GNU bug report logs - #78317
Unprivileged guix-daemon and SELinux

Previous Next

Package: guix;

Reported by: Ido Yariv <yarivido <at> gmail.com>

Date: Thu, 8 May 2025 12:54:02 UTC

Severity: normal

To reply to this bug, email your comments to 78317 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#78317; Package guix. (Thu, 08 May 2025 12:54:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Ido Yariv <yarivido <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 08 May 2025 12:54:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ido Yariv <yarivido <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Unprivileged guix-daemon and SELinux
Date: Thu, 8 May 2025 08:53:00 -0400

[Message part 1 (text/plain, inline)]
Hi,

It seems that the new unprivileged mode of guix-daemon breaks on some
foreign
distros with SELinux.
More specifically, SELinux prevents guix-daemon from creating & entering
user
namespaces.

The following change seems to mitigate this on Fedora:
--8<---------------cut here---------------start------------->8---
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index b221e31094..d98af865eb 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -361,6 +361,14 @@
          self
          (netlink_route_socket (bind create getattr nlmsg_read read write
getopt)))

+  ;; Allow use of user namespaces
+  (allow guix_daemon_t
+         self
+         (cap_userns (sys_admin net_admin sys_chroot)))
+  (allow guix_daemon_t
+         self
+         (user_namespace (create)))
+
   ;; Socket operations
   (allow guix_daemon_t
          guix_daemon_socket_t
--8<---------------cut here---------------end--------------->8---

The second rule requires the user_namespace class to be defined, and might
break
with policies which do not include it (e.g., Rocky Linux 9).

Given that the guix-daemon SELinux policy doesn't quite work out of the box
for
stable releases (cil file is outdated and doesn't include all required
permissions), one suggestion can be to use an unconfined domain for the time
being, at least optionally?

For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can
be
set to usr_t, similar to /usr & /opt, requiring no extra policy:
--8<---------------cut here---------------start------------->8---
sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
--8<---------------cut here---------------end--------------->8---

More details can be found here: https://danwalsh.livejournal.com/70577.html

It might not be ideal, but it works without any extra tweaking on each
upgrade, and keeps the rest of the system policy enforced.

Thanks,
Ido.

[Message part 2 (text/html, inline)]
This bug report was last modified 6 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.