GNU bug report logs - #62487 guix-daemon fails on SELinux/systemd distros
Report forwarded to rekado <at> elephly.net, bug-guix <at> gnu.org: bug#62487; Package guix. (Mon, 27 Mar 2023 16:18:02 GMT)
Acknowledgement sent to Ludovic Courtès <ludovic.courtes <at> inria.fr>: New bug report received and forwarded. Copy sent to rekado <at> elephly.net, bug-guix <at> gnu.org. (Mon, 27 Mar 2023 16:18:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hello!
Running guix-daemon on an SELinux distro is difficult and sparsely
documented (info "(guix) SELinux Support"). On-line fora are full of
questions on this topic and sometimes random advice.
I thought we could improve on that by having ‘guix-install.sh’ take care
of most things dynamically and documenting any remaining bits with
copy/pastable snippets.
The attached patch does 90% of the job! I tested it on the Rocky Linux 9
live image available at:
https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso
The missing 10% relates to the ‘gnu-store.mount’ job: guix-daemon fails
to remount it read-write:
--8<---------------cut here---------------start------------->8---
# guix build hello
guix build: error: remounting /gnu/store writable: Permission denied
# ausearch -c guix-daemon | tail
time->Mon Mar 27 12:01:38 2023
type=PROCTITLE msg=audit(1679932898.081:464): proctitle=2F7661722F677569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569782F62696E2F677569782D6461656D6F6E003338303200000000000000000000000000000000000000000000000000002D2D646973636F7665723D6E6F
type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=4c5c10 a2=49f442 a3=1020 items=0 ppid=3258 pid=3805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="guix-daemon" exe="/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix-daemon" subj=system_u:system_r:guix_daemon.guix_daemon_t:s0 key=(null)
type=AVC msg=audit(1679932898.081:464): avc: denied { remount } for pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
--8<---------------cut here---------------end--------------->8---
It works fine (as in: ‘guix build hello’ succeeds) if I ‘systemctl stop
guix-daemon.service’ and instead run:
guix-daemon --build-users-group=guixbuild
in the terminal.
Could it be a systemd feature at play here?
As a stopgap, we could change ‘guix-install.sh’ to not install
‘gnu-store.mount’ on SELinux systems.
Thoughts?
Ludo’.
[Message part 2 (text/x-patch, inline)]
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index ea10f35250..1e6d5285f7 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -599,6 +599,22 @@ fi
_msg "${PAS}Bash shell prompt successfully customized for Guix"
}
+sys_maybe_setup_selinux()
+{
+ if [ -f /sys/fs/selinux/policy ]
+ then
+ prompt_yes_no "Install SELinux policy required to run guix-daemon?" \
+ || return
+
+ local var_guix=/var/guix/profiles/per-user/root/current-guix
+ semodule -i "${var_guix}/share/selinux/guix-daemon.cil"
+ restorecon -R /gnu /var/guix
+ # chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix
+ # chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link
+ fi
+}
+
welcome()
{
local char
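Review bot: in `sys_maybe_setup_selinux` the exit status of `semodule -i "${var_guix}/share/selinux/guix-daemon.cil"` is never checked, so if `semodule` is absent or the module fails to load, the function still runs `restorecon -R /gnu /var/guix` and the installer goes on to enable and start the daemon, which then fails at runtime with denials like the AVC quoted in the report. Suggest `semodule -i "${var_guix}/share/selinux/guix-daemon.cil" || { _msg "failed to install the SELinux policy"; return 1; }` (or whatever the script's usual error exit is) and checking that `semodule` and `restorecon` are on PATH before offering the prompt. The three commented-out `chcon` lines should either be deleted or replaced by a comment saying why they are not needed: once the module is loaded, `restorecon -R` applies whatever file contexts guix-daemon.cil declares for those paths.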
@@ -674,6 +690,7 @@ main()
sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
sys_create_build_user
+ sys_maybe_setup_selinux
sys_enable_guix_daemon
sys_authorize_build_farms
sys_create_init_profile
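Review bot: the call is placed after `sys_create_build_user` and before `sys_enable_guix_daemon`, which is the right order (policy loaded and store relabelled before the daemon is started), but this hunk does not address the failure the report describes: the installer still installs `gnu-store.mount`, and that read-only mount is what yields `denied { remount }` on `fs_t` once guix-daemon tries to make /gnu/store writable. Either the policy needs a rule permitting that remount, or, as the stopgap proposed in the message, `gnu-store.mount` should be skipped when `/sys/fs/selinux/policy` exists; as written, an SELinux host ends up with a daemon that starts but cannot build anything.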
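The ausearch records quoted in the report can be decoded mechanically. The following Python is added here and is not part of the bug report or of Guix: it parses those three audit records (embedded as sample input), decodes the hex-encoded proctitle into argv, names the syscall and errno, and renders the denial as the CIL allow rule it corresponds to, for a policy maintainer to review. The syscall table is an assumption limited to the one x86_64 entry (mount(2)) that appears in the report.

```python
import errno
import re

# Sample input: the three records of audit event 1679932898.081:464, copied
# from the ausearch output quoted in the report above.
AUDIT_LOG = """\
type=PROCTITLE msg=audit(1679932898.081:464): proctitle=2F7661722F677569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569782F62696E2F677569782D6461656D6F6E003338303200000000000000000000000000000000000000000000000000002D2D646973636F7665723D6E6F
type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=4c5c10 a2=49f442 a3=1020 items=0 ppid=3258 pid=3805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="guix-daemon" exe="/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix-daemon" subj=system_u:system_r:guix_daemon.guix_daemon_t:s0 key=(null)
type=AVC msg=audit(1679932898.081:464): avc: denied { remount } for pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([^)]+)\)')
DENIED_RE = re.compile(r'denied\s*\{([^}]*)\}')
SYSCALL_NAMES = {("c000003e", "165"): "mount"}  # only the x86_64 pair seen in the report

def parse_events(text):
    """Group records by audit event id: {event_id: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields["type"] == "AVC":  # "denied { ... }" is not a key=value pair
            fields["denied"] = DENIED_RE.search(line).group(1).split()
        event_id = EVENT_RE.search(line).group(1)
        events.setdefault(event_id, {})[fields["type"]] = fields
    return events

def decode_proctitle(hexstr):
    """auditd hex-encodes proctitle because argv entries are NUL-separated."""
    return [arg.decode() for arg in bytes.fromhex(hexstr).split(b"\0") if arg]

def context_type(ctx):
    """'system_u:system_r:guix_daemon.guix_daemon_t:s0' -> 'guix_daemon.guix_daemon_t'."""
    return ctx.split(":")[2]

def explain(event):
    """Summarise one denial and render the CIL allow rule it maps to, for the
    policy maintainer to review (it covers every filesystem of the target type)."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    rule = "(allow %s %s (%s (%s)))" % (context_type(avc["scontext"]),
            context_type(avc["tcontext"]), avc["tclass"], " ".join(avc["denied"]))
    return {
        "argv": decode_proctitle(event["PROCTITLE"]["proctitle"]),
        "syscall": SYSCALL_NAMES.get((sc.get("arch"), sc.get("syscall")), sc.get("syscall")),
        "errno": errno.errorcode.get(-int(sc.get("exit", "0"))),  # -13 -> EACCES
        "enforced": avc["permissive"] == "0",
        "cil_rule": rule,
    }
```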
Reply sent to Ludovic Courtès <ludovic.courtes <at> inria.fr>: You have taken responsibility. (Thu, 25 May 2023 10:56:01 GMT)
Notification sent to Ludovic Courtès <ludovic.courtes <at> inria.fr>: bug acknowledged by developer. (Thu, 25 May 2023 10:56:01 GMT)
Message #10 received at 62487-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> I thought we could improve on that by having ‘guix-install.sh’ take care
> of most things dynamically and documenting any remaining bits with
> copy/pastable snippets.
>
> The attached patch does 90% of the job! I tested it on the Rocky Linux 9
> live image available at:
>
> https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso
I fixed it with these commits (and with help from Ricardo, thanks!):
ca1ea6373a * self: Install 'guix-daemon.cil'.
b59c18f761 * doc: Tweak SELinux instructions.
4166b583fb * guix-install.sh: Install SELinux policy and relabel file systems if needed.
3bf612eaa1 * etc: SELinux: Update policy file.
Tested again in the Rocky Linux 9 image above.
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Jun 2023 11:24:13 GMT)