Hello,

David Lecompte <[email protected]> wrote:
> This is on Trisquel 12, but I only have the problem on one computer with
> Trisquel 12 and guix (while I have several computers in that case), so
> perhaps I have some different setup there. In the journal, I noticed the
> following when I run guix pull:
>
> juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211):
> apparmor="DENIED" operation="file_receive" class="file" profile="guix-
> daemon" name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-
> daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212):
> apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon"
> pid=12886 comm="guix-daemon" capability=7 capname="setuid"
>
> So maybe there is an apparmor issue indeed? I know absolutely nothing about
> apparmor, so any advice on this is appreciated.

I believe nscd sends file descriptors to its clients over sendmsg(2) so they can mmap the cache. Presumably, it’s that file descriptor exchange that AppArmor is forbidding here.

I suppose we should add a rule to the AppArmor profile, but I’m still a bit clueless about it. Ideas?

Thanks,
Ludo’.
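For triaging denials like the two quoted in the message above, here is an added example (not part of the original message and not Guix code) that parses AppArmor audit records and drafts a rule mirroring each one. The function names are hypothetical, the sample lines are the quoted records rejoined onto single lines, and the drafted rules are a starting point for review; this page does not establish that they are the right fix.

```python
import re
import shlex

# Constructed sample: the two denials quoted in the message, rejoined onto one line each.
SAMPLE = [
    'juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211): apparmor="DENIED" operation="file_receive" class="file" profile="guix-daemon" name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212): apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" pid=12886 comm="guix-daemon" capability=7 capname="setuid"',
]

# Matches the "audit(<timestamp>:<serial>): key=value ..." part of a kernel audit line.
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record as a dict, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in shlex.split(m.group(3)):  # shlex strips the double quotes
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    if fields.get("apparmor") != "DENIED":
        return None
    fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields

def draft_rule(d):
    """Draft a profile rule that mirrors the denial (to be reviewed, not a vetted fix)."""
    if d.get("class") == "cap" and "capname" in d:
        return f"capability {d['capname']},"
    if d.get("class") == "file" and "name" in d:
        # Mirrors the logged name as-is, including any prefix the kernel reported.
        return f"{d['name']} {d.get('denied_mask', '')},"
    return None

def summarize(lines):
    """Return (profile, operation, drafted rule) for every denial found in lines."""
    found = []
    for line in lines:
        d = parse_denial(line)
        if d:
            found.append((d.get("profile"), d.get("operation"), draft_rule(d)))
    return found

if __name__ == "__main__":
    for profile, operation, rule in summarize(SAMPLE):
        print(f"{profile}: {operation} -> {rule}")
```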
