Unable to run `guix pull` on Fedora (Asahi) due to SELinux violations

  • Open
Details
One participant
  • Pasta Pasta
Owner
unassigned
Submitted by
Pasta Pasta
Severity
normal
Pasta Pasta wrote on 29 Sep 06:01 +0200
(address . bug-guix@gnu.org)
CA+493-qsAeZgZQFnoT+VYCJ5GJCjC4TObS4yRWS9=Hg98G6Beg@mail.gmail.com
Hi all,

I installed guix via
https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
specifically
```
cd /tmp
wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
sudo ./guix-install.sh
```

I then tried to follow the docs here:
https://guix.gnu.org/manual/en/html_node/SELinux-Support.html related
to SELinux

I ended up running
```
sudo semodule -i
/gnu/store/271mkw93sqb3hc4ngszcjfsc2wsb6yc8-guix-1.4.0/share/selinux/guix-daemon.cil
```

As this was the only file I found that looked right according to the
docs such as `semodule -i etc/guix-daemon.cil`

I've restarted my system a few times, however, I am still getting
SELinux violations resulting in
```
$ guix pull
guix pull: error: remounting /gnu/store writable: Permission denied
```

see the detailed SELinux violation report

```
SELinux is preventing guix-daemon from remount access on the filesystem .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that guix-daemon should be allowed remount access on
the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
# semodule -X 300 -i my-guixdaemon.pp

Additional Information:
Source Context system_u:system_r:guix_daemon.guix_daemon_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects [ filesystem ]
Source guix-daemon
Source Path guix-daemon
Port <Unknown>
Host pasta-macbookpro-asahi
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-40.27-1.fc40.noarch
Local Policy RPM
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name pasta-macbookpro-asahi
Platform Linux pasta-macbookpro-asahi
6.11.0-400.asahi.fc40.aarch64+16k #1 SMP
PREEMPT_DYNAMIC Fri Sep 27 02:59:31 UTC 2024
aarch64
Alert Count 12
First Seen 2024-09-28 22:37:00 CDT
Last Seen 2024-09-28 22:51:58 CDT
Local ID 00bfc2a9-edf9-49d4-9f98-aaff428092a2

Raw Audit Messages
type=AVC msg=audit(1727581918.607:304): avc: denied { remount } for
pid=3363 comm="guix-daemon"
scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: guix-daemon,guix_daemon.guix_daemon_t,fs_t,filesystem,remount
```

I tried running the recommended steps by SELinux, but that did not work.

Please advise!
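The raw AVC record above carries everything needed to triage the denial before any local policy module is generated: the source type (guix_daemon.guix_daemon_t), the target type (fs_t), the object class (filesystem), the permission ({ remount }) and whether the denial was enforced (permissive=0) or only logged. The helper below is an added example, not part of this bug report or of the Guix project; it summarises such records with a plain awk pass. The three sample records are constructed to mirror the one in the report, with a second remount denial and a permissive-mode read denial added to show the grouping.

```shell
#!/bin/sh
# Added triage helper (not from Guix or the reporter): group SELinux AVC
# denials by source type, target type, class, permission and mode.

# Constructed sample audit records modelled on the denial in this report.
AVC_SAMPLE='type=AVC msg=audit(1727581918.607:304): avc: denied { remount } for pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1727581918.900:305): avc: denied { remount } for pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1727581919.100:306): avc: denied { read } for pid=3363 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1'

# avc_summary: read raw audit records on stdin and print one line per
# distinct (source type, target type, class, permission, mode) tuple,
# prefixed with its count. Mode is "enforced" when permissive=0 (the
# operation really failed) and "logged-only" otherwise.
avc_summary() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perm = ""; st = ""; tt = ""; cls = ""; mode = "unknown"
        # The permission set sits between braces: "{ remount }".
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        # Walk key=value fields; the type is the third colon field of a context.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); st = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tt = p[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "permissive") mode = (kv[2] == "0") ? "enforced" : "logged-only"
        }
        count[st " " tt " " cls " " perm " " mode]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Offline run on the constructed sample. On a live host the same function
# can read the output of: ausearch -m AVC --raw
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Two lines come out, one per distinct tuple, so it is immediately visible that the only denial actually blocking the daemon is the enforced remount on fs_t; a module generated with audit2allow from the whole log would also permit anything that was merely logged in permissive mode, so the summary is worth reading before deciding whether a local allow rule is appropriate or the shipped guix-daemon.cil policy is simply not the one that got loaded.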
Pasta Pasta wrote on 28 Oct 05:00 +0100
(address . bug-guix@gnu.org)
CA+493-otf8=RBq79vPyGBONOHKXFB08p-v2Nv4JOSL762VoQKA@mail.gmail.com
Hi!

Is anyone able to evaluate this?

Thanks!

On Sat, Sep 28, 2024 at 11:01 PM Pasta Pasta <pasta@dash.org> wrote:
>
> Hi all,
>
> I installed guix via
> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
> specifically
> ```
> cd /tmp
> wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
> chmod +x guix-install.sh
> sudo ./guix-install.sh
> ```
>
> I then tried to follow the docs here:
> https://guix.gnu.org/manual/en/html_node/SELinux-Support.html related
> to SELinux
>
> I ended up running
> ```
> sudo semodule -i
> /gnu/store/271mkw93sqb3hc4ngszcjfsc2wsb6yc8-guix-1.4.0/share/selinux/guix-daemon.cil
> ```
>
> As this was the only file I found that looked right according to the
> docs such as `semodule -i etc/guix-daemon.cil`
>
> I've restarted my system a few times, however, I am still getting
> SELinux violations resulting in
> ```
> $ guix pull
> guix pull: error: remounting /gnu/store writable: Permission denied
> ```
>
> see the detailed SELinux violation report
>
> ```
> SELinux is preventing guix-daemon from remount access on the filesystem .
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that guix-daemon should be allowed remount access on
> the filesystem by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
> # semodule -X 300 -i my-guixdaemon.pp
>
> Additional Information:
> Source Context system_u:system_r:guix_daemon.guix_daemon_t:s0
> Target Context system_u:object_r:fs_t:s0
> Target Objects [ filesystem ]
> Source guix-daemon
> Source Path guix-daemon
> Port <Unknown>
> Host pasta-macbookpro-asahi
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM selinux-policy-targeted-40.27-1.fc40.noarch
> Local Policy RPM
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name pasta-macbookpro-asahi
> Platform Linux pasta-macbookpro-asahi
> 6.11.0-400.asahi.fc40.aarch64+16k #1 SMP
> PREEMPT_DYNAMIC Fri Sep 27 02:59:31 UTC 2024
> aarch64
> Alert Count 12
> First Seen 2024-09-28 22:37:00 CDT
> Last Seen 2024-09-28 22:51:58 CDT
> Local ID 00bfc2a9-edf9-49d4-9f98-aaff428092a2
>
> Raw Audit Messages
> type=AVC msg=audit(1727581918.607:304): avc: denied { remount } for
> pid=3363 comm="guix-daemon"
> scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
>
>
> Hash: guix-daemon,guix_daemon.guix_daemon_t,fs_t,filesystem,remount
> ```
>
> I tried running the recommended steps by SELinux, but that did not work.
>
> Please advise!
To comment on this conversation send an email to 73547@debbugs.gnu.org