GNU bug report logs - #78317
Unprivileged guix-daemon and SELinux

Package: guix;

Reported by: Ido Yariv <yarivido <at> gmail.com>

Date: Thu, 8 May 2025 12:54:02 UTC

Severity: normal

Done: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Bug is archived. No further changes may be made.


Report forwarded to bug-guix <at> gnu.org:
bug#78317; Package guix. (Thu, 08 May 2025 12:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ido Yariv <yarivido <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 08 May 2025 12:54:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ido Yariv <yarivido <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Unprivileged guix-daemon and SELinux
Date: Thu, 8 May 2025 08:53:00 -0400
Hi,

It seems that the new unprivileged mode of guix-daemon breaks on some foreign
distros with SELinux.
More specifically, SELinux prevents guix-daemon from creating & entering user
namespaces.

The following change seems to mitigate this on Fedora:
--8<---------------cut here---------------start------------->8---
diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
index b221e31094..d98af865eb 100644
--- a/etc/guix-daemon.cil.in
+++ b/etc/guix-daemon.cil.in
@@ -361,6 +361,14 @@
          self
          (netlink_route_socket (bind create getattr nlmsg_read read write
getopt)))

+  ;; Allow use of user namespaces
+  (allow guix_daemon_t
+         self
+         (cap_userns (sys_admin net_admin sys_chroot)))
+  (allow guix_daemon_t
+         self
+         (user_namespace (create)))
+
   ;; Socket operations
   (allow guix_daemon_t
          guix_daemon_socket_t
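Review bot: the second rule, `(allow guix_daemon_t self (user_namespace (create)))`, makes the whole module fail to load on policies that do not declare the `user_namespace` class (the cover text names Rocky Linux 9); consider wrapping that rule in a CIL `(optional ...)` block, which is dropped at load time when its statements cannot resolve, so the same file installs on both old and new policies. The `cap_userns` rule would also benefit from a comment stating why `net_admin` is needed alongside `sys_admin` and `sys_chroot`, since the surrounding rules only document what they allow, not why.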
--8<---------------cut here---------------end--------------->8---

The second rule requires the user_namespace class to be defined, and might break
with policies which do not include it (e.g., Rocky Linux 9).

Given that the guix-daemon SELinux policy doesn't quite work out of the box for
stable releases (cil file is outdated and doesn't include all required
permissions), one suggestion can be to use an unconfined domain for the time
being, at least optionally?

For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can be
set to usr_t, similar to /usr & /opt, requiring no extra policy:
--8<---------------cut here---------------start------------->8---
sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
--8<---------------cut here---------------end--------------->8---

More details can be found here: https://danwalsh.livejournal.com/70577.html

It might not be ideal, but it works without any extra tweaking on each
upgrade, and keeps the rest of the system policy enforced.

Thanks,
Ido.

Information forwarded to bug-guix <at> gnu.org:
bug#78317; Package guix. (Thu, 16 Oct 2025 14:26:01 GMT) Full text and rfc822 format available.

Message #8 received at 78317 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: Ido Yariv <yarivido <at> gmail.com>
Cc: 78317 <at> debbugs.gnu.org
Subject: Re: bug#78317: Unprivileged guix-daemon and SELinux
Date: Thu, 16 Oct 2025 16:25:16 +0200
Hi Ido,

Ido Yariv <yarivido <at> gmail.com> skribis:

> It seems that the new unprivileged mode of guix-daemon breaks on some foreign
> distros with SELinux.
> More specifically, SELinux prevents guix-daemon from creating & entering user
> namespaces.
>
> The following change seems to mitigate this on Fedora:

[...]

> The second rule requires the user_namespace class to be defined, and might break
> with policies which do not include it (e.g., Rocky Linux 9).

What would you recommend to support both systems where the
‘user_namespace’ class is missing and (newer?) systems where it’s
available?

Or should we consider that the latter is enough?

> Given that the guix-daemon SELinux policy doesn't quite work out of the box for
> stable releases (cil file is outdated and doesn't include all required
> permissions), one suggestion can be to use an unconfined domain for the time
> being, at least optionally?
>
> For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can be
> set to usr_t, similar to /usr & /opt, requiring no extra policy:
> --8<---------------cut here---------------start------------->8---
> sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
> --8<---------------cut here---------------end--------------->8---

Sounds like a reasonable fallback option.

Thanks for reporting this, and apologies for not noticing earlier.

If you want, you’re welcome to follow up at
<https://codeberg.org/guix/guix/issues/3576>.

Ludo’.
bug closed, send any further explanations to 78317 <at> debbugs.gnu.org and Ido Yariv <yarivido <at> gmail.com> Request was from Ludovic Courtès <ludovic.courtes <at> inria.fr> to control <at> debbugs.gnu.org. (Thu, 16 Oct 2025 14:26:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 14 Nov 2025 12:24:06 GMT) Full text and rfc822 format available.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.