Hi Ido,

Ido Yariv <[email protected]> writes:

> It seems that the new unprivileged mode of guix-daemon breaks on some foreign
> distros with SELinux.
> More specifically, SELinux prevents guix-daemon from creating & entering user
> namespaces.
>
> The following change seems to mitigate this on Fedora:

[...]

> The second rule requires the user_namespace class to be defined, and might
> break
> with policies which do not include it (e.g., Rocky Linux 9).

What would you recommend to support both systems where the ‘user_namespace’
class is missing and (newer?) systems where it’s available?  Or should we
consider that the latter is enough?

> Given that the guix-daemon SELinux policy doesn't quite work out of the box
> for
> stable releases (cil file is outdated and doesn't include all required
> permissions), one suggestion can be to use an unconfined domain for the time
> being, at least optionally?
>
> For instance, at least on Fedora and Rocky Linux 9, /gnu's file context can be
> set to usr_t, similar to /usr & /opt, requiring no extra policy:
> --8<---------------cut here---------------start------------->8---
> sudo semanage fcontext -a -t usr_t '/gnu(/.*)?'
> --8<---------------cut here---------------end--------------->8---

Sounds like a reasonable fallback option.

Thanks for reporting this, and apologies for not noticing earlier.  If you
want, you’re welcome to follow up at
<https://codeberg.org/guix/guix/issues/3576>.

Ludo’.
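The question above is how to handle both policies that define the `user_namespace` object class and those that do not. The script below is an added example, not code from the Guix project or from either participant: it checks whether the loaded policy defines the class by looking for its directory under selinuxfs (`/sys/fs/selinux/class/<name>` exists for every class in the loaded policy), and then prints either a CIL allow rule or the `usr_t` relabeling fallback quoted in the thread. The domain name `guix_daemon_t` and the `create` permission on `user_namespace` are assumptions on my part, as is `restorecon -R /gnu` after the `semanage` call; the exact rule Ido proposed is elided in the message above.

```shell
#!/bin/sh
# Added example (not the Guix project's code): choose between a CIL rule that
# needs the `user_namespace` class and the usr_t fallback when the class is
# absent from the loaded policy.
#
# Assumptions (mine, not from the thread):
#   - selinuxfs is mounted at /sys/fs/selinux (override with SELINUXFS);
#   - the guix-daemon domain is named guix_daemon_t;
#   - the user_namespace class carries the permission `create`.

SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Return 0 when the loaded policy defines object class $2 (default:
# user_namespace).  $1 is the selinuxfs root, which makes this testable
# against a constructed directory tree on a host without SELinux.
has_selinux_class() {
  fs="${1:-$SELINUXFS}"
  class="${2:-user_namespace}"
  [ -d "$fs/class/$class" ]
}

# CIL snippet granting guix_daemon_t user-namespace creation (assumed names).
# A CIL module that references an undeclared class fails to load, which is
# why this is only emitted when the class is present.
userns_cil_rule() {
  printf '(allow guix_daemon_t self (user_namespace (create)))\n'
}

# The fallback quoted in the thread: label /gnu as usr_t, then apply it.
usr_t_fallback_cmds() {
  printf "semanage fcontext -a -t usr_t '/gnu(/.*)?'\n"
  printf 'restorecon -R /gnu\n'
}

# Print "cil" when the class exists in the policy, "fallback" otherwise.
choose_route() {
  fs="${1:-$SELINUXFS}"
  if has_selinux_class "$fs" user_namespace; then
    echo cil
  else
    echo fallback
  fi
}

# Print the snippet for the chosen route.
emit_for() {
  case "$(choose_route "$1")" in
    cil)      userns_cil_rule ;;
    fallback) usr_t_fallback_cmds ;;
  esac
}

if [ "${1:-}" = --run ]; then
  # Real use: consult the live selinuxfs.
  emit_for "$SELINUXFS"
fi
```

Run with `--run` on a SELinux host to see which route applies; on a system where `/sys/fs/selinux/class/user_namespace` is missing (the Rocky Linux 9 case described above), the script prints the `usr_t` commands instead of a rule the policy cannot load.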
