Ludovic Courtès <[email protected]> writes:

> Hello,
>
> David Lecompte <[email protected]> skribis:
>
>> This is on Trisquel 12, but I only have the problem on one computer with
>> Trisquel 12 and guix (while I have several computers in that case), so
>> perhaps I have some different setup there. In the journal, I noticed the
>> following when I run guix pull:
>>
>> juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211): apparmor="DENIED" operation="file_receive" class="file" profile="guix-daemon" name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212): apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" pid=12886 comm="guix-daemon" capability=7  capname="setuid"
>>
>> So maybe there is an apparmor issue indeed? I know absolutely nothing about
>> apparmor, so any advice on this is appreciated.
>
> I believe nscd sends file descriptors to its clients over sendmsg(2) so
> they can mmap the cache.  Presumably, it’s that file descriptor exchange
> that AppArmor is forbidding here.
>
> I suppose we should add a rule to the AppArmor profile, but I’m still a
> bit clueless about it.
>
> Ideas?

In the logs it shows that it's specifically the host file
/var/cache/nscd/group (from outside of the build environment) and “setuid”
that were blocked.

Presumably, the setuid failure is probably important, while the nscd
cache can be ignored.

We can authorize these two in the AppArmor profile. But I would only
authorize the setuid, since in principle we don’t want files from
outside the build environment to get in. Also the nscd cache would be of
no use there.

Patch at https://codeberg.org/guix/guix/pulls/9028

Have a nice day,
Noé
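As an added example (not code from this thread, from Guix, or from the linked patch), here is a small Python triage script that parses AppArmor `DENIED` audit records like the two quoted above and applies the policy described in the reply: turn each denial into the AppArmor rule that would permit it, but only keep the `capability setuid,` rule and reject the file rule for the host nscd cache path. The two sample log lines are constructed copies of the journal lines quoted in the thread, joined onto single lines; the profile name `guix-daemon` and the field names come from those lines, and the `should_authorize` policy function is this example's own assumption about how to encode "only authorize the setuid".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two denials quoted in the thread, each on one line.
SAMPLE_LOG = [
    'juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211): '
    'apparmor="DENIED" operation="file_receive" class="file" profile="guix-daemon" '
    'name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-daemon" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212): '
    'apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" '
    'pid=12886 comm="guix-daemon" capability=7  capname="setuid"',
]

# key=value pairs; the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit record.

    Returns None when the line carries no apparmor= field, so callers can
    feed it arbitrary journal output.
    """
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields if "apparmor" in fields else None


def candidate_rule(event: Dict[str, str]) -> Optional[str]:
    """Translate one DENIED event into the AppArmor rule that would permit it.

    Only the two record classes seen in the thread are handled: capability
    denials become `capability <name>,` and file denials become
    `<path> <mode>,` using the literal name= field as logged.
    """
    if event.get("apparmor") != "DENIED":
        return None
    if event.get("class") == "cap" and "capname" in event:
        return f'capability {event["capname"]},'
    if event.get("class") == "file" and "name" in event:
        return f'{event["name"]} {event.get("denied_mask", "r")},'
    return None


def should_authorize(event: Dict[str, str], profile: str = "guix-daemon") -> bool:
    """Policy from the reply (this example's own encoding of it): grant the
    capability for the daemon's profile, never grant access to host files
    that the build environment is not supposed to see."""
    if event.get("profile") != profile:
        return False
    return event.get("class") == "cap"


def triage(lines: List[str], profile: str = "guix-daemon") -> Tuple[List[str], List[str]]:
    """Split journal lines into (rules to add to the profile, rules rejected)."""
    add: List[str] = []
    reject: List[str] = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        rule = candidate_rule(event)
        if rule is None:
            continue
        (add if should_authorize(event, profile) else reject).append(rule)
    return add, reject


if __name__ == "__main__":
    to_add, rejected = triage(SAMPLE_LOG)
    print("rules to add:")
    for rule in to_add:
        print("  " + rule)
    print("rules rejected:")
    for rule in rejected:
        print("  " + rule)
```

Feeding real output (for example from `journalctl -k`) through `triage` gives a short list of rules to review by hand rather than something to paste blindly: the rejected list is the useful part, since it shows which denials a looser profile would silently have granted.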
