如何在 Fedora 上安装 guix-daemon.service 的 SELinux 策略?

After installing Guix, how do I install the bundled SELinux policy so that guix-daemon.service is allowed to run?

To install Guix 1.3.0 on a Fedora 34 Workstation I used the shell installer script:

$ cd /tmp
$ wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
$ chmod +x guix-install.sh
$ sudo ./guix-install.sh

The script completed successfully. I followed its hint and installed the name service cache daemon:

$ sudo dnf install nscd
$ sudo systemctl enable nscd
$ sudo systemctl start nscd

Unfortunately, I cannot proceed with installing glibc-locales because guix-daemon.service is not running:

$ guix install glibc-locales
hint: Consider installing the `glibc-utf8-locales' or `glibc-locales' package and defining `GUIX_LOCPATH', along these lines:

     guix install glibc-utf8-locales
     export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"

See the "Application Setup" section in the manual, for more info.

guix install: error: failed to connect to `/var/guix/daemon-socket/socket': No such file or directory
$ systemctl status guix-daemon
× guix-daemon.service - Build daemon for GNU Guix
     Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Thu 2021-08-19 21:12:26 EEST; 2h 29min ago
   Main PID: 793 (code=exited, status=203/EXEC)
        CPU: 1ms

сер 19 21:12:26 fedora systemd[1]: Started Build daemon for GNU Guix.
сер 19 21:12:26 fedora systemd[793]: guix-daemon.service: Failed to locate executable /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon: Permission denied
сер 19 21:12:26 fedora systemd[793]: guix-daemon.service: Failed at step EXEC spawning /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon: Permission denied
сер 19 21:12:26 fedora systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
сер 19 21:12:26 fedora systemd[1]: guix-daemon.service: Failed with result 'exit-code'.
сер 19 23:35:07 fedora systemd[1]: /etc/systemd/system/guix-daemon.service:12: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
сер 19 23:35:07 fedora systemd[1]: /etc/systemd/system/guix-daemon.service:13: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.

According to the manual:

Guix includes an SELinux policy file at etc/guix-daemon.cil that can be installed on a system where SELinux is enabled, in order to label Guix files and to specify the expected behavior of the daemon...

People on the #guix channel on Libera Chat helped me figure out that the instructions above apply to Guix compiled manually from git. For Guix installed with the shell installer script, I had to look for the file under /gnu/store:

$ find /gnu -name guix-daemon.cil
/gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/share/selinux/guix-daemon.cil
$ cd /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/share/selinux/
$ sudo semodule -i guix-daemon.cil

Now, the manual says:

Then relabel the file system with restorecon or by a different mechanism provided by your system.

I tried:

$ sudo restorecon -vR /gnu

This returns a lot of

restorecon: Could not set context for /gnu/…:  Read-only file system

For example:

$ find /gnu -name guix-daemon.service
/gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service
$ sudo restorecon -v /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service
restorecon: Could not set context for /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service:  Read-only file system

and the daemon still fails to start.

My guess is that the problem is related to the SELinux configuration, or to how Fedora handles it, but I don't understand it well enough to investigate on my own. Searching the Guix issue tracker for "read-only file system" and "SELinux" returned only two unrelated issues.

Answer 1

I looked at the guix install script you posted, and it looks like it creates a mount point for /gnu via systemd. The part of the install script that does this is

{ # systemd .mount units must be named after the target directory.
  # Here we assume a hard-coded name of /gnu/store.
  # XXX Work around https://issues.guix.gnu.org/41356 until next release.
  if [ -f ~root/.config/guix/current/lib/systemd/system/gnu-store.mount ]; then
      cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
         /etc/systemd/system/;
      chmod 664 /etc/systemd/system/gnu-store.mount;
      systemctl daemon-reload &&
          systemctl enable gnu-store.mount;
  fi

So this means you must have a unit named gnu-store.mount in systemd. I dug into it and found that it contains the following:

[Unit]
Description=Read-only @storedir@ for GNU Guix
DefaultDependencies=no
ConditionPathExists=@storedir@
Before=guix-daemon.service

[Install]
WantedBy=guix-daemon.service

[Mount]
What=@storedir@
Where=@storedir@
Type=none
Options=bind,ro

If you look at Options=bind,ro, it is definitely read-only, so you would need to change it to rw, remount, and then relabel with restorecon. From the description it shouldn't work like this, but I would give it a try. I hope this helps.
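One way to carry out the remount, relabel, remount cycle the answer describes, as an added example that is not part of the original question or answer and is not Guix project code. It assumes the store is /gnu/store (overridable through a hypothetical GUIX_STORE variable), that gnu-store.mount bind-mounts the store read-only as in the unit shown above, that guix-daemon.cil has already been loaded with `semodule -i`, and that it is run as root when invoked with `--relabel`. The helper names (mount_opts, is_readonly, count_rofs_errors, relabel_store) and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the question, the answer or the Guix project.
# Makes the read-only bind mount of the Guix store writable just long enough
# for restorecon to write SELinux labels, then restores the ro flag that
# gnu-store.mount set. Assumptions: store is /gnu/store (override with the
# hypothetical GUIX_STORE variable), guix-daemon.cil is already loaded with
# `semodule -i`, and this runs as root when invoked with --relabel.
set -u

STORE="${GUIX_STORE:-/gnu/store}"

# Constructed sample of /proc/self/mountinfo (not captured from a real host):
# the root filesystem plus the ro bind mount that gnu-store.mount creates.
SAMPLE_MOUNTINFO='26 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
112 26 8:2 /gnu/store /gnu/store ro,relatime shared:112 - ext4 /dev/sda2 rw'

# mount_opts MOUNTPOINT [MOUNTINFO_TEXT]
# Prints the per-mount options (field 6 of mountinfo) for MOUNTPOINT. Reads
# /proc/self/mountinfo unless MOUNTINFO_TEXT is given, so it can be exercised
# against the sample above. mountinfo escapes spaces in paths as \040; this
# helper does not decode them.
mount_opts() {
    info="${2:-$(cat /proc/self/mountinfo)}"
    printf '%s\n' "$info" | awk -v mp="$1" '$5 == mp { print $6; exit }'
}

# is_readonly OPTS: succeeds if the comma-separated OPTS carry a stand-alone
# ro flag. This per-mount flag, not the underlying ext4 superblock, is what
# made restorecon report "Read-only file system" (setting the
# security.selinux xattr is a write).
is_readonly() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# count_rofs_errors FILE: number of restorecon lines that failed with EROFS.
# Expect 0 once the relabel has gone through.
count_rofs_errors() {
    grep -c 'Read-only file system' "$1" || true
}

# relabel_store: the remount/relabel/remount cycle. Only the bind mount's
# own flags are flipped (mount -o remount,bind,...); the source directory
# and the gnu-store.mount unit are left untouched.
relabel_store() {
    opts=$(mount_opts "$STORE")
    if [ -z "$opts" ]; then
        echo "$STORE is not a separate mount; running restorecon directly" >&2
    elif is_readonly "$opts"; then
        mount -o remount,bind,rw "$STORE" || return 1
    fi
    log=$(mktemp)
    restorecon -vR "$STORE" 2>&1 | tee "$log"
    # Put the ro flag back regardless of restorecon's outcome, then report.
    [ -n "$opts" ] && mount -o remount,bind,ro "$STORE"
    echo "EROFS failures after relabel: $(count_rofs_errors "$log")"
    rm -f "$log"
}

case "${1:-}" in
    --relabel) relabel_store ;;
    *) : ;;   # no arguments: only define the helpers (safe to source)
esac
```

Run it as `sudo sh relabel-store.sh --relabel`, then `systemctl restart guix-daemon`. Putting the mount back to ro at the end matters: the read-only bind exists so that nothing but the daemon modifies the store, and editing gnu-store.mount to `rw` permanently would remove that protection rather than fix the labelling. To confirm the labels took, compare `ls -Z` on the guix-daemon binary before and after, and look for remaining denials with `ausearch -m avc -ts recent` after restarting the service.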
