How do I install the SELinux policy for guix-daemon.service on Fedora?
After installing Guix, how do I install the bundled SELinux policy that is meant to allow guix-daemon.service to run? To install Guix 1.3.0 on Fedora 34 Workstation I used the shell installation script:

    $ cd /tmp
    $ wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
    $ chmod +x guix-install.sh
    $ sudo ./guix-install.sh
The script completed successfully. I followed its hints and installed the name service cache daemon:

    $ sudo dnf install nscd
    $ sudo systemctl enable nscd
    $ sudo systemctl start nscd
Unfortunately I cannot proceed with installing glibc-locales, because guix-daemon.service is not running:

    $ guix install glibc-locales
    hint: Consider installing the `glibc-utf8-locales' or `glibc-locales' package and defining `GUIX_LOCPATH', along these lines:

         guix install glibc-utf8-locales
         export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"

    See the "Application Setup" section in the manual, for more info.

    guix install: error: failed to connect to `/var/guix/daemon-socket/socket': No such file or directory
    $ systemctl status guix-daemon
    × guix-daemon.service - Build daemon for GNU Guix
         Loaded: loaded (/etc/systemd/system/guix-daemon.service; enabled; vendor preset: disabled)
         Active: failed (Result: exit-code) since Thu 2021-08-19 21:12:26 EEST; 2h 29min ago
       Main PID: 793 (code=exited, status=203/EXEC)
            CPU: 1ms

    сер 19 21:12:26 fedora systemd[1]: Started Build daemon for GNU Guix.
    сер 19 21:12:26 fedora systemd[793]: guix-daemon.service: Failed to locate executable /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon: Permission denied
    сер 19 21:12:26 fedora systemd[793]: guix-daemon.service: Failed at step EXEC spawning /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon: Permission denied
    сер 19 21:12:26 fedora systemd[1]: guix-daemon.service: Main process exited, code=exited, status=203/EXEC
    сер 19 21:12:26 fedora systemd[1]: guix-daemon.service: Failed with result 'exit-code'.
    сер 19 23:35:07 fedora systemd[1]: /etc/systemd/system/guix-daemon.service:12: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
    сер 19 23:35:07 fedora systemd[1]: /etc/systemd/system/guix-daemon.service:13: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
According to the manual:

"Guix includes an SELinux policy file at etc/guix-daemon.cil that can be installed on a system where SELinux is enabled, in order to label Guix files and to specify the expected behavior of the daemon. ..."

People on the #guix channel on Libera Chat helped me figure out that the instructions above are for a Guix built manually from git. For a Guix installed with the shell installer script, I had to look for the file under /gnu/store:

    $ find /gnu -name guix-daemon.cil
    /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/share/selinux/guix-daemon.cil
    $ cd /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/share/selinux/
    $ sudo semodule -i guix-daemon.cil
Now the manual says:

"Then relabel the file system with restorecon or by a different mechanism provided by your system."

I tried:

    $ sudo restorecon -vR /gnu

which returns many lines of

    restorecon: Could not set context for /gnu/…: Read-only file system

for example:

    $ find /gnu -name guix-daemon.service
    /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service
    $ sudo restorecon -v /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service
    restorecon: Could not set context for /gnu/store/0iii8i1lc4wg3wccs1db7y7d8lg80i04-guix-1.3.0/lib/systemd/system/guix-daemon.service: Read-only file system

and the daemon still fails to start.

My guess is that the problem is related to the SELinux configuration or to how Fedora handles it, but I do not understand it well enough to investigate it myself. Searching the Guix issue tracker for "read-only file system" "SELinux" returned only two unrelated issues.
I looked at the guix install script you posted, and it looks like it is creating a mount point through systemd to mount /gnu. The part of the install script that does this is:

    { # systemd .mount units must be named after the target directory.
      # Here we assume a hard-coded name for /gnu/store.
      # XXX Work around https://issues.guix.gnu.org/41356 until the next release.
      if [ -f ~root/.config/guix/current/lib/systemd/system/gnu-store.mount ]; then
        cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
           /etc/systemd/system/
        chmod 664 /etc/systemd/system/gnu-store.mount
        systemctl daemon-reload && systemctl enable gnu-store.mount
      fi
    }
So this means you must have a file in systemd called **gnu-store.mount**. I poked around and found it has the following content:

    [Unit]
    Description=Read-only @storedir@ for GNU Guix
    DefaultDependencies=no
    ConditionPathExists=@storedir@
    Before=guix-daemon.service

    [Install]
    WantedBy=guix-daemon.service

    [Mount]
    What=@storedir@
    Where=@storedir@
    Type=none
    Options=bind,ro

If you look at Options=bind,ro, it is definitely read-only, so you will need to change it to rw, remount, and then relabel with restorecon. From the description it should not work like this, but I would give it a try. I hope this helps.
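The relabeling approach described above, as an added example that is not part of the question or the answer: it loads the policy found in the store, switches the read-only bind mount to rw only while restorecon runs, and puts it back afterwards. It assumes the layout from the question (a ro bind mount of /gnu/store created by gnu-store.mount, and guix-daemon.cil inside the guix store item) and is run as root.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the layout
# from the question: /gnu/store is bind-mounted read-only by gnu-store.mount and
# guix-daemon.cil lives inside the guix store item. Run relabel_store as root.
set -eu

STORE=/gnu/store

# Print the per-mount options (field 6) of the mount at $2, read from a
# mountinfo-style listing in file $1 (normally /proc/self/mountinfo). Field 5
# is the mount point; the last matching line is the topmost mount.
mount_opts() {
    awk -v mp="$2" '$5 == mp { print $6 }' "$1" | tail -n 1
}

# Succeed if the option string $1 contains "ro" as a standalone flag.
opts_are_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the policy file shipped in the Guix store item (empty if not found).
find_policy() {
    find "$STORE" -maxdepth 4 -path '*/share/selinux/guix-daemon.cil' 2>/dev/null | head -n 1
}

# Load the policy, relabel the store, and leave the mount as it was found:
# restorecon cannot write security.selinux xattrs through the ro bind mount,
# so the mount is switched to rw only for the duration of the relabel.
relabel_store() {
    policy=$(find_policy)
    [ -n "$policy" ] || { echo "guix-daemon.cil not found under $STORE" >&2; return 1; }
    semodule -i "$policy"
    was_ro=0
    if opts_are_ro "$(mount_opts /proc/self/mountinfo "$STORE")"; then
        was_ro=1
        mount -o remount,bind,rw "$STORE"
    fi
    restorecon -R "$STORE"
    [ "$was_ro" -eq 0 ] || mount -o remount,bind,ro "$STORE"
    # Show the label the policy assigned to the daemon binary as a quick check.
    ls -Zd "$STORE"/*-guix-*/bin/guix-daemon 2>/dev/null || true
}

if [ "${1:-}" = "--run" ]; then
    relabel_store
fi
```

Invoke it as `sudo sh relabel-guix-store.sh --run`; without `--run` it only defines the functions so the mount-option helpers can be checked on their own.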