Daniel Brooks writes:

> Marius Bakke writes:
>
>> Interestingly, after updating the system (both RHEL8 and Guix) and
>> rebooting, I got new SELinux troubles!
>>
>> I had to add these additional rules to make guix-daemon start again:
>>
>> diff --git a/etc/guix-daemon.cil.in b/etc/guix-daemon.cil.in
>> index 47fd12a214..3e254a2187 100644
>> --- a/etc/guix-daemon.cil.in
>> +++ b/etc/guix-daemon.cil.in
>> @@ -86,12 +86,15 @@
>> (allow init_t
>> guix_daemon_t
>> (process (transition)))
>> + (allow init_t
>> + self
>> + (process (execmem)))
>
> At some point we should track down why that one is necessary, perhaps
> Guile has a JIT compiler or something?

Ding ding ding.

https://wingolog.org/archives/2019/05/24/lightening-run-time-code-generation

>> (allow init_t
>> guix_store_content_t
>> - (file (open read execute)))
>> + (file (open read execute execute_no_trans map)))
>
> This one looks pretty suspicious. I think it would allow any file
> labeled guix_store_content_t to run in the init_t domain? We wouldn't
> want that.

Right. The guix_store_content_t file in question was 'guile', which I
suppose is a kind of special case. Can you think of any workarounds for
this?

Are you testing with the latest version of guix-daemon?
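Review bot: in the first hunk, `execmem` is granted to `init_t self`, which covers every process running in the init_t domain rather than just guix-daemon; the unchanged context lines directly above already allow the init_t to guix_daemon_t transition, so needing execmem in init_t indicates the daemon (or the guile it runs) is still executing in init_t instead of transitioning. The narrower rule is `(allow guix_daemon_t self (process (execmem)))`, together with fixing whatever keeps the transition from happening.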
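Review bot: in the second hunk, adding `execute_no_trans` to the `guix_store_content_t` file rule lets init_t execute any store file without leaving the init_t domain, which is the over-broad grant Marius describes above; since the file that triggered it was the guile interpreter, the right fix is to have that execution land in guix_daemon_t (via the existing transition) rather than to widen the file permissions for init_t. The added `map` permission likewise applies to every guix_store_content_t file and deserves the same scrutiny before it is merged.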