Hi,

On Tue, 02 Jun 2026 at 14:09, Ludovic Courtès <[email protected]> wrote:
>>>> juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211): apparmor="DENIED" operation="file_receive" class="file" profile="guix-daemon" name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>>> juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212): apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" pid=12886 comm="guix-daemon" capability=7 capname="setuid"
>>>>
>>>> So maybe there is an apparmor issue indeed? I know absolutely nothing about
>>>> apparmor, so any advice on this is appreciated.
>>>
>>> I believe nscd sends file descriptors to its clients over sendmsg(2) so
>>> they can mmap the cache. Presumably, it’s that file descriptor exchange
>>> that AppArmor is forbidding here.

[...]

>> Patch at https://codeberg.org/guix/guix/pulls/9028
>
> Problem is that, when running unprivileged, guix-daemon does not call
> setuid(2) because that would fail.

FWIW, I had a similar problem that I reported here:

https://codeberg.org/guix/guix/issues/9011

Well, even doing all these modifications:

--8<---------------cut here---------------start------------->8---
1 file changed, 8 insertions(+)
 etc/apparmor.d/guix-daemon | 8 ++++++++

modified   etc/apparmor.d/guix-daemon
@@ -12,6 +12,11 @@ profile guix-daemon @{guix_storedir}/*-{guix-daemon,guix}-*/bin/guix-daemon flag
   capability net_admin,
   capability sys_chroot,
   capability setgid,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fsetid,
+  capability fowner,
   capability chown,
   network dgram,
   umount,
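Review bot: in the first hunk only `capability setuid,` matches a logged denial (the audit record with capability=7 capname="setuid" quoted above); `dac_override`, `dac_read_search`, `fsetid` and `fowner` have no corresponding DENIED record anywhere in the thread, and dac_override in particular lets the confined daemon bypass file permission checks altogether, which largely defeats the point of the profile. Suggest dropping those four lines and adding capabilities one at a time only as audit records for them appear. Note too that the first denial quoted is operation="file_receive" in class="file", which no capability line addresses.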
@@ -41,6 +46,9 @@ profile guix-daemon @{guix_storedir}/*-{guix-daemon,guix}-*/bin/guix-daemon flag
   /usr/bin/newgidmap Ux,

+  /run/nscd/socket rw,
+  /disconnected/run/nscd/socket rw,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/guix-daemon>
--8<---------------cut here---------------end--------------->8---

It still fails with:

--8<---------------cut here---------------start------------->8---
successfully built /gnu/store/jgwi0161ch6ys9anmsydc9b263rlrjqz-hello-2.12.3.drv
error (ignored): opening `/tmp/guix-build-hello-2.12.3.drv-4/top': Permission denied
guix build: error: opening `/tmp/guix-build-hello-2.12.3.drv-4/top': Permission denied
--8<---------------cut here---------------end--------------->8---

Arf, I’m not sure I really understand what I’m doing… It’s like black-magic
sorcery without good effects. ;-)

Cheers,
simon
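Review bot: in the second hunk the two added `/run/nscd/socket rw,` lines only cover the socket path, but the denial quoted at the top of the thread is operation="file_receive" on name="/disconnected/var/cache/nscd/group" with denied_mask="r": as Ludovic says, nscd hands its clients a descriptor for the cache file over that socket, and AppArmor checks the received file against the profile, so what the log asks for is a read rule on the cache file as logged, not on the socket. The later `Permission denied` on /tmp/guix-build-hello-2.12.3.drv-4/top is a different path that nothing in this hunk touches; before adding more rules, check whether a DENIED audit record naming that build directory appears alongside it, because if none does the error is ordinary file permissions rather than AppArmor.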
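As an added illustration (not code from this thread, from Guix, or from AppArmor's own aa-logprof), the script below parses the two audit records quoted earlier and prints the AppArmor rule each DENIED record maps to, so a profile is extended from what the log actually shows rather than by guessing; the audit lines are embedded as constructed sample input and the rule mapping is an assumption, not a Guix convention.

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted earlier in the thread.
SAMPLE_AUDIT = """\
juin 01 11:01:34 rosa kernel: audit: type=1400 audit(1780304494.536:211): apparmor="DENIED" operation="file_receive" class="file" profile="guix-daemon" name="/disconnected/var/cache/nscd/group" pid=12877 comm="guix-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
juin 01 11:01:39 rosa kernel: audit: type=1400 audit(1780304499.408:212): apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" pid=12886 comm="guix-daemon" capability=7 capname="setuid"
"""

# key=value pairs; a value is either "quoted" or a bare token such as 1400.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one audit line into a dict of its key=value fields."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rule(rec):
    """Return the profile rule that would permit this DENIED record, or None.

    class="cap"  -> capability <capname>,
    class="file" -> <name> <denied_mask>,   (file_receive is a descriptor passed
                    over a socket, so the rule names the file, not the socket)
    Other classes (network, mount, ...) are left for manual review.
    """
    if rec.get("apparmor") != "DENIED":
        return None
    if rec.get("class") == "cap" and "capname" in rec:
        return f"capability {rec['capname']},"
    if rec.get("class") == "file" and "name" in rec:
        mask = rec.get("denied_mask") or rec.get("requested_mask") or "r"
        return f"{rec['name']} {mask},"
    return None


def suggest_rules(audit_text):
    """Group suggested rules by profile name, deduplicated and sorted."""
    per_profile = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        rule = suggest_rule(rec)
        if rule:
            per_profile[rec.get("profile", "?")].add(rule)
    return {profile: sorted(rules) for profile, rules in per_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# rules suggested for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run it against `journalctl -k` output instead of the sample to see which of the five capabilities in the patch the log actually asks for.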
