
I've installed Guix and installed the bundled SELinux policy manually. But according to Ricardo Wurmus, as of 30 June 2021:

There are really just two ways: either 1) disable SELinux (or set it to permissive mode) or 2) install/debug/reinstall the SELinux daemon policy that is included with Guix.

The daemon policy is not installed with the binary installation method because it is known to be incomplete. You would need to get a copy of the Guix sources and configure it. The file you want is called “etc/guix-daemon.cil”. To debug it you would need to install it, set SELinux to permissive mode, run the daemon, and then check the audit log for errors.

There is an open issue for the SELinux guix-daemon.cil file, which suggests a patch that seems already incorporated in the file bundled with my installation.

I installed setroubleshoot and kept restarting the guix-daemon.service while following the suggestions popping up in notifications. The daemon finally started after:

    $ sudo chcon -R -t guix_daemon.guix_daemon_conf_t /var/guix/
    $ sudo chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix
    $ sudo chcon -R -t guix_daemon.guix_profiles_t /var/guix/profiles/per-user/root/current-guix-1-link

But I still cannot proceed with installing glibc-locales:

    $ guix install glibc-locales
    hint: Consider installing the `glibc-utf8-locales' or `glibc-locales' package
    and defining `GUIX_LOCPATH', along these lines:

         guix install glibc-utf8-locales
         export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"

    See the "Application Setup" section in the manual, for more info.

    guix install: error: remounting /gnu/store writable: Permission denied

The SELinux diagnostics tool informs that "guix-daemon" is not allowed "remount" access to "filesystem" and suggests:

    # ausearch -c 'guix-daemon' --raw | audit2allow -M my-guixdaemon
    # semodule -X 300 -i my-guixdaemon.pp

But ausearch fails on this:

    $ sudo ausearch -c '(x-daemon)' --raw | audit2allow -M my-xdaemon
    compilation failed:
    libsepol.hierarchy_add_type_callback: guix_daemon doesn't exist, guix_daemon.guix_daemon_conf_t is an orphan
    libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies

How can I allow guix-daemon to remount the filesystem in SELinux?

2 Answers


I turned on the permissive mode and used Guix for a while. SELinux support is apparently still a work in progress. setroubleshoot regularly notifies of various issues. Running Guix with SELinux in permissive mode seems the only practical solution at the moment.

(To turn on the permissive mode permanently, edit /etc/selinux/config and reboot.)


Looking at the output of the command

    # ausearch -c 'guix-daemon' --raw | audit2allow

    #============= guix_daemon.guix_daemon_t ==============
    allow guix_daemon.guix_daemon_t fs_t:filesystem remount;
    #

So I translated that into something for the policy and added the following to the guix-daemon.cil file.

    (allow guix_daemon_t fs_t (filesystem (remount)))

Then I reloaded the policy file and that seems to have worked for me.

  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. Commented Jan 5 at 20:03
  • Thank you, I found the "cil" file and I added that snippet where it seems to make sense, but could you please tell how you "reloaded" the policy file (without assumptions of people knowing how to use selinux things =)? Commented Aug 27 at 10:11
