Comment 2 for bug 2064115

Looks like this is a case of https://bugs.launchpad.net/apparmor/+bug/2046844

What does work as a workaround is to create a specifc apparmor profile for guix, that is really unconfined and allows user namespaces:

Create a file /etc/apparmor.d/guix:

----------------------------------------------------
abi <abi/4.0>,
include <tunables/global>

profile guix /usr/bin/guix flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
----------------------------------------------------

Then do:

/etc/init.d/apparmor reload
aa-enforce guix