[GH-ISSUE #3020] Cannot run Icecat installed with Guix #1893

Closed
opened 2026-05-05 08:33:30 -06:00 by gitea-mirror · 11 comments

Originally created by @ghost on GitHub (Oct 30, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3020

Hello! I'm having trouble running GNUzilla Icecat installed with GNU Guix, a package manager that may be used on any GNU distribution in addition to the native one. It stores its packages in the /gnu directory, automatically generating symlinks to them in ~/.guix-profile/bin, which is then added to the path. My path currently contains these:

  • ~/.guix-profile/bin
  • ~/.guix.profile/sbin
  • ~/.config/guix/current/bin
  • /usr/local/bin
  • …

My operating system is Parabola GNU+Linux-libre and Firejail has been working fine with it. I have only installed Icecat and TeXmacs with Guix; TeXmacs appears to run perfectly fine with firejail, but doesn't have a pre-made profile in Firejail (which therefore falls back to the default profile), whereas Icecat currently does.

Running firejail icecat gives me the message: Error: cannot find the program in the path. When I specify the full path to the binary with ~/.guix-profile/bin/icecat , I get the message: Error: no suitable /home/username/.guix-profile/bin/icecat executable found.

I thought to try whitelisting /gnu for Icecat, so I added whitelist /gnu to its local profile, but with that, Firejail only tells me: Error: invalid whitelist path /gnu.

If whitelisting /gnu might help, how should I do it? If it's unlikely to work, how else could I get Icecat to run in Firejail? Please let me know if any further details on my setup or directory tree might help. Thank you!

@ghost commented on GitHub (Oct 30, 2019):

Have you tried starting icecat using its full path instead of the symlinks this guix provides? I'm not familiar with guix but I assume it would be somewhere under the /gnu directory you mentioned. Hopefully that's enough to get it going. Otherwise you might need to add the below to your icecat.local to ensure the guix stuff in your $HOME is known to firejail:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile
@ghost commented on GitHub (Oct 30, 2019):

Thank you, @glitsj16! Starting Icecat via the full path actually gets it running, and the sandbox seems to work, too. It'd be convenient for the symlink to work, since it changes on every update and the launcher points to it by default, but I reckon I can get my system to update all of that automatically.

Unfortunately, the fonts in Icecat appear to be broken or missing, as the window only shows tofu. The console output complains about files not being found in /gnu/store/[…]/lib/icecat. I suspect Icecat might need access to the directory, but am not sure how to grant it. Is that possible at all?

(I'll check with the Guix community whether access to sub-directories of /gnu is necessary, but it would seem that way.)

@rusty-snake commented on GitHub (Oct 30, 2019):

Running firejail icecat gives me the message: Error: cannot find the program in the path.

IDK why, but FJ ignores $PATH entries in $HOME.

When I specify the full path to the binary with ~/.guix-profile/bin/icecat , I get the message: Error: no suitable /home/username/.guix-profile/bin/icecat executable found.

Icecat has a whitelisting profile, therefore you must also whitelist this file/dir.

I thought to try whitelisting /gnu for Icecat, so I added whitelist /gnu to its local profile, but with that, Firejail only tells me: Error: invalid whitelist path /gnu.

Whitelisting is not supported in /gnu (see the manpage for supported paths).


Where is my first post? I have already commented on this? 😕


Unfortunately, the fonts in Icecat appear to be broken or missing, as the window only shows tofu. The console output complains about files not being found in /gnu/store/[…]/lib/icecat. I suspect Icecat might need access to the directory, but am not sure how to grant it. Is that possible at all?

Start with firejail --name=icecat --ignore=private-bin icecat and then join with firejail --join=icecat bash. Then you can show how /gnu looks in the sandbox (ls /gnu).

@ghost commented on GitHub (Oct 30, 2019):

It'd be convenient for the symlink to work, since it changes on every update and the launcher points to it by default, but I reckon I can get my system to update all of that automatically.

I think you can do this by adding this to your icecat.local, cf. my earlier post:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile

The only hurdle at the moment for that to work is trying to figure out how we can grant access to the /gnu directory. That's what @rusty-snake is trying to gather more info on. We'll get there, always fun to stumble onto new stuff like guix.

@ghost commented on GitHub (Nov 3, 2019):

Reply to @rusty-snake:

Icecat has a whitelisting profile, therefore you must also whitelist this file/dir.

I have added the line whitelist ${HOME}/.guix-profile/bin/icecat, which resulted in the message: Error: invalid whitelist path /home/username/.guix-profile/bin/icecat. The problem may be that the ~/.guix.profile directory is another symlink (see below).

Start with firejail --name=icecat --ignore=private-bin icecat and the join with firejail --join=icecat bash. Then you can show how /gnu looks in the sandbox (ls /gnu).

Interestingly enough, it lists the same files it does when I run the command normally, so maybe the issue is not Icecat being unable to access the directory? :/ I guess I'll ask if anyone knows how that might be intended to work in Guix…

Follow-up reply to @glitsj16:

I think you can do this by adding this to your icecat.local, cfr. my earlier post:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile

So it turns out that all paths lead to /gnu. The directory /home/username/.guix-profile is a symlink to /var/guix/profiles/per-user/username/guix-profile, which in turn is a (likely dynamically changing) symlink to guix-profile-17-link in the same directory, which itself is a symlink to the appropriate profile in /gnu/store. That profile contains a bin directory with further symlinks to the individual packages, also installed in /gnu/store.

@rusty-snake commented on GitHub (Nov 3, 2019):

icecat.profile includes firefox-common.profile which includes whitelist-var-common.inc. So your issue is there: https://github.com/netblue30/firejail/blob/11418a46c1c1c51a1270bb585bf8152f9298bc74/etc/firefox-common.profile#L30

Try adding whitelist /var/guix.

@rusty-snake commented on GitHub (Dec 14, 2019):

@F3nd0
I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

@ghost commented on GitHub (Dec 31, 2019):

@rusty-snake
Unfortunately I do still have the issue, and didn't get much insight into the problem from the Guix community. None of the solutions suggested here have worked for me, either. I could reopen the issue, but I'm out of ideas. :/

@smitsohu commented on GitHub (Dec 31, 2019):

I have added the line whitelist ${HOME}/.guix-profile/bin/icecat, which resulted in the message: Error: invalid whitelist path /home/username/.guix-profile/bin/icecat. The problem may be that the ~/.guix.profile directory is another symlink (see below).

@F3nd0 I guess the mkdir ${HOME}/.guix-profile prevents creating the symbolic link, can you try again without? It is possible you also need to set follow-symlink-as-user to no in /etc/firejail/firejail.config.

Assuming there is not another symlink in ~/.config/guix/current/bin, we currently are at

mkdir ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile
whitelist /var/guix
@smitsohu commented on GitHub (Dec 31, 2019):

I guess the mkdir ${HOME}/.guix-profile prevents creating the symbolic link

Scratch that part, it is nonsense

@ghost commented on GitHub (Jan 2, 2020):

@smitsohu Thank you, setting follow-symlink-as-user to no did the trick! With that, the only line I need in my icecat.local for Icecat to work is: whitelist ${HOME}/.guix-profile. I'll see later if that works for other Guix-origin software, too.

Thank you all for your persistent help; closing!

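The thread's turning point was the Nov 3 finding that ~/.guix-profile is not a directory but a chain of symlinks (home -> /var/guix/profiles/per-user -> a numbered generation link -> /gnu/store), and the later observation that a whitelist entry on a symlink only helps if the sandbox can resolve every hop. The script below is an added example, not code from the firejail project or from anyone in this thread: it resolves a path component by component, prints each link it crosses, and then lists the directories that every hop needs. The Guix-like tree it builds is a constructed stand-in (the store hash prefixes and the generation number are invented), and the helper names resolve_chain, chain_dirs and build_demo_tree are my own. It does not model firejail's own resolution logic or the follow-symlink-as-user setting; it only shows which hops exist, so you know which whitelist lines to try.

```sh
#!/bin/sh
# Added example, not code from the firejail project or from this thread.
# resolve_chain walks a path component by component the way a path lookup
# does, printing every symbolic link it crosses ("link -> target") and
# finally the fully resolved path. chain_dirs reduces that to the list of
# directories that must be visible for every hop to resolve, which is the
# list a whitelist-based sandbox profile has to cover.

# resolve_chain PATH
# Output: one "LINK -> TARGET" line per symlink crossed, then the final path.
resolve_chain() {
    case $1 in /*) ;; *) set -- "$PWD/$1" ;; esac   # make the input absolute
    rest=${1#/}     # components still to be resolved, '/'-separated
    resolved=       # resolved prefix; the empty string stands for '/'
    hops=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case $comp in
            ''|.) continue ;;                          # empty or '.' component
            ..)   resolved=${resolved%/*}; continue ;; # step back one directory
        esac
        resolved=$resolved/$comp
        if [ -L "$resolved" ]; then
            hops=$((hops + 1))
            # same idea as the kernel's ELOOP limit: refuse runaway chains
            [ "$hops" -le 40 ] || { printf 'too many symlinks\n' >&2; return 1; }
            target=$(readlink "$resolved") || return 1
            printf '%s -> %s\n' "$resolved" "$target"
            # Push the target's components back onto the queue so links inside
            # the target path (e.g. a symlinked parent under /var/guix) are
            # resolved too, not just the last component.
            case $target in
                /*) resolved=;               rest=${target#/}${rest:+/$rest} ;;
                *)  resolved=${resolved%/*}; rest=$target${rest:+/$rest} ;;
            esac
        fi
    done
    printf '%s\n' "${resolved:-/}"
}

# chain_dirs PATH
# Output: the parent directory of every symlink in the chain and of the final
# target, deduplicated, in resolution order.
chain_dirs() {
    resolve_chain "$1" | while IFS= read -r line; do
        p=${line%%" -> "*}
        printf '%s\n' "${p%/*}"
    done | awk '!seen[$0]++'
}

# build_demo_tree ROOT
# Constructed stand-in for the layout described in the thread: a per-user
# profile link in $HOME pointing through /var/guix/profiles into /gnu/store.
# Store hash prefixes ("abc-", "def-") and generation 17 are invented.
build_demo_tree() {
    root=$1
    mkdir -p "$root/gnu/store/abc-icecat-profile/bin" \
             "$root/gnu/store/def-icecat/bin" \
             "$root/var/guix/profiles/per-user/username" \
             "$root/home/username"
    : > "$root/gnu/store/def-icecat/bin/icecat"
    ln -s "$root/gnu/store/def-icecat/bin/icecat" \
          "$root/gnu/store/abc-icecat-profile/bin/icecat"
    ln -s "$root/gnu/store/abc-icecat-profile" \
          "$root/var/guix/profiles/per-user/username/guix-profile-17-link"
    ln -s guix-profile-17-link \
          "$root/var/guix/profiles/per-user/username/guix-profile"
    ln -s "$root/var/guix/profiles/per-user/username/guix-profile" \
          "$root/home/username/.guix-profile"
}

demo() {
    root=$(mktemp -d)
    build_demo_tree "$root"
    echo "# symlink hops:"
    resolve_chain "$root/home/username/.guix-profile/bin/icecat"
    echo "# directories every hop needs:"
    chain_dirs "$root/home/username/.guix-profile/bin/icecat"
    rm -rf "$root"
}

demo
```

Run against a real Guix home instead of the demo tree (resolve_chain ~/.guix-profile/bin/icecat), chain_dirs prints the user's home, the per-user directory under /var/guix/profiles and the two /gnu/store directories; each of those is a candidate for a whitelist line, and the /var/guix suggestion made earlier in the thread is exactly the second one. Remember that the generation link changes on every update, so the store directories it prints are only valid until the next guix pull or guix package -u.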