SELinux `nix` doesn't work after upgrade, needs `restorecon`

[m0nhawk]

After running the suggested upgrade step the nix is not available with the following error:

error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused

And nix-daemon.service is not available after upgrade.

$ sudo systemctl status nix-daemon
Unit nix-daemon.service could not be found.

---

I am running this on Fedora 39, and can reproduce it with uninstall/install/upgrade steps. Though, it's highly disruptive to re-download whole nix store after reinstall.

[m0nhawk]

Still happening with 0.16.1 (forget to mention, before I was using 0.16.0).

I would appreciate any pointers on where to look why the service being removed/inaccessible.

[m0nhawk]

The service is present before the update:

~ $ sudo systemctl status nix-daemon.service
○ nix-daemon.service - Nix Daemon
     Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
TriggeredBy: ● nix-daemon.socket
       Docs: man:nix-daemon
             https://nixos.org/manual

Feb 09 22:20:32 fw systemd[1]: Started nix-daemon.service - Nix Daemon.

But immediately after the upgrade:

~ $ sudo systemctl status nix-daemon.service
Warning: The unit file, source configuration file or drop-ins of nix-daemon.service changed on disk. Run 'systemctl daemon-reload' to reload units.
○ nix-daemon.service - Nix Daemon
     Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
TriggeredBy: ● nix-daemon.socket
       Docs: man:nix-daemon
             https://nixos.org/manual

Feb 09 22:20:32 fw systemd[1]: Started nix-daemon.service - Nix Daemon.

And after daemon-reload it's missing, but!, the service file present:

~ $ ls -laZ /etc/systemd/system/nix-daemon.service
lrwxrwxrwx. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 67 Feb  9 22:32 /etc/systemd/system/nix-daemon.service -> /nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.service

---

Not sure what's going on...

[m0nhawk]

Ok, I narrowed down it to SELinux permissions, running fixes the installation:

restorecon -Rv /nix/
systemctl daemon-reload
systemctl enable nix-daemon.service

It would be nice if sudo -i nix upgrade-nix will somehow fix the SELinux labels.

[Hoverbear]

Thanks for reporting this! That does seem a bug. Unfortunately upstream doesn't support SELinux so we may need to be a big creative about how we resolve this...

[m0nhawk]

Yes, I was checking upstream and it doesn't have anything to support SELinux (also, I appreciate that this installer does have proper support).

I'd like having some | sh -s -- update command for installer, but even documenting this step in README would be beneficial.

[DerRockWolf]

I've also fell into this. Thanks for the workaround @m0nhawk :heart:

What's interesting is that this also happens when no upgrade is done, e.g.,

replacing old 'nix-2.20.3'
installing 'nix-2.20.3'

Well as replacing implies, it's probably doing something :sweat_smile:

[YTG1234]

I'm experiencing a similar issue, but the workaround doesn't work for me. I'm still getting denials after running restorecon. The nix SELinux module is loaded.

[m0nhawk]

@YTG1234 I can try to help.

Are you having the same error cannot connect to socket?

What is the output of (running from root):

systemctl status nix-daemon.service # to check the status of the nix daemon
ls -laZ /etc/systemd/system/nix-daemon.service # to see the SELinux labels for the daemon

And what Linux do you use?

[Ian2020]

I had to reboot after running the restorecon fix before things would work again (Fedora 40). The nix-daemon.service and socket appeared to be enabled in systemd but I still saw "cannot connect to socket..".