GNU bug report logs - #73547
Unable to run `guix pull` on Fedora (Asahi) due to SELinux violations


Package: guix;

Reported by: Pasta Pasta <pasta <at> dash.org>

Date: Sun, 29 Sep 2024 07:02:01 UTC

Severity: normal


From: Pasta Pasta <pasta <at> dash.org>
To: 73547 <at> debbugs.gnu.org
Subject: bug#73547: Unable to run `guix pull` on Fedora (Asahi) due to SELinux violations
Date: Sat, 28 Sep 2024 23:01:06 -0500
Hi all,

I installed guix via
https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
specifically
```
cd /tmp
wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
sudo ./guix-install.sh
```

I then tried to follow the docs here:
https://guix.gnu.org/manual/en/html_node/SELinux-Support.html related
to SELinux

I ended up running
```
sudo semodule -i /gnu/store/271mkw93sqb3hc4ngszcjfsc2wsb6yc8-guix-1.4.0/share/selinux/guix-daemon.cil
```

As this was the only file I found that looked right according to the
docs such as `semodule -i etc/guix-daemon.cil`

I've restarted my system a few times; however, I am still getting
SELinux violations, resulting in
```
$ guix pull
guix pull: error: remounting /gnu/store writable: Permission denied
```

See the detailed SELinux violation report:

```
SELinux is preventing guix-daemon from remount access on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that guix-daemon should be allowed remount access on
the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
# semodule -X 300 -i my-guixdaemon.pp

Additional Information:
Source Context                system_u:system_r:guix_daemon.guix_daemon_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                 [ filesystem ]
Source                        guix-daemon
Source Path                   guix-daemon
Port                          <Unknown>
Host                          pasta-macbookpro-asahi
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.27-1.fc40.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pasta-macbookpro-asahi
Platform                      Linux pasta-macbookpro-asahi
                              6.11.0-400.asahi.fc40.aarch64+16k #1 SMP
                              PREEMPT_DYNAMIC Fri Sep 27 02:59:31 UTC 2024
                              aarch64
Alert Count                   12
First Seen                    2024-09-28 22:37:00 CDT
Last Seen                     2024-09-28 22:51:58 CDT
Local ID                      00bfc2a9-edf9-49d4-9f98-aaff428092a2

Raw Audit Messages
type=AVC msg=audit(1727581918.607:304): avc:  denied  { remount } for  pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: guix-daemon,guix_daemon.guix_daemon_t,fs_t,filesystem,remount
```

I tried running the steps recommended by SELinux, but that did not work.

Please advise!
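As an added example that is not part of the bug report or of Guix itself, the following Python parses raw AVC records of the kind quoted above (the format `ausearch -c 'guix-daemon' --raw` emits), groups the denials by source type, target type, object class and permission, and renders the CIL allow rule that the suggested `audit2allow` step would amount to, so the scope of what that module grants can be reviewed before it is loaded. The audit text is constructed: the report's own AVC record re-joined onto one line, a SYSCALL record that the parser must skip, and a second copy of the denial with a made-up serial.

```python
import re

# Constructed sample audit log: the AVC record quoted in the report, re-joined
# onto one line as `ausearch --raw` prints it, a SYSCALL record that must be
# skipped, and a second AVC record for the same denial (its serial is made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1727581918.607:304): avc:  denied  { remount } for  pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1727581918.607:304): arch=c00000b7 syscall=40 success=no exit=-13
type=AVC msg=audit(1727581999.001:305): avc:  denied  { remount } for  pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc_line(line):
    """Parse one 'denied' AVC record into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        # user:role:type:level -> keep only the type, which is what policy rules use
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }

def summarize(audit_text):
    """Count denials per (source type, target type, class, perms) tuple."""
    counts = {}
    for line in audit_text.splitlines():
        d = parse_avc_line(line)
        if d is not None:
            key = (d["stype"], d["ttype"], d["tclass"], d["perms"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def cil_allow_rule(key):
    """CIL allow rule covering one summarized denial (what audit2allow would propose)."""
    src, tgt, tclass, perms = key
    return f"(allow {src} {tgt} ({tclass} ({' '.join(perms)})))"
```

For the report's log this yields a single group, `guix_daemon.guix_daemon_t` on `fs_t` for `filesystem { remount }`, which is exactly the one permission the generated module would add.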
