unofficial mirror of help-guix@gnu.org 
* Permission denied when running guix shell -C on Ubuntu
From: Gabriel Pickl @ 2024-05-05 17:47 UTC
  To: help-guix

Hi everyone :)

I've recently started using GUIX on Ubuntu 24.04 (Installed via the 
install script), and have run into a bit of a problem.

When running something like `guix shell -C guile` (the package list 
doesn't matter) I get the following error message:

```
guix shell: error: mount: mount "none" on "/tmp/guix-directory.xwKsHW": Permission denied
```

`dmesg` doesn't show any messages during the run.

Turning AppArmor off changes the error:

```
guix shell: error: clone: 2114060305: Permission denied
```

And also causes the following dmesg line to be printed (I thought I had 
disabled AppArmor... huh)

```
audit: type=1400 audit(1714930774.939:64): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=5486 comm="guix" requested="userns_create" denied="userns_create" target="unprivileged_userns"
```

I found some bug reports that might be related, but I don't know enough 
about GUIX or AppArmor (mentioned below) to extract anything useful from 
them:

  * https://issues.guix.gnu.org/61690
  * https://issues.guix.gnu.org/46292
  * https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg6057761.html


* Re: Permission denied when running guix shell -C on Ubuntu
From: Gabriel Pickl @ 2024-05-05 18:02 UTC
  To: help-guix

It seems like creating a custom AppArmor profile as described in 
https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg6057881.html 
but specifying the actual guix command (in my case 
/gnu/store/5447wg7dp8qwlii61r5spyf9r4953b55-guix-command) allows me to 
create containers, but I assume this will break the next time I update 
guix. It would be lovely to fix this in a way that wasn't so temporary ^^'

On 5/5/24 19:47, Gabriel Pickl wrote:
>
> Hi everyone :)
>
> I've recently started using GUIX on Ubuntu 24.04 (Installed via the 
> install script), and have run into a bit of a problem.
>
> When running something like `guix shell -C guile` (the package list 
> doesn't matter) I get the following error message:
>
> ```
> guix shell: error: mount: mount "none" on 
> "/tmp/guix-directory.xwKsHW": Permission denied
> ```
>
> `dmesg` doesn't show any messages during the run.
>
> Turning AppArmor off changes the error:
>
> ```
> guix shell: error: clone: 2114060305: Permission denied
> ```
>
> And also causes the following dmesg line to be printed (I thought I 
> had disabled AppArmor... huh)
>
> ```
> audit: type=1400 audit(1714930774.939:64): apparmor="DENIED" 
> operation="userns_create" class="namespace" info="Userns create 
> restricted - failed to find unprivileged_userns profile" error=-13 
> profile="unconfined" pid=5486 comm="guix" requested="userns_create" 
> denied="userns_create" target="unprivileged_userns"
> ```
>
> I found some bug reports that might be related, but I don't know 
> enough about GUIX or AppArmor (mentioned below) to extract anything 
> useful from them
>
>   * https://issues.guix.gnu.org/61690
>   * https://issues.guix.gnu.org/46292
>   * https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg6057761.html
>
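
An added example, not part of either message above: a Python parser for the AppArmor audit record quoted in the first message. It picks out `userns_create` denials and returns the `comm`, `pid` and `profile` fields, which for this record show a `guix` process running as `unconfined`. The function names and the second log line are constructed for illustration.

```python
import re
import shlex

# Audit record from the first message, rejoined onto one line.
SAMPLE = ('audit: type=1400 audit(1714930774.939:64): apparmor="DENIED" '
          'operation="userns_create" class="namespace" info="Userns create '
          'restricted - failed to find unprivileged_userns profile" error=-13 '
          'profile="unconfined" pid=5486 comm="guix" requested="userns_create" '
          'denied="userns_create" target="unprivileged_userns"')

# Constructed line: an unrelated file denial that must not be reported.
OTHER = ('audit: type=1400 audit(1714930775.100:65): apparmor="DENIED" '
         'operation="open" class="file" profile="/usr/bin/example" '
         'name="/etc/example.conf" pid=6000 comm="example" '
         'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

_HEADER = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')

def parse_audit(line):
    """Split one kernel audit line into a dict of its key=value fields."""
    m = _HEADER.search(line)
    if not m:
        return None
    fields = {"timestamp": float(m["ts"]), "serial": int(m["serial"])}
    try:
        # shlex honours the double quotes, so the info="..." text stays one token.
        tokens = shlex.split(m["body"])
    except ValueError:  # unbalanced quote in a truncated line
        return None
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def userns_denials(lines):
    """Return (comm, pid, profile) for each refused user-namespace creation."""
    hits = []
    for line in lines:
        rec = parse_audit(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "userns_create"):
            hits.append((rec.get("comm"), int(rec.get("pid", -1)), rec.get("profile")))
    return hits

if __name__ == "__main__":
    for comm, pid, profile in userns_denials([SAMPLE, OTHER]):
        print(f"{comm} (pid {pid}), profile={profile!r}: user namespace refused")
```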
