Date: Wed, 18 Oct 2023 16:40:55 +0300
From: Markku Korkeala
To: Alexis Simon
Cc: help-guix@gnu.org
Subject: Re: Stuck installing guix package manager on Fedora with selinux
In-Reply-To: <2f749c20-ede2-4f1c-b95a-e9bfc1869fad@runbox.com>

Hi,

I haven't tried the official guix installation, but I was able to get guix
running on Fedora using rpm packages from copr:
https://copr.fedorainfracloud.org/coprs/lantw44/guix/

If you can't find a solution to the SELinux problem, maybe give those rpm
packages a try.

Best regards,
Markku

On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
> Hi,
>
> I'd like to try the guix package manager but am stuck installing it on
> Fedora 38 with selinux. I should say I don't know anything about the details
> of either guix or selinux.
> I know a few other persons that also wanted to try guix but gave up due to
> issues with selinux, so I think solving this issue could help in adoption.
>
> I've used the installer script which worked well, then was initially hit by
> this error
> `guix install: error: remounting /gnu/store writable: Permission denied`
>
> This was solved by doing
> sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
> sudo mount -o remount,rw /gnu/store
> sudo restorecon -R /gnu /var/guix
> sudo systemctl restart guix-daemon.service
>
> (note that the mount step was the missing part that was missing from all
> guides I've seen on the web, and I found it in a guix commit).
>
> Now I have a different issue, guix-daemon doesn't seem to be able to access
> internet with errors of the type
> `In procedure getaddrinfo: Temporary failure in name resolution`
> (disabling selinux works in that case, but I want it enabled)
>
> This is what I get from setroubleshoot:
> ```
> SELinux is preventing guix substitute from search access on the directory
> systemd.
> ***** Plugin catchall (100. confidence) suggests **************************
> If you believe that guix substitute should be allowed search access on the systemd directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
> # semodule -X 300 -i my-guixsubstitute.pp
> ```
>
> Trying the suggested commands also errors in:
> ```
> libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
> guix_daemon.guix_daemon_t is an orphan
> libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
> ```
>
> So I don't really know where to go from there, any help appreciated.
> Thanks
> Alexis
>
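
Added example, not part of the original thread or of Guix: before feeding denials like the one quoted above to audit2allow, it helps to see exactly which source type, target type, class and permissions were denied. The helper name `summarize_avc`, the sample records and the target types in them (`systemd_resolved_var_run_t`, `net_conf_t`) are constructed for illustration; only the source type `guix_daemon.guix_daemon_t` and the `guix substitute` command name come from the thread.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials as
# count|comm|source type|target type|class|permissions.
# Reads raw audit records on stdin, e.g. from `ausearch -m AVC --raw`.
summarize_avc() {
    awk '
    # Return the type (third colon-separated field) of the context after tag.
    function ctx_type(line, tag,    i, rest, parts) {
        i = index(line, tag)
        if (i == 0) return "?"
        rest = substr(line, i + length(tag))
        sub(/ .*/, "", rest)
        split(rest, parts, ":")
        return parts[3]
    }
    /avc:[ ]+denied/ {
        perms = "?"; comm = "?"; cls = "?"
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) {
            perms = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perms)   # trim padding inside the braces
            gsub(/ +/, ",", perms)       # "read open" -> "read,open"
        }
        if (match($0, /comm="[^"]*"/))
            comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /tclass=[^ ]+/))
            cls = substr($0, RSTART + 7, RLENGTH - 7)
        key = comm "|" ctx_type($0, "scontext=") "|" ctx_type($0, "tcontext=") "|" cls "|" perms
        count[key]++
    }
    END { for (k in count) print count[k] "|" k }
    ' | sort
}

# Constructed sample records (not taken from the thread); target types are assumptions.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1697560978.101:501): avc:  denied  { search } for  pid=2101 comm="guix substitute" name="systemd" dev="tmpfs" ino=42 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1697560978.101:501): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1697560979.202:502): avc:  denied  { search } for  pid=2102 comm="guix substitute" name="systemd" dev="tmpfs" ino=42 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697560980.303:503): avc:  denied  { read open } for  pid=2103 comm="guix-daemon" name="resolv.conf" dev="dm-0" ino=77 scontext=system_u:system_r:guix_daemon.guix_daemon_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
EOF
}

sample_records | summarize_avc
```

On a live system the input would instead come from `sudo ausearch -c 'guix substitute' --raw | summarize_avc`, the same query setroubleshoot suggests above.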