unofficial mirror of bug-guix@gnu.org 
* bug#62487: guix-daemon fails on SELinux/systemd distros
@ 2023-03-27 16:16 Ludovic Courtès
  2023-05-25 10:55 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Ludovic Courtès @ 2023-03-27 16:16 UTC (permalink / raw)
  To: 62487; +Cc: Ricardo Wurmus


Hello!

Running guix-daemon on an SELinux distro is difficult and sparsely
documented (info "(guix) SELinux Support").  On-line fora are full of
questions on this topic and sometimes random advice.

I thought we could improve on that by having ‘guix-install.sh’ take care
of most things dynamically and documenting any remaining bits with
copy/pastable snippets.

The attached patch does 90% of the job!  I tested it on the Rocky Linux 9
live image available at:

  https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso

The missing 10% is related to the ‘gnu-store.mount’ job: guix-daemon fails
to remount it read-write:

--8<---------------cut here---------------start------------->8---
# guix build hello
guix build: error: remounting /gnu/store writable: Permission denied

# ausearch -c guix-daemon | tail
time->Mon Mar 27 12:01:38 2023
type=PROCTITLE msg=audit(1679932898.081:464): proctitle=2F7661722F677569782F70726F66696C65732F7065722D757365722F726F6F742F63757272656E742D677569782F62696E2F677569782D6461656D6F6E003338303200000000000000000000000000000000000000000000000000002D2D646973636F7665723D6E6F
type=SYSCALL msg=audit(1679932898.081:464): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=4c5c10 a2=49f442 a3=1020 items=0 ppid=3258 pid=3805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="guix-daemon" exe="/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix-daemon" subj=system_u:system_r:guix_daemon.guix_daemon_t:s0 key=(null)
type=AVC msg=audit(1679932898.081:464): avc:  denied  { remount } for  pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
--8<---------------cut here---------------end--------------->8---

It works fine (as in: ‘guix build hello’ succeeds) if I ‘systemctl stop
guix-daemon.service’ and instead run:

  guix-daemon --build-users-group=guixbuild

in the terminal.

Could it be a systemd feature at play here?

As a stopgap, we could change ‘guix-install.sh’ to not install
‘gnu-store.mount’ on SELinux systems.

Thoughts?

Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 1085 bytes --]

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index ea10f35250..1e6d5285f7 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -599,6 +599,22 @@ fi
     _msg "${PAS}Bash shell prompt successfully customized for Guix"
 }
 
+sys_maybe_setup_selinux()
+{
+    if [ -f /sys/fs/selinux/policy ]
+    then
+	prompt_yes_no "Install SELinux policy required to run guix-daemon?" \
+	    || return
+
+	local var_guix=/var/guix/profiles/per-user/root/current-guix
+	semodule -i "${var_guix}/share/selinux/guix-daemon.cil"
+	restorecon -R /gnu /var/guix
+	# chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/
+	# chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix
+	# chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link
+    fi
+}
+
 welcome()
 {
     local char
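Review bot: the exit statuses of `semodule -i` and `restorecon -R` in sys_maybe_setup_selinux are ignored, so if `${var_guix}/share/selinux/guix-daemon.cil` is absent from the installed Guix (the later commit "self: Install 'guix-daemon.cil'" in this thread suggests it was), the function prints semodule's error and main() goes on to enable the daemon as though labelling had succeeded. Suggest testing for the file first and failing loudly, e.g. `semodule -i "${var_guix}/share/selinux/guix-daemon.cil" || { _msg "${ERR}Failed to install SELinux policy"; return 1; }`. The three commented-out `chcon` lines should either be dropped or carry a comment saying why `restorecon` supersedes them.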
@@ -674,6 +690,7 @@ main()
 
     sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
     sys_create_build_user
+    sys_maybe_setup_selinux
     sys_enable_guix_daemon
     sys_authorize_build_farms
     sys_create_init_profile
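Review bot: calling sys_maybe_setup_selinux here puts an interactive `prompt_yes_no` in the middle of otherwise unattended main() steps, so scripted installs on SELinux hosts now block on a question; consider honouring a non-interactive default. Placing it before sys_enable_guix_daemon is right (labels exist before the service starts), but note that the `{ remount }` denial on `fs_t` shown in the report is not addressed by this call and the installer still enables `gnu-store.mount`, so the stopgap mentioned in the message (skipping `gnu-store.mount` on SELinux systems) or a policy change belongs alongside this line.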

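The AVC record quoted in the report names everything needed to see which rule the loaded policy lacks. The following is an added example, not code from the report or from guix-install.sh: it turns such an `ausearch` line into the CIL allow rule that an audit2allow-style derivation would propose, so the missing permission can be reviewed against the policy before anyone decides whether `guix_daemon.guix_daemon_t` should be allowed to remount `fs_t`. It assumes the type names are written exactly as they appear in the `scontext`/`tcontext` fields (the `guix_daemon.` prefix is the CIL block namespace).

```shell
#!/bin/sh
# Added example (not part of the bug report or guix-install.sh): derive the
# CIL allow rule matching an AVC denial, for review against the policy.

# The AVC record from the report, embedded here as the sample input.
AVC_LINE='type=AVC msg=audit(1679932898.081:464): avc:  denied  { remount } for  pid=3805 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0'

# avc_field LINE KEY: print the value of KEY=VALUE in an audit record.
# A space is prepended so the leading "type=" field matches like the rest.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component (third field) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "{ ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr -s ' '
}

# avc_to_cil LINE: print "(allow SRC TGT (CLASS (PERMS)))" for an AVC record;
# returns 1 (prints nothing) for any other audit record type.
avc_to_cil() {
    line=$1
    [ "$(avc_field "$line" type)" = AVC ] || return 1
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_cil "$AVC_LINE"
```

Feeding the record above yields `(allow guix_daemon.guix_daemon_t fs_t (filesystem (remount)))`; piping `ausearch -m AVC` output through the function line by line collects every rule the daemon would need under the current labels.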

* bug#62487: guix-daemon fails on SELinux/systemd distros
  2023-03-27 16:16 bug#62487: guix-daemon fails on SELinux/systemd distros Ludovic Courtès
@ 2023-05-25 10:55 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2023-05-25 10:55 UTC (permalink / raw)
  To: 62487-done; +Cc: Ricardo Wurmus

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> I thought we could improve on that by having ‘guix-install.sh’ take care
> of most things dynamically and documenting any remaining bits with
> copy/pastable snippets.
>
> The attached patch does 90% of the job!  I tested it on the Rocky Linux 9
> live image available at:
>
>   https://dl.rockylinux.org/pub/rocky/9/live/x86_64/Rocky-9-Workstation-Lite-x86_64-latest.iso

I fixed it with these commits (and with help from Ricardo, thanks!):

  ca1ea6373a * self: Install 'guix-daemon.cil'.
  b59c18f761 * doc: Tweak SELinux instructions.
  4166b583fb * guix-install.sh: Install SELinux policy and relabel file systems if needed.
  3bf612eaa1 * etc: SELinux: Update policy file.

Tested again in the Rocky Linux 9 image above.

Ludo’.






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
