guix-daemon fails on SELinux/systemd distros

  • Done
Details
One participant
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
Ludovic Courtès wrote on 27 Mar 2023 18:16
(address . bug-guix@gnu.org)
87a5zygoeq.fsf@inria.fr
Hello!

Running guix-daemon on an SELinux distro is difficult and sparsely
documented (info "(guix) SELinux Support"). On-line fora are full of
questions on this topic and sometimes random advice.

I thought we could improve on that by having ‘guix-install.sh’ take care
of most things dynamically and documenting any remaining bits with
copy/pastable snippets.

The attached patch does 90% of the job! I tested it on the Rocky Linux 9
live image available at:


The missing 10% related to the ‘gnu-store.mount’ job: guix-daemon fails
to remount it read-write:

# guix build hello
guix build: error: remounting /gnu/store writable: Permission denied

# ausearch -c guix-daemon | tail
time->Mon Mar 27 12:01:38 2023
type=PROCTITLE msg=audit(1679932898.081:464): proctitle=2F7661722F677569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569782F62696E2F677569782D6461656D6F6E003338303200000000000000000000000000000000000000000000000000002D2D646973636F7665723D6E6F
type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=4c5c10 a2=49f442 a3=1020 items=0 ppid=3258 pid=3805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="guix-daemon" exe="/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix-daemon" subj=system_u:system_r:guix_daemon.guix_daemon_t:s0 key=(null)
type=AVC msg=audit(1679932898.081:464): avc: denied { remount } for pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

It works fine (as in: ‘guix build hello’ succeeds) if I ‘systemctl stop
guix-daemon.service’ and instead run:

guix-daemon --build-users-group=guixbuild

in the terminal.

Could it be a systemd feature at play here?

As a stopgap, we could change ‘guix-install.sh’ to not install
‘gnu-store.mount’ on SELinux systems.

Thoughts?

Ludo’.
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index ea10f35250..1e6d5285f7 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -599,6 +599,22 @@ fi
_msg "${PAS}Bash shell prompt successfully customized for Guix"
}
+sys_maybe_setup_selinux()
+{
+ if [ -f /sys/fs/selinux/policy ]
+ then
+ prompt_yes_no "Install SELinux policy required to run guix-daemon?" \
+ || return
+
+ local var_guix=/var/guix/profiles/per-user/root/current-guix
+ semodule -i "${var_guix}/share/selinux/guix-daemon.cil"
+ restorecon -R /gnu /var/guix
+ # chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link
+ fi
+}
+
welcome()
{
local char
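Review bot: the three commented-out chcon lines at the end of sys_maybe_setup_selinux are dead code; either drop them or replace them with one comment saying that `restorecon -R /gnu /var/guix` applies the file contexts shipped in the freshly loaded guix-daemon.cil, so the manual chcon calls are not needed. The policy load itself is also unchecked: if `semodule -i "${var_guix}/share/selinux/guix-daemon.cil"` fails (for example because policycoreutils is missing), the function still runs restorecon and returns success; consider `semodule -i ... || return 1` so the caller can report that the daemon will run without its policy.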
@@ -674,6 +690,7 @@ main()
sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
sys_create_build_user
+ sys_maybe_setup_selinux
sys_enable_guix_daemon
sys_authorize_build_farms
sys_create_init_profile
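Review bot: calling sys_maybe_setup_selinux right before sys_enable_guix_daemon is the right order, since /gnu and /var/guix are labelled before the daemon is started. It does not, however, address the remaining failure described in the report: with this policy loaded, the daemon started by systemd is still denied `{ remount }` on the store file system (tclass=filesystem), so sys_enable_guix_daemon should either skip installing gnu-store.mount when /sys/fs/selinux/policy exists, as the message proposes as a stopgap, or the policy needs to grant that permission; otherwise `guix build` fails on exactly the systems this hunk targets.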
Ludovic Courtès wrote on 25 May 2023 12:55
(address . 62487-done@debbugs.gnu.org)(name . Ricardo Wurmus)(address . rekado@elephly.net)
87wn0wel49.fsf@gnu.org
Ludovic Courtès <ludovic.courtes@inria.fr> skribis:

> I thought we could improve on that by having ‘guix-install.sh’ take care
> of most things dynamically and documenting any remaining bits with
> copy/pastable snippets.
>
> The attached patch does 90% of the job! I tested it on the Rocky Linux 9
> live image available at:
>
> https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso

I fixed it with these commits (and with help from Ricardo, thanks!):

ca1ea6373a * self: Install 'guix-daemon.cil'.
b59c18f761 * doc: Tweak SELinux instructions.
4166b583fb * guix-install.sh: Install SELinux policy and relabel file systems if needed.
3bf612eaa1 * etc: SELinux: Update policy file.

Tested again in the Rocky Linux 9 image above.

Ludo’.
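An added example, not part of this bug report or of Guix: a small Python tool that groups raw `ausearch` records by audit event id and turns a denial like the one quoted in the first message into one readable diagnosis (source domain, denied permission, target type and class, enforcing mode, errno from the paired SYSCALL record, and the argv decoded from the hex PROCTITLE). The sample records below are constructed to match the shape of the ones in the report, with a shorter proctitle; the function and field names are this example's own.

```python
import errno
import re
# Constructed sample with the same record shapes as the report (shorter
# proctitle); ausearch hex-encodes argv because NUL bytes separate the args.
PROCTITLE_HEX = ("/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon"
                 "\0--build-users-group=guixbuild\0--discover=no").encode().hex()
SAMPLE = "\n".join([
    "type=PROCTITLE msg=audit(1679932898.081:464): proctitle=" + PROCTITLE_HEX,
    'type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 pid=3805 uid=0 comm="guix-daemon" key=(null)',
    'type=AVC msg=audit(1679932898.081:464): avc:  denied  { remount } for  pid=3805 comm="guix-daemon" '
    "scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0",
])

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}")


def parse_records(text):
    """Group records by audit event id: {event_id: {record_type: fields}}."""
    events = {}
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        avc = AVC_RE.search(body)  # only AVC records carry the verdict and perms
        if avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events


def decode_proctitle(value):
    """argv list from a PROCTITLE value; plain (non-hex) titles pass through."""
    if not re.fullmatch(r"[0-9a-fA-F]*", value) or len(value) % 2:
        return [value]
    return [a for a in bytes.fromhex(value).decode("utf-8", "replace").split("\0") if a]


def summarise(text):
    out = []  # one diagnosis per event that carries an AVC record
    for event_id, recs in ((e, r) for e, r in parse_records(text).items() if "AVC" in r):
        avc, sc = recs["AVC"], recs.get("SYSCALL", {})
        code = -int(sc.get("exit", "0"))  # the kernel reports -errno on failure
        out.append({
            "event": event_id, "result": avc["result"], "perms": avc["perms"],
            "source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "enforcing": avc.get("permissive") == "0",
            "errno": errno.errorcode.get(code, str(code)),
            "argv": decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", "")),
        })
    return out
```

Feed it the output of `ausearch -c guix-daemon` (raw, not `-i`, which already interprets the hex) to see at a glance which domain was denied which permission on which type, and whether the system was enforcing at the time.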
Closed