From: Markku Korkeala
To: Alexis Simon
Cc: help-guix@gnu.org
Date: Fri, 20 Oct 2023 14:32:29 +0300
Subject: Re: Stuck installing guix package manager on Fedora with selinux

Hi,

actually you do not need to have selinux disabled with the rpm packages, I'm running SELinux in enforcing mode.
That is something I do not want to disable either :)

Some selinux-stuff is also included in the package:

rpm -ql guix | grep selinux
/usr/lib64/guile/3.0/site-ccache/gnu/packages/selinux.go
/usr/share/guile/site/3.0/gnu/packages/selinux.scm
/usr/share/selinux/packages/guix-daemon.cil

Best regards,
Markku

On Wed, Oct 18, 2023 at 10:06:07AM -0700, Alexis Simon wrote:
> Hi, Thanks for the suggestion.
>
> I stumbled on this guix rpm but it seems also that selinux needs to be
> disabled with that one.
> I think the maintainer initially wanted to apply selinux policies but in the
> end commented out all those parts. (There's also a hint in the changelog
> that it doesn't work with selinux, see here [0]).
>
> As someone else suggested, yes I could set selinux to permissive but I don't
> find that an acceptable solution. I don't want to disable a security feature
> of my system.
>
> Also an update on my initial email: after a reboot, I'm back at square one
> with the remount error. So the solution wasn't really one.
>
> Best regards,
> Alexis
>
> [0] https://copr-dist-git.fedorainfracloud.org/cgit/lantw44/guix/guix.git/tree/guix.spec?h=f38#n556
>
> On 18/10/2023 06:40, Markku Korkeala wrote:
> > Hi,
> >
> > I haven't tried the official guix installation, but I was
> > able to get guix running on Fedora using rpm packages from copr:
> >
> > https://copr.fedorainfracloud.org/coprs/lantw44/guix/
> >
> > If you can't find a solution to the SELinux problem, maybe
> > give those rpm packages a try.
> >
> > Best regards,
> > Markku
> >
> > On Tue, Oct 17, 2023 at 09:42:58AM -0700, Alexis Simon wrote:
> > > Hi,
> > >
> > > I'd like to try the guix package manager but am stuck installing it on
> > > Fedora 38 with selinux. I should say I don't know anything about the details
> > > of either guix or selinux.
> > > I know a few other persons that also wanted to try guix but gave up due to
> > > issues with selinux, so I think solving this issue could help in adoption.
> > >
> > > I've used the installer script which worked well, then was initially hit by
> > > this error
> > > `guix install: error: remounting /gnu/store writable: Permission denied`
> > >
> > > This was solved by doing
> > > sudo semodule -i /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/share/selinux/guix-daemon.cil
> > >
> > > sudo mount -o remount,rw /gnu/store
> > > sudo restorecon -R /gnu /var/guix
> > > sudo systemctl restart guix-daemon.service
> > >
> > > (note that the mount step was the missing part that was missing from all
> > > guides I've seen on the web, and I found it in a guix commit).
> > >
> > > Now I have a different issue, guix-daemon doesn't seem to be able to access
> > > internet with errors of the type
> > > `In procedure getaddrinfo: Temporary failure in name resolution`
> > > (disabling selinux works in that case, but I want it enabled)
> > >
> > > This is what I get from setroubleshoot:
> > > ```
> > > SELinux is preventing guix substitute from search access on the directory
> > > systemd.
> > > ***** Plugin catchall (100. confidence) suggests **************************
> > > If you believe that guix substitute should be allowed search access on the systemd directory by default.
> > > Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do
> > > allow this access for now by executing:
> > > # ausearch -c 'guix substitute' --raw | audit2allow -M my-guixsubstitute
> > > # semodule -X 300 -i my-guixsubstitute.pp
> > > ```
> > >
> > > Trying the suggested commands also errors in:
> > > ```
> > > libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist,
> > > guix_daemon.guix_daemon_t is an orphan
> > > libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
> > > ```
> > >
> > > So I don't really know where to go from there, any help appreciated.
> > > Thanks
> > > Alexis
> > >
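Added example (not part of the original thread, and not code from Guix or Fedora): one way to see exactly which accesses the guix_daemon.guix_daemon_t domain is being denied before deciding on any policy change. It parses raw AVC records, decodes the hex-encoded comm that the audit log uses for "guix substitute", and renders candidate CIL-syntax allow statements for review. The sample records and the target type names example_runtime_t and other_t are constructed placeholders.

```python
import re
from collections import defaultdict

SOURCE = "guix_daemon.guix_daemon_t"  # domain named in the libsepol error above
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm=(?P<comm>"[^"]*"|[0-9A-F]+)'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\w+)')

def decode_comm(raw):
    """The kernel hex-encodes comm values containing spaces ('guix substitute')."""
    return raw.strip('"') if raw.startswith('"') else bytes.fromhex(raw).decode()

def selinux_type(context):
    """user:role:type:level -> type; the type may contain dots (CIL block names)."""
    return context.split(":")[2]

def summarize(lines, source=SOURCE):
    """Group denials for one source domain by (target type, object class)."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in lines:
        m = AVC_RE.search(line)
        if m and selinux_type(m["s"]) == source:
            entry = grouped[(selinux_type(m["t"]), m["cls"])]
            entry["perms"].update(m["perms"].split())
            entry["comms"].add(decode_comm(m["comm"]))
    return dict(grouped)

def cil_rules(grouped, source=SOURCE):
    """Render candidate CIL allow statements, for review rather than blind loading."""
    return [f"(allow {source} {t} ({cls} ({' '.join(sorted(e['perms']))})))"
            for (t, cls), e in sorted(grouped.items())]

# Constructed sample records; example_runtime_t and other_t are placeholder types.
HEX_COMM = "guix substitute".encode().hex().upper()
SAMPLE = [
    "type=AVC msg=audit(1697560978.101:901): avc:  denied  { search } for  pid=4242 "
    f'comm={HEX_COMM} name="systemd" dev="tmpfs" ino=2 '
    f"scontext=system_u:system_r:{SOURCE}:s0 "
    "tcontext=system_u:object_r:example_runtime_t:s0 tclass=dir permissive=0",
    "type=AVC msg=audit(1697560978.102:902): avc:  denied  { getattr } for  pid=4242 "
    'comm="guix-daemon" name="systemd" dev="tmpfs" ino=2 '
    f"scontext=system_u:system_r:{SOURCE}:s0 "
    "tcontext=system_u:object_r:example_runtime_t:s0 tclass=dir permissive=0",
    "type=AVC msg=audit(1697560978.103:903): avc:  denied  { read } for  pid=77 "
    'comm="other" name="x" scontext=system_u:system_r:other_t:s0 '
    "tcontext=system_u:object_r:example_runtime_t:s0 tclass=file permissive=0",
]

if __name__ == "__main__":
    for rule in cil_rules(summarize(SAMPLE)):
        print(rule)
```

On a real system the input lines would come from the raw output of the ausearch command quoted above instead of SAMPLE.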