* Stuck installing guix package manager on Fedora with selinux
From: Alexis Simon @ 2023-10-17 16:42 UTC
To: help-guix

Hi,

I'd like to try the guix package manager but am stuck installing it on
Fedora 38 with selinux. I should say I don't know anything about the details
of either guix or selinux.
I know a few other persons that also wanted to try guix but gave up due to
issues with selinux, so I think solving this issue could help in adoption.

I've used the installer script which worked well, then was initially hit by
this error
`guix install: error: remounting /gnu/store writable: Permission denied`

This was solved by doing
sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil

sudo mount -o remount,rw /gnu/store
sudo restorecon -R /gnu /var/guix
sudo systemctl restart guix-daemon.service

(note that the mount step was the part that was missing from all
guides I've seen on the web, and I found it in a guix commit).

Now I have a different issue, guix-daemon doesn't seem to be able to access
internet with errors of the type
`In procedure getaddrinfo: Temporary failure in name resolution`
(disabling selinux works in that case, but I want it enabled)

This is what I get from setroubleshoot:
```
SELinux is preventing guix substitute from search access on the directory
systemd.
***** Plugin catchall (100. confidence) suggests *****
*********************
If you believe that guix substitute should be allowed search access on the
systemd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
# semodule -X 300 -i my-guixsubstitute.pp
```

Trying the suggested commands also errors in:
```
libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
guix_daemon.guix_daemon_t is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
```

So I don't really know where to go from there, any help appreciated.
Thanks
Alexis
* Re: Stuck installing guix package manager on Fedora with selinux
From: Markku Korkeala @ 2023-10-18 13:40 UTC
To: Alexis Simon; +Cc: help-guix

Hi,

I haven't tried the official guix installation, but I was
able to get guix running on Fedora using rpm packages from copr:

https://copr.fedorainfracloud.org/coprs/lantw44/guix/

If you can't find a solution to the SELinux problem, maybe
give those rpm packages a try.

Best regards,
Markku

On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
> Hi,
>
> I'd like to try the guix package manager but am stuck installing it on
> Fedora 38 with selinux. I should say I don't know anything about the details
> of either guix or selinux.
> I know a few other persons that also wanted to try guix but gave up due to
> issues with selinux, so I think solving this issue could help in adoption.
>
> I've used the installer script which worked well, then was initially hit by
> this error
> `guix install: error: remounting /gnu/store writable: Permission denied`
>
> This was solved by doing
> sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
>
> sudo mount -o remount,rw /gnu/store
> sudo restorecon -R /gnu /var/guix
> sudo systemctl restart guix-daemon.service
>
> (note that the mount step was the part that was missing from all
> guides I've seen on the web, and I found it in a guix commit).
>
> Now I have a different issue, guix-daemon doesn't seem to be able to access
> internet with errors of the type
> `In procedure getaddrinfo: Temporary failure in name resolution`
> (disabling selinux works in that case, but I want it enabled)
>
> This is what I get from setroubleshoot:
> ```
> SELinux is preventing guix substitute from search access on the directory
> systemd.
> ***** Plugin catchall (100. confidence) suggests *****
> *********************
> If you believe that guix substitute should be allowed search access on the
> systemd directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
> # semodule -X 300 -i my-guixsubstitute.pp
> ```
>
> Trying the suggested commands also errors in:
> ```
> libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
> guix_daemon.guix_daemon_t is an orphan
> libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
> ```
>
> So I don't really know where to go from there, any help appreciated.
> Thanks
> Alexis
* Re: Stuck installing guix package manager on Fedora with selinux
From: Alexis Simon @ 2023-10-18 17:06 UTC
To: Markku Korkeala; +Cc: help-guix

Hi,

Thanks for the suggestion.

I stumbled on this guix rpm but it seems also that selinux needs to be
disabled with that one.
I think the maintainer initially wanted to apply selinux policies but in
the end commented out all those parts. (There's also a hint in the
changelog that it doesn't work with selinux, see here [0]).

As someone else suggested, yes I could set selinux to permissive but I
don't find that an acceptable solution. I don't want to disable a
security feature of my system.

Also an update on my initial email: after a reboot, I'm back at square
one with the remount error. So the solution wasn't really one.

Best regards,
Alexis

[0] https://copr-dist-git.fedorainfracloud.org/cgit/lantw44/guix/guix.git/tree/guix.spec?h=f38#n556

On 18/10/2023 06:40, Markku Korkeala wrote:
> Hi,
>
> I haven't tried the official guix installation, but I was
> able to get guix running on Fedora using rpm packages from copr:
>
> https://copr.fedorainfracloud.org/coprs/lantw44/guix/
>
> If you can't find a solution to the SELinux problem, maybe
> give those rpm packages a try.
>
> Best regards,
> Markku
>
> On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
>> Hi,
>>
>> I'd like to try the guix package manager but am stuck installing it on
>> Fedora 38 with selinux. I should say I don't know anything about the details
>> of either guix or selinux.
>> I know a few other persons that also wanted to try guix but gave up due to
>> issues with selinux, so I think solving this issue could help in adoption.
>>
>> I've used the installer script which worked well, then was initially hit by
>> this error
>> `guix install: error: remounting /gnu/store writable: Permission denied`
>>
>> This was solved by doing
>> sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
>>
>> sudo mount -o remount,rw /gnu/store
>> sudo restorecon -R /gnu /var/guix
>> sudo systemctl restart guix-daemon.service
>>
>> (note that the mount step was the part that was missing from all
>> guides I've seen on the web, and I found it in a guix commit).
>>
>> Now I have a different issue, guix-daemon doesn't seem to be able to access
>> internet with errors of the type
>> `In procedure getaddrinfo: Temporary failure in name resolution`
>> (disabling selinux works in that case, but I want it enabled)
>>
>> This is what I get from setroubleshoot:
>> ```
>> SELinux is preventing guix substitute from search access on the directory
>> systemd.
>> ***** Plugin catchall (100. confidence) suggests *****
>> *********************
>> If you believe that guix substitute should be allowed search access on the
>> systemd directory by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do allow this access for now by executing:
>> # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
>> # semodule -X 300 -i my-guixsubstitute.pp
>> ```
>>
>> Trying the suggested commands also errors in:
>> ```
>> libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
>> guix_daemon.guix_daemon_t is an orphan
>> libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
>> ```
>>
>> So I don't really know where to go from there, any help appreciated.
>> Thanks
>> Alexis
* Re: Stuck installing guix package manager on Fedora with selinux
From: Alexis Simon @ 2023-10-18 18:16 UTC
To: help-guix

Ok I think I'm starting to get somewhere.

Those are the changes that were needed in the selinux policy to be able
to start installing a package:

==============================================
diff --git a/guix-daemon.cil b/guix-daemon.cil
index 3994e62..c26ed1a 100644
--- a/guix-daemon.cil
+++ b/guix-daemon.cil
@@ -202,7 +202,7 @@
         sys_admin)))
   (allow guix_daemon_t
          fs_t
-         (filesystem (unmount)))
+         (filesystem (unmount remount)))
   (allow guix_daemon_t
          devpts_t
          (dir (search)))
@@ -308,6 +308,8 @@
          (lnk_file (read)))
   (allow guix_daemon_t NetworkManager_var_run_t
          (dir (search)))
+  (allow guix_daemon_t init_var_run_t
+         (dir (search)))
 
   ;; Access to profiles
   (allow guix_daemon_t
=============================================

I'll try it out more and update as I go along.

Alexis

On 18/10/2023 10:06, Alexis Simon wrote:
> Hi,
>
> Thanks for the suggestion.
>
> I stumbled on this guix rpm but it seems also that selinux needs to be
> disabled with that one.
> I think the maintainer initially wanted to apply selinux policies but in
> the end commented out all those parts. (There's also a hint in the
> changelog that it doesn't work with selinux, see here [0]).
>
> As someone else suggested, yes I could set selinux to permissive but I
> don't find that an acceptable solution. I don't want to disable a
> security feature of my system.
>
> Also an update on my initial email: after a reboot, I'm back at square
> one with the remount error. So the solution wasn't really one.
>
> Best regards,
> Alexis
>
> [0] https://copr-dist-git.fedorainfracloud.org/cgit/lantw44/guix/guix.git/tree/guix.spec?h=f38#n556
>
> On 18/10/2023 06:40, Markku Korkeala wrote:
>> Hi,
>>
>> I haven't tried the official guix installation, but I was
>> able to get guix running on Fedora using rpm packages from copr:
>>
>> https://copr.fedorainfracloud.org/coprs/lantw44/guix/
>>
>> If you can't find a solution to the SELinux problem, maybe
>> give those rpm packages a try.
>>
>> Best regards,
>> Markku
>>
>> On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
>>> Hi,
>>>
>>> I'd like to try the guix package manager but am stuck installing it on
>>> Fedora 38 with selinux. I should say I don't know anything about the
>>> details of either guix or selinux.
>>> I know a few other persons that also wanted to try guix but gave up
>>> due to issues with selinux, so I think solving this issue could help in
>>> adoption.
>>>
>>> I've used the installer script which worked well, then was initially
>>> hit by this error
>>> `guix install: error: remounting /gnu/store writable: Permission denied`
>>>
>>> This was solved by doing
>>> sudo semodule -i
>>> /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
>>>
>>> sudo mount -o remount,rw /gnu/store
>>> sudo restorecon -R /gnu /var/guix
>>> sudo systemctl restart guix-daemon.service
>>>
>>> (note that the mount step was the part that was missing from all
>>> guides I've seen on the web, and I found it in a guix commit).
>>>
>>> Now I have a different issue, guix-daemon doesn't seem to be able to
>>> access internet with errors of the type
>>> `In procedure getaddrinfo: Temporary failure in name resolution`
>>> (disabling selinux works in that case, but I want it enabled)
>>>
>>> This is what I get from setroubleshoot:
>>> ```
>>> SELinux is preventing guix substitute from search access on the
>>> directory systemd.
>>> ***** Plugin catchall (100. confidence) suggests *****
>>> *********************
>>> If you believe that guix substitute should be allowed search access on
>>> the systemd directory by default.
>>> Then you should report this as a bug.
>>> You can generate a local policy module to allow this access.
>>> Do allow this access for now by executing:
>>> # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
>>> # semodule -X 300 -i my-guixsubstitute.pp
>>> ```
>>>
>>> Trying the suggested commands also errors in:
>>> ```
>>> libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
>>> guix_daemon.guix_daemon_t is an orphan
>>> libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
>>> ```
>>>
>>> So I don't really know where to go from there, any help appreciated.
>>> Thanks
>>> Alexis
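Review bot: the `remount` permission added to the `fs_t` rule in the first hunk (@@ -202) carries no explanation; the commit message, or a `;;` comment beside the rule in the style the file already uses for `;; Access to profiles`, should state that the daemon needs it to remount /gnu/store read-write, which is the `remounting /gnu/store writable: Permission denied` failure reported earlier in the thread, and that it is deliberately limited to `fs_t` rather than widened to other filesystem types.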
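Review bot: the new `init_var_run_t` rule in the second hunk (@@ -308) is granted to `guix_daemon_t`, while the denial that motivated it was logged for comm `guix substitute`; the thread never shows which domain the substituter runs in, so the rule should be re-checked against a fresh `ausearch` run to confirm that denial is gone and that no further `search` denials follow on the same path. A `;;` comment naming what the target type covers (the `systemd` directory from the setroubleshoot report) would also help a later reviewer see why a package manager needs it.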
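An added example, not code from the thread or from Guix: a small shell filter that turns raw AVC denial lines, as `ausearch --raw` prints them, into CIL allow rules shaped like the two hunks above, so the rules can be reviewed and placed into guix-daemon.cil by hand rather than loaded as a separate audit2allow module. It assumes the daemon type is declared inside a CIL block named guix_daemon, so the emitted source type is written unqualified (guix_daemon_t) even though the audit log shows it as guix_daemon.guix_daemon_t; the sample denial lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Guix: turn raw AVC denials
# (as printed by `ausearch -m AVC --raw`) into CIL allow rules shaped like
# the guix-daemon.cil hunks, for review before adding them to the policy.
# Assumption: guix_daemon_t is declared inside a CIL block named
# guix_daemon, so rules placed in that block name the type unqualified
# even though audit logs show it as guix_daemon.guix_daemon_t.

# Constructed sample denials, not real audit output from the thread.
SAMPLE_AVC='type=AVC msg=audit(1697560000.123:456): avc:  denied  { search } for  pid=1234 comm="guix substitute" name="systemd" dev="tmpfs" ino=1 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697560001.321:457): avc:  denied  { remount } for  pid=1200 comm="guix-daemon" scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1697560002.000:458): avc:  denied  { read } for  pid=1234 comm="guix substitute" name="systemd" dev="tmpfs" ino=1 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0'

# Read AVC records on stdin; print one CIL allow rule per
# (source type, target type, object class), permissions merged and
# sorted, duplicate records dropped.
avc_to_cil() {
  awk '/avc:  denied/ {
      # the denied permissions sit between braces: { search } or { read write }
      if (!match($0, /\{[^}]*\}/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      # inside the guix_daemon block the type is referenced unqualified
      sub(/^guix_daemon\./, "", src)
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' |
  sort -u |
  awk '{
      key = $1 " " $2 " (" $3 " ("
      if (key != prev) {
        if (prev != "") print "(allow " prev perms ")))"
        prev = key; perms = $4
      } else {
        perms = perms " " $4
      }
    }
    END { if (prev != "") print "(allow " prev perms ")))" }'
}

# Convenience wrapper over the constructed sample.
cil_from_sample() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
}

cil_from_sample
```

The two `init_var_run_t` records collapse into one rule with `read search`, which is the form a reviewer wants to see before deciding whether each permission is really needed.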
* Re: Stuck installing guix package manager on Fedora with selinux
From: Maxim Cournoyer @ 2023-10-19 2:02 UTC
To: Alexis Simon; +Cc: help-guix

Hello,

Alexis Simon <alexis.simon@runbox.com> writes:

> Ok I think I'm starting to get somewhere.
>
> Those are the changes that were needed in the selinux policy to be
> able to start installing a package:
>
> ==============================================
> diff --git a/guix-daemon.cil b/guix-daemon.cil
> index 3994e62..c26ed1a 100644
> --- a/guix-daemon.cil
> +++ b/guix-daemon.cil
> @@ -202,7 +202,7 @@
>          sys_admin)))
>    (allow guix_daemon_t
>           fs_t
> -         (filesystem (unmount)))
> +         (filesystem (unmount remount)))
>    (allow guix_daemon_t
>           devpts_t
>           (dir (search)))
> @@ -308,6 +308,8 @@
>           (lnk_file (read)))
>    (allow guix_daemon_t NetworkManager_var_run_t
>           (dir (search)))
> +  (allow guix_daemon_t init_var_run_t
> +         (dir (search)))
>
>    ;; Access to profiles
>    (allow guix_daemon_t
> =============================================
>
> I'll try it out more and update as I go along.

Sounds good, keep us posted! When you have reached a point you are
satisfied with, please email your patch to guix-patches@gnu.org.

--
Thanks,
Maxim
* Re: Stuck installing guix package manager on Fedora with selinux
From: Alexis Simon @ 2023-10-19 3:22 UTC
To: Maxim Cournoyer; +Cc: help-guix

Hi,

So trying to prepare a patch, I realized those changes are already in
master. So that's the reason I didn't get them in the normal stable
release install.

Alexis

On 18/10/2023 19:02, Maxim Cournoyer wrote:
> Hello,
>
> Alexis Simon <alexis.simon@runbox.com> writes:
>
>> Ok I think I'm starting to get somewhere.
>>
>> Those are the changes that were needed in the selinux policy to be
>> able to start installing a package:
>>
>> ==============================================
>> diff --git a/guix-daemon.cil b/guix-daemon.cil
>> index 3994e62..c26ed1a 100644
>> --- a/guix-daemon.cil
>> +++ b/guix-daemon.cil
>> @@ -202,7 +202,7 @@
>>          sys_admin)))
>>    (allow guix_daemon_t
>>           fs_t
>> -         (filesystem (unmount)))
>> +         (filesystem (unmount remount)))
>>    (allow guix_daemon_t
>>           devpts_t
>>           (dir (search)))
>> @@ -308,6 +308,8 @@
>>           (lnk_file (read)))
>>    (allow guix_daemon_t NetworkManager_var_run_t
>>           (dir (search)))
>> +  (allow guix_daemon_t init_var_run_t
>> +         (dir (search)))
>>
>>    ;; Access to profiles
>>    (allow guix_daemon_t
>> =============================================
>>
>> I'll try it out more and update as I go along.
>
> Sounds good, keep us posted! When you have reached a point you are
> satisfied with, please email your patch to guix-patches@gnu.org.
* Re: Stuck installing guix package manager on Fedora with selinux
From: Maxim Cournoyer @ 2023-10-19 3:36 UTC
To: Alexis Simon; +Cc: help-guix

Hi,

Alexis Simon <alexis.simon@runbox.com> writes:

> Hi,
>
> So trying to prepare a patch, I realized those changes are already in
> master. So that's the reason I didn't get them in the normal stable
> release install.

Ah! You could try installing from a development snapshot instead.

--
Thanks,
Maxim
* Re: Stuck installing guix package manager on Fedora with selinux
From: Markku Korkeala @ 2023-10-20 11:32 UTC
To: Alexis Simon; +Cc: help-guix

Hi,

actually you do not need to have selinux disabled with the rpm packages,
I'm running SELinux in enforcing mode. That is something I do not want
to disable either :)

Some selinux-stuff is also included in the package:

rpm -ql guix | grep selinux
/usr/lib64/guile/3.0/site-ccache/gnu/packages/selinux.go
/usr/share/guile/site/3.0/gnu/packages/selinux.scm
/usr/share/selinux/packages/guix-daemon.cil

Best regards,
Markku

On Wed, Oct 18, 2023 at 10:06:07AM -0700, Alexis Simon wrote:
> Hi,
>
> Thanks for the suggestion.
>
> I stumbled on this guix rpm but it seems also that selinux needs to be
> disabled with that one.
> I think the maintainer initially wanted to apply selinux policies but in the
> end commented out all those parts. (There's also a hint in the changelog
> that it doesn't work with selinux, see here [0]).
>
> As someone else suggested, yes I could set selinux to permissive but I don't
> find that an acceptable solution. I don't want to disable a security feature
> of my system.
>
> Also an update on my initial email: after a reboot, I'm back at square one
> with the remount error. So the solution wasn't really one.
>
> Best regards,
> Alexis
>
> [0] https://copr-dist-git.fedorainfracloud.org/cgit/lantw44/guix/guix.git/tree/guix.spec?h=f38#n556
>
> On 18/10/2023 06:40, Markku Korkeala wrote:
> > Hi,
> >
> > I haven't tried the official guix installation, but I was
> > able to get guix running on Fedora using rpm packages from copr:
> >
> > https://copr.fedorainfracloud.org/coprs/lantw44/guix/
> >
> > If you can't find a solution to the SELinux problem, maybe
> > give those rpm packages a try.
> >
> > Best regards,
> > Markku
> >
> > On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
> > > Hi,
> > >
> > > I'd like to try the guix package manager but am stuck installing it on
> > > Fedora 38 with selinux. I should say I don't know anything about the details
> > > of either guix or selinux.
> > > I know a few other persons that also wanted to try guix but gave up due to
> > > issues with selinux, so I think solving this issue could help in adoption.
> > >
> > > I've used the installer script which worked well, then was initially hit by
> > > this error
> > > `guix install: error: remounting /gnu/store writable: Permission denied`
> > >
> > > This was solved by doing
> > > sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
> > >
> > > sudo mount -o remount,rw /gnu/store
> > > sudo restorecon -R /gnu /var/guix
> > > sudo systemctl restart guix-daemon.service
> > >
> > > (note that the mount step was the part that was missing from all
> > > guides I've seen on the web, and I found it in a guix commit).
> > >
> > > Now I have a different issue, guix-daemon doesn't seem to be able to access
> > > internet with errors of the type
> > > `In procedure getaddrinfo: Temporary failure in name resolution`
> > > (disabling selinux works in that case, but I want it enabled)
> > >
> > > This is what I get from setroubleshoot:
> > > ```
> > > SELinux is preventing guix substitute from search access on the directory
> > > systemd.
> > > ***** Plugin catchall (100. confidence) suggests *****
> > > *********************
> > > If you believe that guix substitute should be allowed search access on the
> > > systemd directory by default.
> > > Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do allow this access for now by executing:
> > > # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
> > > # semodule -X 300 -i my-guixsubstitute.pp
> > > ```
> > >
> > > Trying the suggested commands also errors in:
> > > ```
> > > libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
> > > guix_daemon.guix_daemon_t is an orphan
> > > libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
> > > ```
> > >
> > > So I don't really know where to go from there, any help appreciated.
> > > Thanks
> > > Alexis