[DSE-Dev] Bug#1090966: "Could not create manager: Permission denied" (also affects systemd-timesyncd)
Antonio Russo
aerusso at aerusso.net
Thu Dec 26 12:57:29 GMT 2024
The problem is resolved with a local selinux module with these extra permissions granted to systemd_resolved_t:
allow systemd_resolved_t init_runtime_t:sock_file create;
allow systemd_resolved_t init_runtime_t:dir watch;
The confusion was caused by [1], or something else that caused the kernel to not print the avc: lines
on policy denial. By luck, one of the boot-ups exposed this. Earlier boots might have exposed the lines,
but the audit2* commands seem to only process avc: lines after the audit daemon is started, so I might
have missed the kernel log entry, because I was assuming that audit2why would have shown me something.
I'm not sure why delaying the service startup by a couple of seconds (until after systemd-tmpfiles finishes)
causes the service bring-up to succeed, so the correct fix is probably more than just adding those
two extra permissions, but it works in the meantime.
Best,
Antonio
[1] https://github.com/linux-audit/audit-kernel/issues/17
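Added example (not from the message above or from the Debian selinux packaging): a small script that does what audit2allow would have done had it seen the early-boot denials, i.e. reads avc: lines straight from kernel log text (dmesg output, which exists before auditd starts), turns them into allow rules and writes the local module as a .te file. The log lines are constructed to match the two denials in the message; the module name and the exact file names in the avc records are assumptions.

```python
import re
from collections import OrderedDict

# Constructed kernel-log excerpt (dmesg style). The avc lines mirror the two
# permissions from the message; the object names/pids are made up.
SAMPLE_DMESG = """\
[    3.412] audit: type=1400 audit(1735217849.101:7): avc:  denied  { create } for  pid=512 comm="systemd-resolve" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=0
[    3.413] audit: type=1400 audit(1735217849.102:8): avc:  denied  { watch } for  pid=512 comm="systemd-resolve" dev="tmpfs" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
[    9.880] systemd[1]: Started systemd-journald.service - Journal Service.
"""

# One avc: line carries the permission set, source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context: str) -> str:
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_avc(log_text: str) -> "OrderedDict":
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = OrderedDict()
    for m in AVC_RE.finditer(log_text):
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def format_rules(denials) -> list:
    """Render one allow rule per (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {perm_set(p)};" for (s, t, c), p in denials.items()]

def perm_set(perms) -> str:
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te(module: str, version: str, denials) -> str:
    """Full .te source: module header, require block, allow rules."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in denials.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + format_rules(denials)
    return "\n".join(lines) + "\n"

def build_commands(module: str) -> list:
    """Standard checkmodule/semodule_package/semodule sequence to load the .te (as root)."""
    return [f"checkmodule -M -m -o {module}.mod {module}.te",
            f"semodule_package -o {module}.pp -m {module}.mod",
            f"semodule -i {module}.pp"]
```

On a real host, feed it `dmesg` output (or `journalctl -k`) rather than the constructed sample, write `build_te(...)` to `<module>.te` and run the three commands; compare the resulting rules against what `audit2allow` reports once auditd is up to spot the denials it never saw.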