SELinux: `Unit system-manager.target not found`
Describe the bug
Running on openSUSE Tumbleweed with a minimal configuration, activation fails with `Unit system-manager.target not found`. Unsure whether this is due to the minimal configuration or to openSUSE. Notably, the target file is generated empty:
$ cat /etc/systemd/system/system-manager.target
[Unit]
$
# Minimal configuration used to reproduce the report: one inline module that
# only pins the platform and sets allowAnyDistro (needed here because the host
# is openSUSE rather than a distro system-manager checks for by default).
systemConfigs.default = system-manager.lib.makeSystemConfig {
  modules = [
    # A bare attribute set with no `options`/`config` keys is treated as
    # config by the module system, so the `({...}: { config = ...; })`
    # wrapper is not needed.
    {
      nixpkgs.hostPlatform = "x86_64-linux";
      system-manager.allowAnyDistro = true;
    }
  ];
};
Full output:
$ sudo system-manager switch --flake .
[2024-09-25T10:46:26Z INFO system_manager::register] Trying flake URI: .#systemConfigs.yoga...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:26Z INFO system_manager::register] Attribute .#systemConfigs.yoga not found in flake.
[2024-09-25T10:46:26Z INFO system_manager::register] Trying flake URI: .#systemConfigs.default...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:26Z INFO system_manager::register] Success, using .#systemConfigs.default
[2024-09-25T10:46:26Z INFO system_manager::register] Building new system-manager generation...
[2024-09-25T10:46:26Z INFO system_manager::register] Running nix build...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:28Z INFO system_manager::register] Built system-manager profile /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO system_manager::register] Creating new generation from /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO system_manager::register] Registering GC root...
[2024-09-25T10:46:28Z INFO system_manager] Creating symlink: /nix/var/nix/gcroots/system-manager-current -> /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO system_manager::register] Done
[2024-09-25T10:46:28Z INFO system_manager::activate] Activating system-manager profile: /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO system_manager::activate] Running pre-activation assertions...
All pre-activation assertions succeeded.
[2024-09-25T10:46:28Z INFO system_manager::activate] Reading state info from /var/lib/system-manager/state/system-manager-state.json
[2024-09-25T10:46:28Z INFO system_manager::activate] Activating etc files...
[2024-09-25T10:46:28Z INFO system_manager::activate::etc_files] Reading etc file definitions...
[2024-09-25T10:46:28Z INFO system_manager::activate::etc_files] Creating /etc entries in /etc
[2024-09-25T10:46:28Z INFO system_manager] Creating symlink: /etc/.system-manager-static -> /nix/store/m6jy60pq7gvlbd5gdglcj12ijjig6kqp-etc-static-env
[2024-09-25T10:46:28Z INFO system_manager::activate::etc_files] Done
[2024-09-25T10:46:28Z INFO system_manager::activate] Activating tmp files...
[2024-09-25T10:46:28Z INFO system_manager::activate] Activating systemd services...
[2024-09-25T10:46:28Z INFO system_manager::activate::services] Reading new service definitions...
[2024-09-25T10:46:28Z INFO system_manager::activate::services] Reloading the systemd daemon...
[2024-09-25T10:46:29Z ERROR system_manager::activate::services] Service system-manager.target: error starting, please consult the logs
[2024-09-25T10:46:29Z ERROR system_manager::activate::services] Unit system-manager.target not found.
[2024-09-25T10:46:29Z INFO system_manager::activate::services] Done
[2024-09-25T10:46:29Z INFO system_manager::activate] Writing state info into file: /var/lib/system-manager/state/system-manager-state.json
Could be related to SELinux.
SELinux is preventing systemd from read access on the lnk_file systemd.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow systemd to have read access on the systemd lnk_file
Then you need to change the label on systemd
Do
# semanage fcontext -a -t FILE_TYPE 'systemd'
where FILE_TYPE is one of the following: NetworkManager_dispatcher_console_var_run_t, NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_initrc_exec_t, NetworkManager_unit_file_t, NetworkManager_var_run_t, abrt_etc_t, abrt_unit_file_t, abrt_var_run_t, accountsd_unit_file_t, admin_home_t, afterburn_runtime_t, afterburn_unit_file_t, aiccu_etc_t, aiccu_var_run_t, alsa_etc_rw_t, alsa_lock_t, alsa_unit_file_t, alsa_var_run_t, amanda_unit_file_t, anaconda_unit_file_t, antivirus_conf_t, antivirus_unit_file_t, antivirus_var_run_t, apcupsd_lock_t, apcupsd_unit_file_t, apcupsd_var_run_t, apmd_lock_t, apmd_unit_file_t, apmd_var_run_t, arpwatch_unit_file_t, arpwatch_var_run_t, asterisk_etc_t, asterisk_var_run_t, audisp_var_run_t, auditd_unit_file_t, auditd_var_run_t, automount_lock_t, automount_unit_file_t, automount_var_run_t, avahi_conf_t, avahi_unit_file_t, avahi_var_run_t, bacula_var_run_t, bcfg2_unit_file_t, bcfg2_var_run_t, bin_t, bitlbee_conf_t, bitlbee_var_run_t, blkmapd_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_conf_t, bluetooth_lock_t, bluetooth_unit_file_t, bluetooth_var_run_t, boinc_unit_file_t, boltd_var_lib_t, boltd_var_run_t, boot_t, boothd_etc_t, boothd_unit_file_t, boothd_var_run_t, bootloader_etc_t, bootloader_var_run_t, bootupd_unit_file_t, bootupd_var_run_t, brltty_unit_file_t, brltty_var_run_t, cache_home_t, cachefilesd_var_run_t, callweaver_var_run_t, canna_var_run_t, cardmgr_var_run_t, ccs_var_run_t, cert_t, certmaster_var_run_t, certmonger_unit_file_t, certmonger_var_run_t, cgconfig_etc_t, cgred_var_run_t, cgroup_memory_pressure_t, cgroup_t, cgrules_etc_t, chronyd_unit_file_t, chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_scheduler_unit_file_t, cinder_var_run_t, cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, cluster_conf_t, cluster_unit_file_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cobbler_etc_t, collectd_unit_file_t, collectd_var_run_t, colord_unit_file_t, 
comsat_var_run_t, condor_conf_t, condor_unit_file_t, condor_var_lock_t, condor_var_run_t, config_home_t, conman_unit_file_t, conman_var_run_t, conntrackd_conf_t, conntrackd_unit_file_t, conntrackd_var_lock_t, conntrackd_var_run_t, consolekit_unit_file_t, consolekit_var_run_t, container_config_t, container_file_t, container_kvm_var_run_t, container_lock_t, container_plugin_var_run_t, container_ro_file_t, container_runtime_tmpfs_t, container_unit_file_t, container_var_lib_t, container_var_run_t, coreos_boot_mount_generator_unit_file_t, coreos_installer_unit_file_t, coreos_installer_var_run_t, couchdb_conf_t, couchdb_unit_file_t, couchdb_var_run_t, courier_etc_t, courier_var_run_t, cpucontrol_conf_t, cpuplug_lock_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_etc_t, cupsd_lock_t, cupsd_lpd_var_run_t, cupsd_rw_etc_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_var_run_t, cyrus_var_run_t, data_home_t, dbskkd_var_run_t, dbus_home_t, dbusd_etc_t, dbusd_unit_file_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_etc_t, ddclient_var_run_t, deltacloudd_var_run_t, denyhosts_var_lock_t, device_t, devicekit_var_run_t, devlog_t, dhcp_etc_t, dhcpc_var_run_t, dhcpd_unit_file_t, dhcpd_var_run_t, dictd_etc_t, dictd_var_run_t, dirsrv_snmp_var_run_t, dirsrv_unit_file_t, dirsrv_var_lock_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_run_t, dnsmasq_etc_t, dnsmasq_unit_file_t, dnsmasq_var_run_t, dnssec_trigger_unit_file_t, dnssec_trigger_var_run_t, dovecot_etc_t, dovecot_var_run_t, drbd_lock_t, drbd_var_run_t, dspam_var_run_t, entropyd_var_run_t, etc_aliases_t, etc_mail_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_run_t, exim_var_run_t, exports_t, fail2ban_var_run_t, fcoemon_var_run_t, fdo_conf_rw_t, fdo_conf_t, fdo_unit_file_t, fenced_lock_t, fenced_var_run_t, fetchmail_etc_t, fetchmail_var_run_t, 
file_context_t, fingerd_etc_t, fingerd_var_run_t, firewalld_etc_rw_t, firewalld_unit_file_t, firewalld_var_run_t, firstboot_etc_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_etc_t, ftpd_lock_t, ftpd_unit_file_t, ftpd_var_run_t, fwupd_unit_file_t, games_srv_var_run_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, gdomap_var_run_t, getty_etc_t, getty_lock_t, getty_unit_file_t, getty_var_run_t, gfs_controld_var_run_t, gkeyringd_gnome_home_t, glance_api_unit_file_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_var_run_t, glusterd_var_run_t, gnome_home_t, gnome_initial_setup_var_run_t, gpm_conf_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, gstreamer_home_t, haproxy_unit_file_t, haproxy_var_run_t, hddtemp_etc_t, home_root_t, hostapd_unit_file_t, hostapd_var_run_t, hostname_etc_t, hsqldb_unit_file_t, httpd_config_t, httpd_lock_t, httpd_unit_file_t, httpd_var_run_t, hwloc_dhwd_unit_t, hwloc_var_run_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, ibacm_conf_t, ibacm_var_run_t, icc_data_home_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_var_run_t, init_tmp_t, init_var_lib_t, init_var_run_t, initrc_var_run_t, innd_etc_t, innd_unit_file_t, innd_var_run_t, insights_client_etc_rw_t, insights_client_etc_t, insights_client_unit_file_t, insights_client_var_lock_t, insights_client_var_run_t, install_var_run_t, iodined_unit_file_t, ipmievd_lock_t, ipmievd_unit_file_t, ipmievd_var_run_t, ipsec_mgmt_lock_t, ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_lock_t, iptables_unit_file_t, iptables_var_lib_t, iptables_var_run_t, irc_conf_t, irqbalance_var_run_t, irssi_etc_t, iscsi_lock_t, iscsi_unit_file_t, iscsi_var_run_t, 
isnsd_var_run_t, iwhd_var_run_t, jetty_unit_file_t, jetty_var_run_t, kadmind_var_run_t, kanidm_conf_t, kanidm_unixd_var_cache_t, kanidm_unixd_var_run_t, kdump_dep_unit_file_t, kdump_etc_t, kdump_lock_t, kdump_unit_file_t, keepalived_unit_file_t, keepalived_var_run_t, keystone_unit_file_t, keystone_var_run_t, kismet_var_run_t, klogd_var_run_t, kmod_var_run_t, krb5_conf_t, krb5kdc_conf_t, krb5kdc_lock_t, krb5kdc_var_run_t, ksm_unit_file_t, ksmtuned_unit_file_t, ksmtuned_var_run_t, ktalkd_unit_file_t, kubernetes_file_t, l2tp_conf_t, l2tpd_var_run_t, ld_so_t, lib_t, likewise_etc_t, likewise_pstore_lock_t, lircd_etc_t, lircd_var_run_t, lldpad_var_run_t, local_login_lock_t, locale_t, locate_var_run_t, lockdev_lock_t, logrotate_lock_t, logwatch_lock_t, logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, lsmd_var_run_t, lttng_sessiond_unit_file_t, lttng_sessiond_var_run_t, lvm_etc_t, lvm_lock_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, machineid_t, mail_spool_t, mailman_lock_t, mailman_var_run_t, man_cache_t, man_t, mandb_lock_t, mcelog_etc_t, mcelog_var_run_t, mdadm_conf_t, mdadm_unit_file_t, mdadm_var_run_t, memcached_var_run_t, minidlna_conf_t, minidlna_var_run_t, minissdpd_conf_t, minissdpd_var_run_t, mnt_t, mock_etc_t, mock_var_run_t, modemmanager_unit_file_t, modules_conf_t, modules_object_t, mon_statd_var_run_t, mongod_unit_file_t, mongod_var_run_t, motion_unit_file_t, motion_var_run_t, mount_var_run_t, mozilla_conf_t, mpd_etc_t, mpd_var_run_t, mplayer_etc_t, mptcpd_etc_t, mrtg_etc_t, mrtg_lock_t, mrtg_var_run_t, mscan_etc_t, mscan_var_run_t, munin_etc_t, munin_var_run_t, mysqld_etc_t, mysqld_unit_file_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, nagios_etc_t, nagios_var_run_t, named_conf_t, named_unit_file_t, named_var_run_t, net_conf_t, netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, 
nmbd_var_run_t, nova_unit_file_t, nova_var_run_t, nrpe_etc_t, nrpe_var_run_t, nscd_unit_file_t, nscd_var_run_t, nsd_var_run_t, nslcd_conf_t, nslcd_var_run_t, ntop_etc_t, ntop_var_run_t, ntp_conf_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, numad_var_run_t, nut_conf_t, nut_unit_file_t, nut_var_run_t, nvme_stas_unit_file_t, nvme_stas_var_run_t, nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, opafm_var_run_t, openct_var_run_t, opendnssec_conf_t, opendnssec_unit_file_t, opendnssec_var_run_t, openhpid_var_run_t, openshift_var_run_t, opensm_unit_file_t, openvpn_etc_rw_t, openvpn_etc_t, openvpn_var_run_t, openvswitch_rw_t, openvswitch_unit_file_t, openvswitch_var_run_t, openwsman_run_t, openwsman_unit_file_t, oracleasm_conf_t, osad_var_run_t, packagekit_unit_file_t, pads_config_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_var_run_t, pcp_var_run_t, pcscd_var_run_t, pdns_conf_t, pdns_unit_file_t, pdns_var_run_t, pegasus_conf_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, pingd_etc_t, pkcs_slotd_lock_t, pkcs_slotd_unit_file_t, pkcs_slotd_var_run_t, pki_ra_lock_t, pki_ra_var_run_t, pki_tomcat_lock_t, pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_lock_t, pki_tps_var_run_t, plymouthd_var_run_t, policykit_var_run_t, polipo_etc_t, polipo_pid_t, polipo_unit_file_t, portmap_var_run_t, portreserve_etc_t, portreserve_var_run_t, postfix_etc_t, postfix_var_run_t, postgresql_etc_t, postgresql_lock_t, postgresql_unit_file_t, postgresql_var_run_t, postgrey_etc_t, postgrey_var_run_t, power_unit_file_t, pppd_etc_t, pppd_lock_t, pppd_unit_file_t, pppd_var_run_t, pptp_var_run_t, prelude_audisp_var_run_t, prelude_correlator_config_t, prelude_lml_var_run_t, prelude_var_run_t, print_spool_t, printconf_t, privoxy_var_run_t, proc_t, prosody_unit_file_t, prosody_var_run_t, psad_etc_t, psad_var_run_t, ptal_etc_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, puppet_etc_t, 
puppet_var_run_t, pwauth_var_run_t, pyicqt_var_run_t, qatlib_conf_t, qatlib_unit_file_t, qatlib_var_run_t, qdiskd_var_run_t, qemu_var_run_t, qmail_etc_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_conf_t, rabbitmq_unit_file_t, rabbitmq_var_lock_t, rabbitmq_var_run_t, radiusd_etc_t, radiusd_unit_file_t, radiusd_var_run_t, radvd_etc_t, radvd_var_run_t, rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, redis_conf_t, redis_unit_file_t, redis_var_run_t, regex_milter_data_t, restorecond_var_run_t, rhcd_unit_file_t, rhcd_var_run_t, rhev_agentd_unit_file_t, rhev_agentd_var_run_t, rhnsd_conf_t, rhnsd_unit_file_t, rhnsd_var_run_t, rhsmcertd_config_t, rhsmcertd_lock_t, rhsmcertd_var_run_t, ricci_modcluster_var_run_t, ricci_modstorage_lock_t, ricci_var_run_t, rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, root_t, roundup_var_run_t, rpcbind_unit_file_t, rpcbind_var_run_t, rpcd_lock_t, rpcd_unit_file_t, rpcd_var_run_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rpm_var_run_t, rrdcached_var_run_t, rshim_unit_file_t, rsync_etc_t, rsync_var_run_t, rtas_errd_unit_file_t, rtas_errd_var_lock_t, rtas_errd_var_run_t, samba_etc_t, samba_unit_file_t, sanlk_resetd_unit_file_t, sanlock_conf_t, sanlock_unit_file_t, sanlock_var_run_t, saslauthd_var_run_t, sbd_unit_file_t, sbd_var_run_t, sblim_var_run_t, screen_var_run_t, security_t, selinux_autorelabel_generator_unit_file_t, selinux_config_t, selinux_login_config_t, semanage_read_lock_t, semanage_store_t, semanage_trans_lock_t, sendmail_var_run_t, sensord_unit_file_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_run_t, shell_exec_t, shorewall_etc_t, shorewall_lock_t, slapd_etc_t, slapd_lock_t, slapd_unit_file_t, slapd_var_run_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, snapperd_conf_t, snmpd_var_run_t, snort_etc_t, snort_var_run_t, sosreport_var_run_t, soundd_etc_t, soundd_var_run_t, spamass_milter_data_t, spamd_etc_t, spamd_unit_file_t, spamd_update_unit_file_t, spamd_var_run_t, 
spc_var_run_t, speech_dispatcher_unit_file_t, squid_conf_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sshd_var_run_t, sslh_config_t, sslh_unit_file_t, sslh_var_run_t, sssd_conf_t, sssd_public_t, sssd_unit_file_t, sssd_var_lib_t, sssd_var_run_t, stalld_unit_file_t, stalld_var_run_t, stapserver_var_run_t, stratisd_data_t, stratisd_var_run_t, stunnel_etc_t, stunnel_var_run_t, svc_conf_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, svnserve_unit_file_t, svnserve_var_run_t, swat_var_run_t, swift_lock_t, swift_unit_file_t, swift_var_run_t, sysfs_t, syslog_conf_t, syslogd_unit_file_t, syslogd_var_run_t, sysstat_var_run_t, system_conf_t, system_cronjob_lock_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, systemd_bless_boot_generator_unit_file_t, systemd_bootchart_unit_file_t, systemd_bootchart_var_run_t, systemd_btrfs_soft_reboot_generator_unit_file_t, systemd_conf_t, systemd_cryptsetup_generator_unit_file_t, systemd_debug_generator_unit_file_t, systemd_fstab_generator_unit_file_t, systemd_generic_generator_unit_file_t, systemd_getty_generator_unit_file_t, systemd_gpt_generator_unit_file_t, systemd_growpart_generator_unit_file_t, systemd_home_t, systemd_hwdb_etc_t, systemd_hwdb_unit_file_t, systemd_ibft_rule_generator_unit_file_t, systemd_importd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_machined_unit_file_t, systemd_machined_var_run_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_networkd_var_run_t, systemd_nsresourced_runtime_t, systemd_passwd_var_run_t, systemd_rc_local_generator_unit_file_t, systemd_resolved_unit_file_t, systemd_resolved_var_run_t, systemd_rfkill_unit_file_t, systemd_runtime_unit_file_t, systemd_socket_proxyd_unit_file_t, systemd_ssh_generator_unit_file_t, systemd_status_mail_generator_unit_file_t, systemd_sysv_generator_unit_file_t, systemd_timedated_unit_file_t, 
systemd_timedated_var_lib_t, systemd_timedated_var_run_t, systemd_tpm2_generator_unit_file_t, systemd_udev_trigger_generator_unit_file_t, systemd_unit_file_t, systemd_userdbd_runtime_t, systemd_userdbd_unit_file_t, systemd_vconsole_unit_file_t, systemd_zram_generator_unit_file_t, tangd_cache_t, tangd_unit_file_t, targetclid_unit_file_t, targetclid_var_run_t, targetd_unit_file_t, telnetd_var_run_t, textrel_shlib_t, tftpd_etc_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_var_run_t, thin_var_run_t, timemaster_unit_file_t, timemaster_var_run_t, tlp_unit_file_t, tlp_var_run_t, tmp_t, tmpfs_t, tomcat_unit_file_t, tomcat_var_run_t, tor_etc_t, tor_unit_file_t, tor_var_run_t, tuned_etc_t, tuned_rw_etc_t, tuned_var_run_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_switch_var_run_t, unlabeled_t, usbmuxd_unit_file_t, usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, userhelper_conf_t, usr_t, uucpd_lock_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_etc_t, varnishd_var_run_t, varnishlog_var_run_t, vdagent_var_run_t, vhostmd_var_run_t, virt_common_var_run_t, virt_etc_rw_t, virt_etc_t, virt_lock_t, virt_lxc_var_run_t, virt_qemu_ga_var_run_t, virt_var_lib_t, virt_var_run_t, virtd_unit_file_t, virtinterfaced_t, virtinterfaced_var_run_t, virtlogd_etc_t, virtlogd_unit_file_t, virtlogd_var_run_t, virtnetworkd_t, virtnetworkd_var_run_t, virtnodedevd_lock_t, virtnodedevd_t, virtnodedevd_var_run_t, virtnwfilterd_t, virtnwfilterd_var_run_t, virtproxyd_t, virtproxyd_var_run_t, virtqemud_lock_t, virtqemud_t, virtqemud_var_run_t, virtsecretd_t, virtsecretd_var_run_t, virtstoraged_t, virtstoraged_var_run_t, virtvboxd_t, virtvboxd_var_run_t, virtvzd_t, virtvzd_var_run_t, virtxend_t, virtxend_var_run_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_pid_t, vmware_sys_conf_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_var_run_t, wdmd_var_run_t, webalizer_etc_t, wicked_etc_rw_t, wicked_etc_t, wicked_unit_file_t, 
wicked_var_run_t, winbind_rpcd_var_run_t, winbind_var_run_t, wireguard_unit_file_t, xdm_etc_t, xdm_lock_t, xdm_rw_etc_t, xdm_unit_file_t, xdm_var_lib_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_run_t, xenstored_var_run_t, xserver_etc_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_conf_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_var_run_t, zarafa_deliver_var_run_t, zarafa_etc_t, zarafa_gateway_var_run_t, zarafa_ical_var_run_t, zarafa_indexer_var_run_t, zarafa_monitor_var_run_t, zarafa_server_var_run_t, zarafa_spooler_var_run_t, zebra_conf_t, zebra_unit_file_t, zebra_var_run_t, zoneminder_unit_file_t, zoneminder_var_run_t.
Then execute:
restorecon -v 'systemd'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that systemd should be allowed read access on the systemd lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:default_t:s0
Target Objects systemd [ lnk_file ]
Source systemd
Source Path systemd
Port <Unknown>
Host yoga
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-20240912-1.1.noarch
Local Policy RPM selinux-policy-targeted-20240912-1.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name yoga
Platform Linux yoga 6.10.11-1-default #1 SMP
PREEMPT_DYNAMIC Thu Sep 19 07:33:24 UTC 2024
(bd33620) x86_64 x86_64
Alert Count 23
First Seen 2024-09-25 12:42:37 CEST
Last Seen 2024-09-25 13:06:16 CEST
Local ID 6c6d9913-799e-400d-91cf-5f6b16afc497
Raw Audit Messages
type=AVC msg=audit(1727262376.371:5480): avc: denied { read } for pid=1 comm="systemd" name="systemd" dev="dm-0" ino=3232375 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
Hash: systemd,init_t,default_t,lnk_file,read
Enabling permissive mode lets it work (permissive mode only logs the denials instead of enforcing them, so this confirms the cause rather than fixing it). This seems to be SELinux related. Probably easier to debug further by installing Fedora, which has SELinux enabled by default.
The empty target is normal, it's just a synchronisation point.
I'm not very familiar with SELinux, and haven't tested system-manager with it. I'm happy to review patches to improve the interaction.
Yeah it being empty was a red herring and the actual issue is SELinux refusing SystemD from reading the files generated by system-manager. I also am not the best at SELinux, but i may look at this at some point soon if someone else doesn't get to it first.
From some experimentation, it seems the double indirection through /etc/.system-manager-static is causing the problems, as the labelling works correctly when the links point directly at the Nix store. /nix/store/* has file-context rules (if installed by Lix or nix-installers with their respective SELinux files), but there is none for /etc/.system-manager-static, so its contents end up with the catch-all default_t type (see the tcontext in the AVC above). systemd refuses that because it expects systemd_unit_file_t on unit files.
So the solution would likely be to generate this /etc/.system-manager-static as a /nix/store/...-system-manager-configs or just directly link each file as f.x. /nix/store/...
Any thoughts? @r-vdp
Never mind, it started showing up again even with this change... Back to the drawing board...
Could be a me problem. I seem to have some SELinux issues outside of just System Manager now. Gonna reinstall sometime soon to see if a clean environment shows the same problems.
The reason for this indirection is so that we can switch to a new generation atomically, so we cannot just remove it in any case. The point is to avoid needing to iterate over each (system-manager managed) file in etc when switching generations.
So this was partly my fault: `sudo /sbin/restorecon -r /nix/store` fixes a bunch of things that an autorelabel didn't, for reasons I do not understand. I do know it fixed most issues with binaries.
However, there is one change that needs to be made: move the path where we store service files in the Nix store to an FHS-style location (e.g. `lib/systemd/system`) so it gets labelled by the existing rules.
$ sudo /sbin/semanage fcontext -l | grep /nix/store
/nix/store/[^/]+/etc(/.*)? all files system_u:object_r:etc_t:s0
/nix/store/[^/]+/lib(/.*)? all files system_u:object_r:lib_t:s0
/nix/store/[^/]+/lib/systemd/system(/.*)? all files system_u:object_r:systemd_unit_file_t:s0
/nix/store/[^/]+/man(/.*)? all files system_u:object_r:man_t:s0
/nix/store/[^/]+/s?bin(/.*)? all files system_u:object_r:bin_t:s0
/nix/store/[^/]+/share(/.*)? all files system_u:object_r:usr_t:s0
Manual steps to make it work for me right now:
# Manually label the generated unit files so systemd (init_t) will load them.
# NOTE(review): chcon only rewrites the label on the file itself; it is not
# recorded as a policy rule, so a later restorecon/autorelabel (which applies
# the semanage fcontext rules listed above) will reset these paths to whatever
# those rules say. For a persistent fix use `semanage fcontext -a` followed by
# restorecon. The "..." stands for the store hash of the unit derivation.
sudo chcon -u system_u -r object_r -t systemd_unit_file_t /nix/store/...-unit-system-manager.target/system-manager.target
sudo chcon -u system_u -r object_r -t systemd_unit_file_t /nix/store/...-unit-system-manager-path.service/system-manager-path.service
This should probably also be done for things like activate as well.
Also I'm curious why something like linking to the path /nix/var/nix/profiles/system-manager-profiles/system-manager isn't used instead of adding a hidden directory in /etc/.system-manager-static?
I also need some help figuring out where system-manager.target is generated, so i could rewrite it to do this path instead inside /nix/store
The custom path in etc doesn't get labelled correctly and breaks.
$ ls -lhaZ /etc/.system-manager-static/systemd/system/system-manager-path.service
lrwxrwxrwx. 2 root root unconfined_u:object_r:default_t:s0 104 Jan 1 1970 /etc/.system-manager-static/systemd/system/system-manager-path.service -> /nix/store/...-unit-system-manager-path.service/system-manager-path.service
Linking to /nix/store/...-unit-system-manager-path.service/system-manager-path.service directly works given the above chcon command.
Gonna have to think if we should add our own selinux policy here just to get this linking to work. But it still requires the corrected paths inside /nix/store as well.
So after some more testing, I have found out that there are some fundamentals in SELinux I do not understand. We'd need a way to add SELinux support to Nix so it labels the files correctly when it generates them. This seems basically dead in the water already, but I have opened an issue here https://git.lix.systems/lix-project/lix/issues/546 to see if Lix would be interested in this support.
However, what makes things extra complicated is that most services has their own custom type, for example:
/usr/lib/systemd/system/wg-quick@\.service regular file system_u:object_r:wireguard_unit_file_t:s0
How we would encode this correctly I'm not sure. We might ship our own SELinux labels based on e.g. Fedora's, but modified to target /nix/store/[^/]+/lib/systemd/system/wg-quick@\.service instead. This could be fairly easy with a substitution stage s|/usr/lib/|/nix/store/[^/]+/|, but it would be generally hacky. I am also unsure how we should manage installing and updating these. It is currently my best idea, though.
Even worse would be that the current SELinux labels would fight, i think there might be some overriding levels we could apply to override things, but I am already way deep into something I am not familiar with.
Hey @soupglasses. I'm unfamiliar with SELinux, but I know it has been researched for Nix already. Unfortunately, it looks like their conclusions were similar to yours. See https://github.com/NixOS/nix/pull/2670 for a thread to pull on.
Yeah. A hacky way to deal with this would be to do something like the following:
# Stop-gap: relabel the whole Nix store as root before every activation.
# restorecon only re-applies fcontext rules already registered with semanage
# (the store rules listed above, plus any added for *.target / *.service); it
# does not invent labels for paths no rule matches, so it only helps once such
# rules exist. It also walks the entire store on every switch, which is why it
# is not recommended for upstreaming.
system-manager.preActivationAssertions.ensureSELinuxLabels = {
enable = true;
script = ''
echo "Relabelling the Nix store..."
/sbin/restorecon -R /nix/store
echo "Done!"
'';
};
I however do not recommend upstreaming this hack, as relabelling the entire Nix store on every switch re-walks a lot of unchanged paths and is excessively slow.
And to avoid changing the NixOS utils.systemdutils.makeunit behaviour, we can also add 2 manual labels to let SELinux at least know about them.
# Persistent file-context rules: any *.target / *.service directly inside a
# store path gets systemd_unit_file_t. These rules are consulted by
# restorecon/setfiles (or an autorelabel), not applied automatically to files
# Nix creates later, so newly built store paths still need a restorecon (for
# example via the pre-activation hook above) before systemd will load them.
# NOTE(review): the pattern is deliberately broad — it matches every such file
# in every store path, not only system-manager's units; narrow it if that
# matters on your host.
semanage fcontext -a -t systemd_unit_file_t "/nix/store/[^/]+/[^/]+\.target"
semanage fcontext -a -t systemd_unit_file_t "/nix/store/[^/]+/[^/]+\.service"
Add more .unit_type as needed, but this is the minimal needed to get SELinux happy with system-manager.
There is still the question if this should be more explicitly documented somewhere. It's a real hack, but giving the power to each user to add these as they need can be helpful, and documenting at least how to get it functional outside of running permissive mode is some improvement.
I'd be up for hosting the documentation, even if its content is just: "here is the current state of the art / hack". Giving people breadcrumbs is better than nothing.
I'm trying to install it in fedora silverblue, by following the selinux bypass in #51 it makes it work.
Maybe a good approach would be to have a mdBook doc with notes for each distro that isn't fully supported yet?
I just got everything working on a Rocky Linux VM. This is what I did.
System Manager Notes
Things that need to be installed
dnf install vim git sudo policycoreutils-devel selinux-policy-devel
Installing Nix
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --determinate
Here's the SELinux policy file:
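# Write the local policy module source. The heredoc delimiter is quoted so the
# shell expands nothing inside it.
cat > ~/allow-system-manager.te << 'EOF'
module allow-system-manager 1.0;

require {
    type default_t;
    type tmpfs_t;
    type ifconfig_t;
    type init_t;
    class cap_userns net_admin;
    class lnk_file read;
    class file { execute execute_no_trans map open read };
}

#============= ifconfig_t ==============
# Not needed for loading unit files; presumably picked up from a separate
# denial by audit2allow. Drop these two rules if your audit log does not show
# them.
allow ifconfig_t self:cap_userns net_admin;
allow ifconfig_t tmpfs_t:lnk_file read;

#============= init_t ==============
# Lets systemd (PID 1, init_t) follow the /etc/.system-manager-static symlinks
# and read/map/execute the store files behind them, which carry the catch-all
# default_t label because no fcontext rule matches them.
# NOTE(review): this is a blanket grant. It covers EVERY default_t file on the
# host, not just system-manager's, and "execute" lets PID 1 run any such file.
# Prefer labelling the store paths (systemd_unit_file_t for units, bin_t for
# scripts) with semanage fcontext + restorecon and keep this module as a
# stop-gap; drop "execute execute_no_trans map" if your denials only show
# read/open on unit files. The former separate "file read" rule was redundant
# with this one and has been folded in.
allow init_t default_t:file { execute execute_no_trans map open read };
allow init_t default_t:lnk_file read;
EOF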
To rebuild and apply the policy:
# Rebuild the local policy module from its .te source and (re)install it.
# The removal step prints an error when the module is not installed yet; the
# remaining steps still run.
mod=allow-system-manager
semodule -r "$mod"
checkmodule -M -m -o ~/"$mod".mod ~/"$mod".te
semodule_package -o ~/"$mod".pp -m ~/"$mod".mod
semodule -i ~/"$mod".pp
Then fix the file contexts and restart:
# Re-apply file contexts to the unit files/links under /etc/systemd/system so
# they pick up the labels from the fcontext database, then make systemd
# re-read its unit files.
restorecon -R /etc/systemd/system/
systemctl daemon-reload
made a Nix package that is runnable on the VM and then you can deploy system-manager
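{pkgs, ...}:
# Builds a small SELinux policy module that lets systemd load the units
# system-manager links from /etc/.system-manager-static (those paths carry the
# catch-all default_t label) and returns a script that installs it.
#
# NOTE(review): the init_t rules below are a blanket grant over every default_t
# file on the host, including "execute" for PID 1. Treat this as a stop-gap;
# labelling the store paths via semanage fcontext + restorecon is the narrower
# fix.
let
  # Policy source. The two ifconfig_t rules are unrelated to unit loading and
  # presumably came from a separate audit2allow run; remove them if your audit
  # log does not show those denials. The former separate "file read" rule was
  # redundant with the combined file rule and has been folded in.
  policy-file = pkgs.writeText "allow-system-manager.te" ''
    module allow-system-manager 1.0;

    require {
      type default_t;
      type tmpfs_t;
      type ifconfig_t;
      type init_t;
      class cap_userns net_admin;
      class lnk_file read;
      class file { execute execute_no_trans map open read };
    }

    #============= ifconfig_t ==============
    allow ifconfig_t self:cap_userns net_admin;
    allow ifconfig_t tmpfs_t:lnk_file read;

    #============= init_t ==============
    # systemd following the symlinks and reading/mapping/executing the
    # default_t-labelled files behind them. Drop "execute execute_no_trans map"
    # if the denials you see are only read/open on unit files.
    allow init_t default_t:file { execute execute_no_trans map open read };
    allow init_t default_t:lnk_file read;
  '';

  # Compile and package the module at build time. The tools run on the build
  # host only, hence nativeBuildInputs.
  policy-package =
    pkgs.runCommand "allow-system-manager.pp" {
      nativeBuildInputs = [pkgs.policycoreutils pkgs.checkpolicy pkgs.semodule-utils];
    } ''
      checkmodule -M -m -o allow-system-manager.mod ${policy-file}
      semodule_package -o $out -m allow-system-manager.mod
    '';

  # Installer script. semodule/restorecon need root, so every step goes through
  # sudo; sudo itself is not in runtimeInputs and must already be on the
  # caller's PATH.
  install-selinux-policy = pkgs.writeShellApplication {
    name = "install-selinux-policy";
    runtimeInputs = [pkgs.libsemanage pkgs.policycoreutils];
    text = ''
      set -e
      # Remove a previously installed copy. "Not installed" is the expected
      # failure here, but other errors are hidden too; check `semodule -l` if
      # the install step misbehaves.
      sudo semodule -r allow-system-manager 2>/dev/null || true
      # Install the pre-built .pp straight from the Nix store.
      sudo semodule -i ${policy-package}
      # Re-apply file contexts to the unit links and make systemd re-read them.
      sudo restorecon -R /etc/systemd/system/
      sudo systemctl daemon-reload
      echo "SELinux policy installed"
    '';
  };
in
  install-selinux-policy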