[Bug]: Backup file /etc/bashrc.backup-before-nix contains Nix remnants
Platform
- Linux Fedora 42
Additional information
While attempting to install Nix with SELinux enabled, I encountered multiple issues related to permission and daemon connectivity. Here's a summary of the steps taken to make the installation work.
Problem Summary
- SELinux was blocking the installation, and Nix's daemon socket was not accessible.
- The error cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused was persistent.
- Even after using the official installation script with the --daemon flag, the daemon wouldn’t start unless SELinux was disabled or configured explicitly.
Solution Outline
- Temporarily disable SELinux to allow initial installation to proceed:
sudo setenforce 0
- Set required environment variable before installation:
export NIX_BUILD_GROUP_ID=969
- Run the official Nix installer:
sh <(curl -L https://nixos.org/nix/install) --daemon
- Add a custom SELinux policy module to allow Nix to function properly:
module nix 1.0;
require {
    type unconfined_t;
    type tmpfs_t;
    type user_home_t;
    class file { create open read write execute unlink };
    class dir { add_name create remove_name write };
}
# ===== Nix core rules =====
allow unconfined_t tmpfs_t:file { create open read write execute unlink };
allow unconfined_t tmpfs_t:dir { add_name create remove_name write };
allow unconfined_t user_home_t:file { create open read write execute unlink };
allow unconfined_t user_home_t:dir { add_name create remove_name write };
Then compile and install the module:
sudo make -f /usr/share/selinux/devel/Makefile nix.pp
sudo semodule -i nix.pp
- Attempt to run Nix commands:
nix-shell -p hello
hello
This resulted in:
error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused
bash: hello: command not found...
- Try starting the Nix daemon:
sudo systemctl start nix-daemon.service
sudo systemctl enable nix-daemon.service
Output:
Failed to start nix-daemon.service: Unit nix-daemon.service not found.
- Clean reinstall and environment reset:
sudo rm -rf /nix
sudo rm -rf ~/.nix-*
sudo setenforce 0
sh <(curl -L https://nixos.org/nix/install) --daemon
At this point, installation succeeded after resolving the /etc/bashrc.backup-before-nix conflict.
🔎 Verifying the Environment
To check whether Nix-related profile scripts were properly added, I ran:
sudo cat /etc/bashrc.backup-before-nix | grep -i nix
And saw:
# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
. '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
# End Nix
Output
Even after applying the SELinux policy and reinstalling Nix, the daemon unit file was still missing in systemd, and attempting to use nix-shell failed unless SELinux was fully disabled.
This suggests the installation does not complete successfully under SELinux enforcing mode without additional post-install steps or patches. Further troubleshooting might involve verifying which systemd unit files are created by the installer and where.
Checklist
- [ ] Checked the [latest Nix manual]
- [ ] Searched [open installer issues and pull requests]
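An added example, not part of the original issue or the Nix installer: a POSIX shell check for the '# Nix' ... '# End Nix' block shown in the grep output above, which prints the file without that block so it can be reviewed before the backup is restored or removed. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Nix installer. The marker lines '# Nix' and
# '# End Nix' are the ones visible in the grep output above; function names
# and the sample content are constructed for illustration.

# has_nix_block FILE: succeeds if FILE contains the opening marker line.
has_nix_block() {
    grep -qxF '# Nix' "$1"
}

# strip_nix_block FILE: print FILE without the marked block(s).
# Exits 2 when markers are unbalanced, so truncated output is never trusted.
strip_nix_block() {
    awk '
        $0 == "# Nix"     { if (inblock) bad = 1; inblock = 1; next }
        $0 == "# End Nix" { if (!inblock) bad = 1; inblock = 0; next }
        !inblock          { print }
        END               { if (inblock || bad) exit 2 }
    ' "$1"
}

# Constructed stand-in for /etc/bashrc.backup-before-nix. Note that
# `grep -i nix` would not show the closing `fi`, since it lacks the string.
make_sample() {
    printf '%s\n' \
        '# /etc/bashrc' \
        'umask 022' \
        '' \
        '# Nix' \
        "if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then" \
        "  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'" \
        'fi' \
        '# End Nix' \
        'alias ll="ls -l"'
}

# Demo: check the file given as $1, or the constructed sample if none given.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp) && make_sample > "$target"
fi
if has_nix_block "$target"; then
    echo "Nix block found in $target; content without it:" >&2
    strip_nix_block "$target" || echo "unbalanced markers, do not use output" >&2
else
    echo "no Nix block in $target" >&2
fi
[ -n "${1:-}" ] || rm -f "$target"
```

Pass a path such as /etc/bashrc.backup-before-nix as the first argument to check a real file; the script only reads it and writes the cleaned content to standard output.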
The manual and download page both explicitly note the lack of SELinux support for multiuser installs. https://nix.dev/manual/nix/2.29/installation/installing-binary.html#installing-a-binary-distribution
This performs the default type of installation for your platform:
- Linux with systemd and without SELinux
- macOS
- Linux without systemd
- Linux with SELinux
We recommend the multi-user installation if it supports your platform and you can authenticate with sudo.
Triaged in Nix meeting: Assigned to @tomberek and @abathur (if that's ok :) )
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/2025-06-11-nix-team-meeting-minutes-231/65543/1
@roberth unclear what that means in this context, but I do not intend to implement SELinux support in the shell installer since it's one of those things we should get for the low low price of eventually adopting the experimental installer :)