Hello Daniel,

Thanks a lot for this.

Daniel Brooks writes:

>>From 7dd9ed6da01c5bf125c95592f4978b579198731a Mon Sep 17 00:00:00 2001
> From: Daniel Brooks
> Date: Mon, 9 Nov 2020 07:03:42 -0800
> Subject: [PATCH] etc: updates for the guix-daemon SELinux policy
>
> * etc/guix-daemon.cil.in: I can't promise that this is a complete list of
> everything that guix-daemon needs, but it's probably most of them. It can
> search for, install, upgrade, and remove packages, create virtual machines,
> update itself, and so on. I haven't tried creating containers yet, which might
> reveal more things to add.

This commit message is somewhat unorthodox. :-)

Perhaps it can be shortened to:

* etc/guix-daemon.cil.in (guix_daemon): Specify more permissions for
guix-daemon to account for daemon updates and newer SELinux.

[...]

> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
> index e0c9113498..666e5677a3 100644
> --- a/etc/guix-daemon.cil.in
> +++ b/etc/guix-daemon.cil.in
> @@ -21,6 +21,18 @@ > ;; Intermediate Language (CIL). It refers to types that must be defined in > ;; the system's base policy. > > +;; If you, like me, need advice about fixing an SELinux policy, I recommend > +;; reading https://danwalsh.livejournal.com/55324.html > + > +;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t > +;; to allow guix-daemon to do whatever it wants. SELinux will still check its > +;; permissions, and when it doesn't have permission it will still send an > +;; audit message to your system logs. This lets you know what permissions it > +;; ought to have. Use ausearch --raw to find the permissions violations, then > +;; pipe that to audit2allow to generate an updated policy. You'll still need > +;; to translate that policy into CIL in order to update this file, but that's > +;; fairly straight-forward. Annoying, but easy. I'm not sure about the second paragraph. It's mainly a rehash of the blog post, no? And there are many other ways to go about troubleshooting SELinux (I did not use ausearch at all). Anyway! I tried it on RHEL8, and had to do a few more tweaks to get it working:
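Review bot: the `+;;` comment block added after line 21 of etc/guix-daemon.cil.in documents a troubleshooting procedure rather than policy, and its first step, `semanage permissive -a guix_daemon.guix_daemon_t`, leaves the daemon's domain effectively unconfined until someone reverts it; if the comment stays, it should state that the permissive setting is temporary and is undone with `semanage permissive -d guix_daemon.guix_daemon_t` once the denials have been collected, so that the shipped file does not read as advice to run the daemon permissive. The first-person phrasing ("If you, like me, need advice") also sits oddly in a policy file; the link to the blog post alone is enough, since the remaining lines restate its ausearch/audit2allow workflow.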