Hi,

I am starting with Guix and I just installed it on a CentOS Linux 8 x86_64 (kernel 4.18.0-240.15.1.el8_3.x86_64)

It went well but the daemon service exited and I couldn't install a package :

$ sudo systemctl status guix-daemon.service
‚óŹ guix-daemon.service - Build daemon for GNU Guix
   Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2021-04-24 01:44:16 CEST; 16min ago
  Process: 92489 ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild (code=exited, status=203/EXEC)
Main PID: 92489 (code=exited, status=203/EXEC)

Apr 24 01:44:16 localhost.localdomain systemd[1]: Started Build daemon for GNU Guix.
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
Apr 24 01:44:16 localhost.localdomain systemd[1]: guix-daemon.service: Failed with result 'exit-code'.

I found this similar bug report Fedora : https://bugzilla.redhat.com/show_bug.cgi?id=1433971

It seems to be related to the SELinux policy.

// ----------------------------------------------------------------------------

I run :

$ journalctl -t setroubleshoot
Apr 24 01:30:30 localhost.localdomain setroubleshoot[92081]: AnalyzeThread.run(): Set alarm timeout to 10
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: Deleting alert f25667a8-16fa-447b-8df1-8bd6a8cddc10, it is allowed in current policy
Apr 24 01:44:18 localhost.localdomain setroubleshoot[92492]: AnalyzeThread.run(): Cancel pending alarm
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon. For complete SELinux messages run: sealert -l f4db012c-2639-4a2a-80>
Apr 24 01:44:21 localhost.localdomain setroubleshoot[92492]: SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

$ sudo sealert -l f4db012c-2639-4a2a-809a-023ba4accbfd                                   
SELinux is preventing /usr/bin/bash from execute access on the file guix-daemon.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed execute access on the guix-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sesinetd' --raw | audit2allow -M my-sesinetd
# semodule -X 300 -i my-sesinetd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                guix-daemon [ file ]
Source                        sesinetd
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-239-41.el8_3.2.x86_64
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1
                              17:16:16 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-03-20 21:06:10 CET
Last Seen                     2021-04-24 01:44:16 CEST
Local ID                      f4db012c-2639-4a2a-809a-023ba4accbfd

Raw Audit Messages
type=AVC msg=audit(1619221456.618:467): avc:  denied  { execute } for  pid=92489 comm="(x-daemon)" name="guix-daemon" dev="dm-0" ino=2625286 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1619221456.618:467): arch=x86_64 syscall=execve success=no exit=EACCES a0=5609e6745860 a1=5609e6600e20 a2=5609e66a8720 a3=2d646c6975622d2d items=0 ppid=1 pid=92489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(x-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: sesinetd,init_t,user_tmp_t,file,execute

// ----------------------------------------------------------------------------

I tried executing the commands provided by SELinux to allow the access but it doesn't work and I don't really understand how it works.

Also on the SELinux support page in the Guix documentation, the etc/guix-daemon.cil file doesn't exist so I don't know how to run the command.

Has anyone gotten to run guix on a CentOS with SELinux enabled?

Any help would be greatly appreciated!

Thanks

Joseph