Ludovic Courtès <ludovic.courtes@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Received: (at 78317) by debbugs.gnu.org; 16 Oct 2025 14:25:44 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Oct 16 10:25:44 2025 Received: from localhost ([127.0.0.1]:36449 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1v9OvH-0002Tr-Ii for submit <at> debbugs.gnu.org; Thu, 16 Oct 2025 10:25:44 -0400 Received: from mail3-relais-sop.national.inria.fr ([192.134.164.104]:25216) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <ludovic.courtes@HIDDEN>) id 1v9OvA-0002TK-4r for 78317 <at> debbugs.gnu.org; Thu, 16 Oct 2025 10:25:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:to:cc:subject:in-reply-to:references:date: message-id:mime-version:content-transfer-encoding; bh=IZ2YQv/aRHSzptSxXQvgRSZxQukwtL3U0Fa3zdc7pu0=; b=I2h74IxIrc5OttmhijGYn6BX0WLDrV1j8IQSlFuRiQYGp+mwuLrber1S 2RkWUmpMpYpZNkY99vN3a0ckk6fciKy9IGSLpRK4/9DBgke55Zo9+jQsb wxzcxCxppXAHFHUXkQfMhvqda2UeNOPzUk6x5FjlHrVbMV9LolruzZ7DY g=; X-CSE-ConnectionGUID: tsLBMlzURIuUEv7X7IonQw== X-CSE-MsgGUID: InukMKh1RxWI61R3TQBnpg== Authentication-Results: mail3-relais-sop.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=ludovic.courtes@HIDDEN; dmarc=fail (p=none dis=none) d=inria.fr X-IronPort-AV: E=Sophos;i="6.19,234,1754949600"; d="scan'208";a="128403872" Received: from 91-160-117-201.subs.proxad.net (HELO ribbon) ([91.160.117.201]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Oct 2025 16:25:28 +0200 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludovic.courtes@HIDDEN> To: Ido Yariv <yarivido@HIDDEN> Subject: Re: bug#78317: Unprivileged guix-daemon and SELinux In-Reply-To: <CAMPn9M=+61f_NcQENzaUDe8iAr8fQnh0BS7zQZMKA2pqU4d8wA@HIDDEN> (Ido Yariv's message of "Thu, 8 May 2025 08:53:00 -0400") References: <CAMPn9M=+61f_NcQENzaUDe8iAr8fQnh0BS7zQZMKA2pqU4d8wA@HIDDEN> Date: Thu, 16 Oct 2025 16:25:16 +0200 Message-ID: <87frbi6i0j.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 78317 Cc: 78317 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi Ido, Ido Yariv <yarivido@HIDDEN> skribis: > It seems that the new unprivileged mode of guix-daemon breaks on some for= eign > distros with SELinux. > More specifically, SELinux prevents guix-daemon from creating & entering = user > namespaces. > > The following change seems to mitigate this on Fedora: [...] > The second rule requires the user_namespace class to be defined, and migh= t break > with policies which do not include it (e.g., Rocky Linux 9). What would you recommend to support both systems where the =E2=80=98user_namespace=E2=80=99 class is missing and (newer?) systems wher= e it=E2=80=99s available? Or should we consider that the latter is enough? > Given that the guix-daemon SELinux policy doesn't quite work out of the b= ox for > stable releases (cil file is outdated and doesn't include all required > permissions), one suggestion can be to use an unconfined domain for the t= ime > being, at least optionally? > > For instance, at least on Fedora and Rocky Linux 9, /gnu's file context c= an be > set to usr_t, similar to /usr & /opt, requiring no extra policy: > --8<---------------cut here---------------start------------->8--- > sudo semanage fcontext -a -t usr_t '/gnu(/.*)?' > --8<---------------cut here---------------end--------------->8--- Sounds like a reasonable fallback option. Thanks for reporting this, and apologies for not noticing earlier. If you want, you=E2=80=99re welcome to follow up at <https://codeberg.org/guix/guix/issues/3576>. Ludo=E2=80=99.
bug-guix@HIDDEN:bug#78317; Package guix.
Full text available.
Received: (at submit) by debbugs.gnu.org; 8 May 2025 12:53:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu May 08 08:53:46 2025
Received: from localhost ([127.0.0.1]:55563 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1uD0l0-0001fq-4U
for submit <at> debbugs.gnu.org; Thu, 08 May 2025 08:53:46 -0400
Received: from lists.gnu.org ([2001:470:142::17]:52004)
by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.84_2) (envelope-from <yarivido@HIDDEN>)
id 1uD0kr-0001eI-Jh
for submit <at> debbugs.gnu.org; Thu, 08 May 2025 08:53:41 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <yarivido@HIDDEN>)
id 1uD0kX-0007uk-KL
for bug-guix@HIDDEN; Thu, 08 May 2025 08:53:23 -0400
Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.90_1) (envelope-from <yarivido@HIDDEN>)
id 1uD0kU-00069B-U4
for bug-guix@HIDDEN; Thu, 08 May 2025 08:53:17 -0400
Received: by mail-ed1-x52a.google.com with SMTP id
4fb4d7f45d1cf-5fbeadf2275so1691330a12.2
for <bug-guix@HIDDEN>; Thu, 08 May 2025 05:53:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1746708791; x=1747313591; darn=gnu.org;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=ZfPkqcFbR6+Zzh1+Ecw1U8wBvWwui+YkwsVP/9PbQKQ=;
b=ZOtQgxviosckiAQo+7aIxgDGFM5noqHQyeQfcP4I4aLyrgtJLH1gv7LiRCUtGvNFIq
foYYZacGrWQyN8pKNM2fKvBZNOLu/q0n4Gdy4AgcAWhkHaxrkk3CqXaxVuqW1IaVaXQ9
0Gy5vYEC11aur1mfV2rJgSxgc+Lil5rWHJfmtz5F8pySvrANHECAeRSM0Y+AyF/VYcD0
Y0xa7rM3PgXQBQjKPu/m+3fwU7QlRTtxjEwJxUbP3Ffzw4OLK6udDI7u9Ujv0qtHMWUL
MKro/Dw6C/qNVDqmkHap3hSv7cPbXbdK1v8BIXTprcMy6NYeYHYwepWzKNq13KpkzVAy
O1sQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1746708791; x=1747313591;
h=to:subject:message-id:date:from:mime-version:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=ZfPkqcFbR6+Zzh1+Ecw1U8wBvWwui+YkwsVP/9PbQKQ=;
b=XCrMPnoXDzH5o3fNrXvEkZ1KZ1fChPLtYV4vnmCG16QAo9DOd8ZW2JzWlfE6I4X4cJ
Gk0cSiH8a3i/trhQxWsM4ShasgFbv6ss1UMt05MLQKUdI2be4vUkOScJGEffycxCySis
sLflB5l+pBMtVznVEI4agGExrhzDStAyrmi9CD4a3sGsMjrvN02rbKGgP0lX/ohfBE1U
5xfoB9k2ogGLeFHc3oaI3bXrIM2BV8IonQXY1/gvoHm4wOIMRev2zu/+BKxDJoF68PGt
hPoiCFdiZpKT1V1r9fkX1Nol7Hw3rR9ossVmwELmlnrofF05v+R7cbg85JmYA5tI2XRN
D4VQ==
X-Gm-Message-State: AOJu0YzyzNJNPWFg4UWFd7fWLco9YWJVn76aETP4TDCpTH4uS/zyr+7r
NlELwRz2TfUkyYKO70YoHPwTHBHmcp2QKaSBpGYJ91gAqFdNdJ9L0qdrtU4NXf7yEmChYC12Jbp
j6PArrOgmzuvn705HXo6WSKSzz/J9ZGahBQo=
X-Gm-Gg: ASbGncvgfdW2JmS5RDxrf2QBFVBdaCrPLbBYj1bauR8kNQqMAgJe4OGRgVvkeoYvhZI
1PW0X3AK43fR4krDTfLdpJg6uhNI2MO3KLU6t2iE3oMOL23/Ch3VMcvAdMwJt9vPeGnN/7xX2wl
SLT0ISUCdrBy/QvEg44zgEz/hSFosSjgwgQAfkNRtNr4jq8/0dBnNeJ5d2UEM8vHTd2s0=
X-Google-Smtp-Source: AGHT+IFhKPpwWdYIh3W8AOJLmDXB9AykLKnpkpAXt17X39BVUJOznnu8TnXpEM8khVZYEHeC6WRAQ3fppsrRFoliQF4=
X-Received: by 2002:a17:907:97c1:b0:acf:8d:bf9a with SMTP id
a640c23a62f3a-ad1e8dbeb9emr730064366b.47.1746708791319; Thu, 08 May 2025
05:53:11 -0700 (PDT)
MIME-Version: 1.0
From: Ido Yariv <yarivido@HIDDEN>
Date: Thu, 8 May 2025 08:53:00 -0400
X-Gm-Features: ATxdqUEm2MQQz7zC9HBtZrt1hqtcYll3_u9RRx07QasLR2tRD3T8bWBe_4HKKSM
Message-ID: <CAMPn9M=+61f_NcQENzaUDe8iAr8fQnh0BS7zQZMKA2pqU4d8wA@HIDDEN>
Subject: Unprivileged guix-daemon and SELinux
To: bug-guix@HIDDEN
Content-Type: multipart/alternative; boundary="00000000000008692a06349f558d"
Received-SPF: pass client-ip=2a00:1450:4864:20::52a;
envelope-from=yarivido@HIDDEN; helo=mail-ed1-x52a.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)
--00000000000008692a06349f558d
Content-Type: text/plain; charset="UTF-8"
Hi,
It seems that the new unprivileged mode of guix-daemon breaks on some
foreign
distros with SELinux.
More specifically, SELinux prevents guix-daemon from creating & entering
user
namespaces.
The following change seems to mitigate this on Fedora:
--8<---------------cut here---------------start------------->8---
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index b221e31094..d98af865eb 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -361,6 +361,14 @@
self
(netlink_route_socket (bind create getattr nlmsg_read read write
getopt)))
+ ;; Allow use of user namespaces
+ (allow guix_daemon_t
+ self
+ (cap_userns (sys_admin net_admin sys_chroot)))
+ (allow guix_daemon_t
+ self
+ (user_namespace (create)))
+
;; Socket operations
(allow guix_daemon_t
guix_daemon_socket_t
--8<---------------cut here---------------end--------------->8---
The second rule requires the user_namespace class to be defined, and might
break
with policies which do not include it (e.g., Rocky Linux 9).
Given that the guix-daemon SELinux policy doesn't quite work out of the box
for
stable releases (cil file is outdated and doesn't include all required
permissions), one suggestion can be to use an unconfined domain for the time
being, at least optionally?
For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can
be
set to usr_t, similar to /usr & /opt, requiring no extra policy:
--8<---------------cut here---------------start------------->8---
sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
--8<---------------cut here---------------end--------------->8---
More details can be found here: https://danwalsh.livejournal.com/70577.html
It might not be ideal, but it works without any extra tweaking on each
upgrade, and keeps the rest of the system policy enforced.
Thanks,
Ido.
--00000000000008692a06349f558d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi,<br><br>It seems that the new unprivileged mode of guix=
-daemon breaks on some foreign<br>distros with SELinux.<br>More specificall=
y, SELinux prevents guix-daemon from creating & entering user<br>namesp=
aces.<br><br>The following change seems to mitigate this on Fedora:<br>--8&=
lt;---------------cut here---------------start------------->8---<br>diff=
--git a/etc/<a href=3D"http://guix-daemon.cil.in">guix-daemon.cil.in</a> b=
/etc/<a href=3D"http://guix-daemon.cil.in">guix-daemon.cil.in</a><br>index =
b221e31094..d98af865eb 100644<br>--- a/etc/<a href=3D"http://guix-daemon.ci=
l.in">guix-daemon.cil.in</a><br>+++ b/etc/<a href=3D"http://guix-daemon.cil=
.in">guix-daemon.cil.in</a><br>@@ -361,6 +361,14 @@<br>=C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 self<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (netlink_route_so=
cket (bind create getattr nlmsg_read read write getopt)))<br>=C2=A0<br>+ =
=C2=A0;; Allow use of user namespaces<br>+ =C2=A0(allow guix_daemon_t<br>+ =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 self<br>+ =C2=A0 =C2=A0 =C2=A0 =C2=A0 (cap_user=
ns (sys_admin net_admin sys_chroot)))<br>+ =C2=A0(allow guix_daemon_t<br>+ =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 self<br>+ =C2=A0 =C2=A0 =C2=A0 =C2=A0 (user_nam=
espace (create)))<br>+<br>=C2=A0 =C2=A0;; Socket operations<br>=C2=A0 =C2=
=A0(allow guix_daemon_t<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 guix_daemon_s=
ocket_t<br>--8<---------------cut here---------------end---------------&=
gt;8---<br><br>The second rule requires the user_namespace class to be defi=
ned, and might break<br>with policies which do not include it (e.g., Rocky =
Linux 9).<br><br>Given that the guix-daemon SELinux policy doesn't quit=
e work out of the box for<br>stable releases (cil file is outdated and does=
n't include all required<br>permissions), one suggestion can be to use =
an unconfined domain for the time<br>being, at least optionally?<br><br>For=
instance, at least on Fedora and Rocky Linux 9, /gnu's file context ca=
n be<br>set to usr_t, similar to /usr & /opt, requiring no extra policy=
:<br>--8<---------------cut here---------------start------------->8--=
-<br>sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'<br>--8<----=
-----------cut here---------------end--------------->8---<br><br>More de=
tails can be found here: <a href=3D"https://danwalsh.livejournal.com/70577.=
html">https://danwalsh.livejournal.com/70577.html</a><br><br>It might not b=
e ideal, but it works without any extra tweaking on each<br>upgrade, and ke=
eps the rest of the system policy enforced.<br><br>Thanks,<br>Ido.</div>
--00000000000008692a06349f558d--
Ido Yariv <yarivido@HIDDEN>:bug-guix@HIDDEN.
Full text available.bug-guix@HIDDEN:bug#78317; Package guix.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.