Re: Manual start of user@<uid>.service failed with permission denied

Hi Andrei,

 

As indicated in the logs, neither SELINUX nor APPARMOR is enabled.

 

Best regards,

Christopher Wong

 

 

From: systemd-devel <systemd-devel-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Andrei Borzenkov <arvidjaar@xxxxxxxxx>
Date: Saturday, 9 December 2023 at 07:13
To: systemd-devel@xxxxxxxxxxxxxxxxxxxxx <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Manual start of user@<uid>.service failed with permission denied

On 08.12.2023 23:53, Mantas Mikulėnas wrote:
...

>>
>> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Will mount
>> /run/user/1001 owned by 1001:118
>>
>> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Mounting tmpfs
>> (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV
>> "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")...
>>
>> Dec 08 17:33:29 host systemd[1]: Finished User Runtime Directory
>> /run/user/1001.
>>
>> Dec 08 17:33:29 host systemd[1]: Starting User Manager for UID 1001...
>>
>> Dec 08 17:33:29 host systemd[36280]: systemd 254.7-2-g9edc143 running in
>> user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK
>> +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2
>> -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT
>> -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP
>> -SYSVINIT default-hierarchy=unified)
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/reg', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/dir', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/fifo', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/sock', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/chr', ignoring: Permission denied
>>
>> Dec 08 17:33:29 host systemd[36280]: Failed to create
>> '/run/user/1001/systemd/inaccessible/blk', ignoring: Permission denied
>>
>
> What's the ownership of /run/user/1001 and /run/user/1001/systemd after all
> of this?
>
> Are you rebooting between tests or just manually starting it?
>
> My current guess is that due to the earlier `systemctl set-environment`,
> some *other* thing that's running as root inherited the /run/user/1001 path
> and created root-owned directories there? That's the issue with setting
> global environment, it needs to be unset afterwards...
>

"Permission denied" sounds like something LSM related (AppArmor,
SELinux, ...)
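
Added example, not part of the thread or of systemd: one way to answer the ownership question raised above is to pull the failed paths out of the journal text and check, for each, the owner and mode of the nearest directory that actually exists. The function names are hypothetical, and the permission check is a simplification that ignores supplementary groups, ACLs, capabilities and LSMs.

```python
import os
import re
import stat

# Matches the user manager's message format shown in the thread's journal excerpt.
FAILED = re.compile(r"Failed to create\s+'([^']+)', ignoring: Permission denied")

def failed_paths(journal_text):
    """Return the paths systemd could not create, in order, without duplicates."""
    return list(dict.fromkeys(FAILED.findall(journal_text)))

def nearest_existing(path):
    """Walk up from path to the first ancestor that exists on disk."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        path = os.path.dirname(path)
    return path

def can_create_in(directory, uid, gid):
    """Owner/group/other check for write+search permission on a directory."""
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

def diagnose(journal_text, uid, gid):
    """Per failed path: (path, existing ancestor, its owner uid, its mode, writable by uid)."""
    report = []
    for path in failed_paths(journal_text):
        anc = nearest_existing(path)
        st = os.stat(anc)
        report.append((path, anc, st.st_uid, stat.S_IMODE(st.st_mode),
                       can_create_in(anc, uid, gid)))
    return report

if __name__ == "__main__":
    # Constructed sample in the journal format quoted in the thread (line unwrapped).
    sample = ("Dec 08 17:33:29 host systemd[36280]: Failed to create "
              "'/run/user/1001/systemd/inaccessible', ignoring: Permission denied\n")
    for path, anc, owner, mode, ok in diagnose(sample, uid=1001, gid=118):
        print(f"{path}: nearest dir {anc} owner={owner} mode={mode:04o} writable={ok}")
```

An ancestor owned by a UID other than the user's, with mode 0700 or 0755, would be consistent with the root-owned-directory guess; an ancestor that the check reports as writable points elsewhere.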

