Ricardo Wurmus <rek...@elephly.net> wrote:

> Marek Felšöci <marek.fels...@lip6.fr> writes:
>
>> I get an access denied error on the ".guix/channels.scm" file which I
>> own and have access to.
>>
>> I tried to play around with the AppArmor profile, but with no
>> success. Are we still missing something?
>
> Do you see any relevant information in the AppArmor logs?

I actually have a similar error:

--8<---------------cut here---------------start------------->8---
$ guix time-machine -- shell -C hello
guix time-machine: error: failed to load '/builds/.config/guix/channels.scm': Permission denied
$ sudo dmesg | tail -4
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[489967.069236] audit: type=1400 audit(1737015245.640:167): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443371] audit: type=1400 audit(1737015290.015:169): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ ls -l /builds/.config/guix/channels.scm
-rw-rw-r-- 1 ci ci 147 Dec 27 11:28 /builds/.config/guix/channels.scm
$ id
uid=1000(ci) gid=1000(ci) groups=1000(ci)
--8<---------------cut here---------------end--------------->8---

I think the problem we have is that the AppArmor profile now applies to
all ‘guix’ invocations but it doesn’t specify that ‘guix’ can access
user-owned files.

I guess I did something wrong because that means that this profile is in
fact more restrictive than the default one. Is there a way to say we
want to inherit the default profile and only relax it?

Ludo’.
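
An added example, not part of the thread or of Guix: a Python sketch that parses AppArmor DENIED audit records like the ones quoted above, groups them by profile and path, and renders each as a candidate profile rule to review, using the `owner` qualifier when `fsuid` equals `ouid`. The first two sample records are copied from the message; the third is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Two records copied from the dmesg output in the message, plus one
# constructed record (last line) where the file owner differs from the caller.
SAMPLE = '''\
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490100.000000] audit: type=1400 audit(1737015300.000:170): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/etc/example.conf" pid=16600 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of key/value fields per AppArmor DENIED file record."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records


def summarize(text):
    """Count denials per (profile, path, denied_mask, caller_owns_file)."""
    counts = Counter()
    for rec in parse_denials(text):
        # fsuid is the caller's filesystem uid, ouid the uid owning the object.
        owns = "fsuid" in rec and rec.get("fsuid") == rec.get("ouid")
        key = (rec.get("profile", "?"), rec["name"], rec.get("denied_mask", ""), owns)
        counts[key] += 1
    return counts


def candidate_rules(text):
    """Render each distinct denial as a candidate profile rule for review."""
    rules = []
    for (profile, path, mask, owns), n in sorted(summarize(text).items()):
        prefix = "owner " if owns else ""
        rules.append(f"{prefix}{path} {mask},  # profile {profile}, {n} denial(s)")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

The output is a starting point for reviewing a profile, not a rule set to apply unread: each line still needs a decision on whether the access should be granted and how broadly the path should be generalized.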