Re: Manual start of user@<uid>.service failed with permission denied

[Andrei Borzenkov <arvidjaar@xxxxxxxxx>]

On 08.12.2023 23:53, Mantas Mikulėnas wrote:
...

> > Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Will mount
> > /run/user/1001 owned by 1001:118
> >
> > Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Mounting tmpfs
> > (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV
> > "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")...
> >
> > Dec 08 17:33:29 host systemd[1]: Finished User Runtime Directory
> > /run/user/1001.
> >
> > Dec 08 17:33:29 host systemd[1]: Starting User Manager for UID 1001...
> >
> > Dec 08 17:33:29 host systemd[36280]: systemd 254.7-2-g9edc143 running in
> > user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK
> > +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2
> > -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT
> > -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP
> > -SYSVINIT default-hierarchy=unified)
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/reg', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/dir', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/fifo', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/sock', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/chr', ignoring: Permission denied
> >
> > Dec 08 17:33:29 host systemd[36280]: Failed to create
> > '/run/user/1001/systemd/inaccessible/blk', ignoring: Permission denied
>
> What's the ownership of /run/user/1001 and /run/user/1001/systemd after all
> of this?
>
> Are you rebooting between tests or just manually starting it?
>
> My current guess is that due to the earlier `systemctl set-environment`,
> some *other* thing that's running as root inherited the /run/user/1001 path
> and created root-owned directories there? That's the issue with setting
> global environment, it needs to be unset afterwards...

"Permission denied" sounds like something LSM related (AppArmor, 
SELinux, ...)