
SELinux error when /nix is a ZFS dataset #1030

Closed
kbknapp opened this issue Jul 2, 2024 · 3 comments · Fixed by #1031
@kbknapp
Contributor

kbknapp commented Jul 2, 2024

When using the installer to install to a created, but empty, ZFS dataset at /nix the installer fails with a fatal error.

Details:

  • OS: Fedora 40
  • CPU: Intel i9-13950HX
  • RAM: 64GB
  • HDD: 2TB Samsung 980 Pro NVMe
  • FS: ZFS

The steps taken and error message:

$ sudo zfs create -o mountpoint=/nix zroot/nix
$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
info: downloading installer https://install.determinate.systems/nix/tag/v0.19.0/nix-installer-x86_64-linux
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Nix install plan (v0.19.0)
Planner: linux (with default settings)

Planned actions:
* Extract the bundled Nix (originally from /nix/store/k51vv8b59cbjgf61l1klx6lqsa8mb0s1-nix-binary-tarball-2.21.2/nix-2.21.2-x86_64-linux.tar.xz)
* Create a directory tree in `/nix`
* Move the downloaded Nix into `/nix`
* Create build users (UID 30001-30032) and group (GID 30000)
* Setup the default Nix profile
* Place the Nix configuration in `/etc/nix/nix.conf`
* Configure the shell profiles
* Install an SELinux Policy for Nix
* Configure Nix daemon related settings with systemd
* Remove directory `/nix/temp-install-dir`


Proceed? ([Y]es/[n]o/[e]xplain): y
 INFO Step: Create directory `/nix`
 INFO Step: Provision Nix
 INFO Step: Create build users (UID 30001-30032) and group (GID 30000)
 INFO Step: Configure Nix
 INFO Step: Install an SELinux Policy for Nix
 INFO Step: Create directory `/etc/tmpfiles.d`
 INFO Step: Configure Nix daemon related settings with systemd
ERROR 
   0: Install failure
   1: Error executing action
   2: Action `configure_init_service` errored
   3: Failed to execute command with status 1 `"systemctl" "enable" "/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.socket" "--now"`, stdout: 
      stderr: Failed to enable unit: Access denied

   3: 

Location:
   src/cli/subcommand/install.rs:250

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

Consider reporting this error using this URL: https://github.com/DeterminateSystems/nix-installer/issues/new?title=%3Cautogenerated-issue%3E&body=%23%23+Error%0A%60%60%60%0AError%3A+%0A+++0%3A+Install+failure%0A+++1%3A+Error+executing+action%0A+++2%3A+Action+%60configure_init_service%60+errored%0A+++3%3A+Failed+to+execute+command+with+status+1+%60%22systemctl%22+%22enable%22+%22%2Fnix%2Fvar%2Fnix%2Fprofiles%2Fdefault%2Flib%2Fsystemd%2Fsystem%2Fnix-daemon.socket%22+%22--now%22%60%2C+stdout%3A+%0A++++++stderr%3A+Failed+to+enable+unit%3A+Access+denied%0A%0A%0A%60%60%60%0A%0A%23%23+Metadata%0A%7Ckey%7Cvalue%7C%0A%7C--%7C--%7C%0A%7C**version**%7C0.19.0%7C%0A%7C**os**%7Clinux%7C%0A%7C**arch**%7Cx86_64%7C%0A
Installation failure, offering to revert...

Checking SELinux errors:

$ sudo ausearch -m avc -ts recent
----
time->Tue Jul  2 08:29:09 2024
type=AVC msg=audit(1719923349.655:742): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
----
time->Tue Jul  2 08:29:09 2024
type=AVC msg=audit(1719923349.655:743): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
----
time->Tue Jul  2 08:29:09 2024
type=AVC msg=audit(1719923349.812:796): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
----
time->Tue Jul  2 08:31:42 2024
type=AVC msg=audit(1719923502.271:806): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
----

I haven't dug into the SELinux policy that was installed as part of the install process, but I'm guessing the issue lies there.
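The denial lines above are the evidence that matters here: the target type is `default_t`, the label a file gets when no file-context rule matches it, which points at a labelling problem on the new dataset rather than a gap in the policy. This added triage script (not part of the installer or of this issue) parses AVC records in the `ausearch` format shown above, builds the same per-source/target/class rule that audit2allow would print, and flags rules whose target is an unlabelled type; the sample records are constructed copies of the two distinct lines above, and the `UNLABELLED_TYPES` set is an assumed heuristic.

```python
import re

# Constructed sample: the two distinct AVC records from the ausearch output above.
SAMPLE_AVC = """\
type=AVC msg=audit(1719923349.655:742): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1719923502.271:806): avc:  denied  { read } for  pid=1 comm="systemd" name="lib" dev="zfs" ino=1370 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
"""

# Pull the permission set and the source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Target types that mean "no file context matched" (assumed heuristic): a relabel, not an
# allow rule, is normally the right fix when one of these shows up as tcontext.
UNLABELLED_TYPES = {"default_t", "unlabeled_t"}


def parse_avc(text):
    """Return one dict per AVC denial: permissions, source type, target type, object class."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the '----' / 'time->' separators)
        denials.append({
            "perms": m["perms"].split(),
            "stype": m["scontext"].split(":")[2],   # user:role:type:level -> type
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
        })
    return denials


def triage(denials):
    """Merge denials into audit2allow-style rules and attach advice for each one."""
    rules = {}
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    report = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        if ttype in UNLABELLED_TYPES:
            advice = "target is unlabelled: check the .fc rules and relabel (restorecon) before adding this rule"
        else:
            advice = "possible policy gap: confirm the access is intended before allowing it"
        report.append((rule, advice))
    return report
```

Run over the records above it yields a single `allow init_t default_t:lnk_file read;` rule marked as a labelling problem, which is the check worth doing before accepting audit2allow's suggestion.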

@cole-h
Member

cole-h commented Jul 2, 2024

The .fc definition we install is here: https://github.com/DeterminateSystems/nix-installer/blob/21e8fc22f6434cfd31a656067fd3fe1ec0e5074f/src/action/linux/selinux/nix.fc

I'm not terribly familiar with SELinux or its policies... Do you happen to know of a better policy definition?

@kbknapp
Contributor Author

kbknapp commented Jul 4, 2024

Putting the errors through audit2allow says the nix.te (Type Enforcement file) should be changed like this:

require {
+  type default_t;
+  type init_t;
+  class lnk_file read;
}

+allow init_t default_t:lnk_file read;
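Review bot: `allow init_t default_t:lnk_file read;` is broader than the denial it answers. The AVC records show the `lib` symlink on the unit path carrying `tcontext=system_u:object_r:default_t:s0`, the type a file gets when no file-context rule matches it, so this rule lets init_t read every symlink on the system labelled default_t, not just Nix's profile link. Before adding it, verify the installed nix.fc actually covers that path on the ZFS dataset (`matchpathcon -V` or `restorecon -nv` on the symlink) and whether relabeling clears the denial; a labelling fix is the narrower change.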

But I haven't checked if doing that is the only change, or more will be required once that is fixed. Once I have some cycles at my work system where this happened I'll try to see if that's the only change required.

@kbknapp
Contributor Author

kbknapp commented Jul 4, 2024

I forgot I had a system at home that mimics the work setup. I was able to test and it works with those changes. Putting in a PR now.

@cole-h cole-h added this to the 0.20.1 milestone Jul 8, 2024