bug-guix <at> gnu.org
Subject: Re: Unable to run `guix pull` on Fedora (Asahi) due to SELinux
 violations
Date: Sun, 27 Oct 2024 23:00:51 -0500
Hi!

Is anyone able to evaluate this?

Thanks!

On Sat, Sep 28, 2024 at 11:01 PM Pasta Pasta <pasta <at> dash.org> wrote:
>
> Hi all,
>
> I installed guix via
> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
> specifically
> ```
> cd /tmp
> wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
> chmod +x guix-install.sh
> sudo ./guix-install.sh
> ```
>
> I then tried to follow the docs here:
> https://guix.gnu.org/manual/en/html_node/SELinux-Support.html related
> to SELinux
>
> I ended up running
> ```
> sudo semodule -i /gnu/store/271mkw93sqb3hc4ngszcjfsc2wsb6yc8-guix-1.4.0/share/selinux/guix-daemon.cil
> ```
>
> As this was the only file I found that looked right according to the
> docs such as `semodule -i etc/guix-daemon.cil`
>
> I've restarted my system a few times, however, I am still getting
> SELinux violations resulting in
> ```
> $ guix pull
> guix pull: error: remounting /gnu/store writable: Permission denied
> ```
>
> see the detailed SELinux violation report
>
> ```
> SELinux is preventing guix-daemon from remount access on the filesystem .
>
> *****  Plugin catchall (100. confidence) suggests   **************************
>
> If you believe that guix-daemon should be allowed remount access on
> the  filesystem by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
> # semodule -X 300 -i my-guixdaemon.pp
>
> Additional Information:
> Source Context                system_u:system_r:guix_daemon.guix_daemon_t:s0
> Target Context                system_u:object_r:fs_t:s0
> Target Objects                 [ filesystem ]
> Source                        guix-daemon
> Source Path                   guix-daemon
> Port                          <Unknown>
> Host                          pasta-macbookpro-asahi
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-40.27-1.fc40.noarch
> Local Policy RPM
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     pasta-macbookpro-asahi
> Platform                      Linux pasta-macbookpro-asahi
>                               6.11.0-400.asahi.fc40.aarch64+16k #1 SMP
>                               PREEMPT_DYNAMIC Fri Sep 27 02:59:31 UTC 2024
>                               aarch64
> Alert Count                   12
> First Seen                    2024-09-28 22:37:00 CDT
> Last Seen                     2024-09-28 22:51:58 CDT
> Local ID                      00bfc2a9-edf9-49d4-9f98-aaff428092a2
>
> Raw Audit Messages
> type=AVC msg=audit(1727581918.607:304): avc:  denied  { remount } for
> pid=3363 comm="guix-daemon"
> scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
>
>
> Hash: guix-daemon,guix_daemon.guix_daemon_t,fs_t,filesystem,remount
> ```
>
> I tried running the recommended steps by SELinux, but that did not work.
>
> Please advise!




Information forwarded to bug-guix <at> gnu.org:
bug#73547; Package guix. (Sat, 22 Mar 2025 07:59:04 GMT) Full text and rfc822 format available.

Message #11 received at 73547 <at> debbugs.gnu.org (full text, mbox):

From: Jitendra Nair <nair.jitendra <at> gmail.com>
To: 73547 <at> debbugs.gnu.org
Subject: error: remounting /gnu/store writable: Permission denied
Date: Sat, 22 Mar 2025 13:14:42 +0530
Hello,

This SO answer https://unix.stackexchange.com/a/788716/567807 helped me fix
the error!

```
# remount /gnu/store read-write
mount -o remount,rw /gnu/store

# Modify the file 'guix-daemon.cil' to include the additions mentioned at
# the SO page https://unix.stackexchange.com/a/788716/567807

# Next snippet gotten from 'guix-install.sh'
var_guix=/var/guix/profiles/per-user/root/current-guix
semodule -i "${var_guix}/share/selinux/guix-daemon.cil"
restorecon -R /gnu /var/guix

# After rebooting the system I was able to run the guix commands without
# the error!
```

Thanks!


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.