SELinux: Unit system-manager.target not found #115

Open
soupglasses opened this issue Sep 25, 2024 · 15 comments
Labels
bug Something isn't working

Comments

@soupglasses
Contributor

soupglasses commented Sep 25, 2024

Describe the bug

Running on openSUSE Tumbleweed, running a minimal configuration, it errors on system-manager.target not found. Unsure if this is due to the minimal configuration, or openSUSE. Notably the target gets generated empty?

$ cat /etc/systemd/system/system-manager.target
[Unit]

$ 
systemConfigs.default = system-manager.lib.makeSystemConfig {
  modules = [
    ({...}: {
      config = {
        nixpkgs.hostPlatform = "x86_64-linux";
        system-manager.allowAnyDistro = true;
      };
    })
  ];
};

Full output:

$ sudo system-manager switch --flake .  
[2024-09-25T10:46:26Z INFO  system_manager::register] Trying flake URI: .#systemConfigs.yoga...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:26Z INFO  system_manager::register] Attribute .#systemConfigs.yoga not found in flake.
[2024-09-25T10:46:26Z INFO  system_manager::register] Trying flake URI: .#systemConfigs.default...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:26Z INFO  system_manager::register] Success, using .#systemConfigs.default
[2024-09-25T10:46:26Z INFO  system_manager::register] Building new system-manager generation...
[2024-09-25T10:46:26Z INFO  system_manager::register] Running nix build...
warning: Git tree '/home/sofie/.coturnix' is dirty
[2024-09-25T10:46:28Z INFO  system_manager::register] Built system-manager profile /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO  system_manager::register] Creating new generation from /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO  system_manager::register] Registering GC root...
[2024-09-25T10:46:28Z INFO  system_manager] Creating symlink: /nix/var/nix/gcroots/system-manager-current -> /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO  system_manager::register] Done
[2024-09-25T10:46:28Z INFO  system_manager::activate] Activating system-manager profile: /nix/store/snmir05zz4khpb5qsbqy8vap0vi7d8nw-system-manager
[2024-09-25T10:46:28Z INFO  system_manager::activate] Running pre-activation assertions...
All pre-activation assertions succeeded.
[2024-09-25T10:46:28Z INFO  system_manager::activate] Reading state info from /var/lib/system-manager/state/system-manager-state.json
[2024-09-25T10:46:28Z INFO  system_manager::activate] Activating etc files...
[2024-09-25T10:46:28Z INFO  system_manager::activate::etc_files] Reading etc file definitions...
[2024-09-25T10:46:28Z INFO  system_manager::activate::etc_files] Creating /etc entries in /etc
[2024-09-25T10:46:28Z INFO  system_manager] Creating symlink: /etc/.system-manager-static -> /nix/store/m6jy60pq7gvlbd5gdglcj12ijjig6kqp-etc-static-env
[2024-09-25T10:46:28Z INFO  system_manager::activate::etc_files] Done
[2024-09-25T10:46:28Z INFO  system_manager::activate] Activating tmp files...
[2024-09-25T10:46:28Z INFO  system_manager::activate] Activating systemd services...
[2024-09-25T10:46:28Z INFO  system_manager::activate::services] Reading new service definitions...
[2024-09-25T10:46:28Z INFO  system_manager::activate::services] Reloading the systemd daemon...
[2024-09-25T10:46:29Z ERROR system_manager::activate::services] Service system-manager.target: error starting, please consult the logs
[2024-09-25T10:46:29Z ERROR system_manager::activate::services] Unit system-manager.target not found.
[2024-09-25T10:46:29Z INFO  system_manager::activate::services] Done
[2024-09-25T10:46:29Z INFO  system_manager::activate] Writing state info into file: /var/lib/system-manager/state/system-manager-state.json
@soupglasses soupglasses added the bug Something isn't working label Sep 25, 2024
@soupglasses
Contributor Author

Could be related to SELinux.

SELinux is preventing systemd from read access on the lnk_file systemd.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow systemd to have read access on the systemd lnk_file
Then you need to change the label on systemd
Do
# semanage fcontext -a -t FILE_TYPE 'systemd'
where FILE_TYPE is one of the following: NetworkManager_dispatcher_console_var_run_t, NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_initrc_exec_t, NetworkManager_unit_file_t, NetworkManager_var_run_t, abrt_etc_t, abrt_unit_file_t, abrt_var_run_t, accountsd_unit_file_t, admin_home_t, afterburn_runtime_t, afterburn_unit_file_t, aiccu_etc_t, aiccu_var_run_t, alsa_etc_rw_t, alsa_lock_t, alsa_unit_file_t, alsa_var_run_t, amanda_unit_file_t, anaconda_unit_file_t, antivirus_conf_t, antivirus_unit_file_t, antivirus_var_run_t, apcupsd_lock_t, apcupsd_unit_file_t, apcupsd_var_run_t, apmd_lock_t, apmd_unit_file_t, apmd_var_run_t, arpwatch_unit_file_t, arpwatch_var_run_t, asterisk_etc_t, asterisk_var_run_t, audisp_var_run_t, auditd_unit_file_t, auditd_var_run_t, automount_lock_t, automount_unit_file_t, automount_var_run_t, avahi_conf_t, avahi_unit_file_t, avahi_var_run_t, bacula_var_run_t, bcfg2_unit_file_t, bcfg2_var_run_t, bin_t, bitlbee_conf_t, bitlbee_var_run_t, blkmapd_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_conf_t, bluetooth_lock_t, bluetooth_unit_file_t, bluetooth_var_run_t, boinc_unit_file_t, boltd_var_lib_t, boltd_var_run_t, boot_t, boothd_etc_t, boothd_unit_file_t, boothd_var_run_t, bootloader_etc_t, bootloader_var_run_t, bootupd_unit_file_t, bootupd_var_run_t, brltty_unit_file_t, brltty_var_run_t, cache_home_t, cachefilesd_var_run_t, callweaver_var_run_t, canna_var_run_t, cardmgr_var_run_t, ccs_var_run_t, cert_t, certmaster_var_run_t, certmonger_unit_file_t, certmonger_var_run_t, cgconfig_etc_t, cgred_var_run_t, cgroup_memory_pressure_t, cgroup_t, cgrules_etc_t, chronyd_unit_file_t, chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_scheduler_unit_file_t, cinder_var_run_t, cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, cluster_conf_t, cluster_unit_file_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cobbler_etc_t, collectd_unit_file_t, collectd_var_run_t, colord_unit_file_t, 
comsat_var_run_t, condor_conf_t, condor_unit_file_t, condor_var_lock_t, condor_var_run_t, config_home_t, conman_unit_file_t, conman_var_run_t, conntrackd_conf_t, conntrackd_unit_file_t, conntrackd_var_lock_t, conntrackd_var_run_t, consolekit_unit_file_t, consolekit_var_run_t, container_config_t, container_file_t, container_kvm_var_run_t, container_lock_t, container_plugin_var_run_t, container_ro_file_t, container_runtime_tmpfs_t, container_unit_file_t, container_var_lib_t, container_var_run_t, coreos_boot_mount_generator_unit_file_t, coreos_installer_unit_file_t, coreos_installer_var_run_t, couchdb_conf_t, couchdb_unit_file_t, couchdb_var_run_t, courier_etc_t, courier_var_run_t, cpucontrol_conf_t, cpuplug_lock_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_etc_t, cupsd_lock_t, cupsd_lpd_var_run_t, cupsd_rw_etc_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_var_run_t, cyrus_var_run_t, data_home_t, dbskkd_var_run_t, dbus_home_t, dbusd_etc_t, dbusd_unit_file_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_etc_t, ddclient_var_run_t, deltacloudd_var_run_t, denyhosts_var_lock_t, device_t, devicekit_var_run_t, devlog_t, dhcp_etc_t, dhcpc_var_run_t, dhcpd_unit_file_t, dhcpd_var_run_t, dictd_etc_t, dictd_var_run_t, dirsrv_snmp_var_run_t, dirsrv_unit_file_t, dirsrv_var_lock_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_run_t, dnsmasq_etc_t, dnsmasq_unit_file_t, dnsmasq_var_run_t, dnssec_trigger_unit_file_t, dnssec_trigger_var_run_t, dovecot_etc_t, dovecot_var_run_t, drbd_lock_t, drbd_var_run_t, dspam_var_run_t, entropyd_var_run_t, etc_aliases_t, etc_mail_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_run_t, exim_var_run_t, exports_t, fail2ban_var_run_t, fcoemon_var_run_t, fdo_conf_rw_t, fdo_conf_t, fdo_unit_file_t, fenced_lock_t, fenced_var_run_t, fetchmail_etc_t, fetchmail_var_run_t, 
file_context_t, fingerd_etc_t, fingerd_var_run_t, firewalld_etc_rw_t, firewalld_unit_file_t, firewalld_var_run_t, firstboot_etc_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_etc_t, ftpd_lock_t, ftpd_unit_file_t, ftpd_var_run_t, fwupd_unit_file_t, games_srv_var_run_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, gdomap_var_run_t, getty_etc_t, getty_lock_t, getty_unit_file_t, getty_var_run_t, gfs_controld_var_run_t, gkeyringd_gnome_home_t, glance_api_unit_file_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_var_run_t, glusterd_var_run_t, gnome_home_t, gnome_initial_setup_var_run_t, gpm_conf_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, gstreamer_home_t, haproxy_unit_file_t, haproxy_var_run_t, hddtemp_etc_t, home_root_t, hostapd_unit_file_t, hostapd_var_run_t, hostname_etc_t, hsqldb_unit_file_t, httpd_config_t, httpd_lock_t, httpd_unit_file_t, httpd_var_run_t, hwloc_dhwd_unit_t, hwloc_var_run_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, ibacm_conf_t, ibacm_var_run_t, icc_data_home_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_var_run_t, init_tmp_t, init_var_lib_t, init_var_run_t, initrc_var_run_t, innd_etc_t, innd_unit_file_t, innd_var_run_t, insights_client_etc_rw_t, insights_client_etc_t, insights_client_unit_file_t, insights_client_var_lock_t, insights_client_var_run_t, install_var_run_t, iodined_unit_file_t, ipmievd_lock_t, ipmievd_unit_file_t, ipmievd_var_run_t, ipsec_mgmt_lock_t, ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_lock_t, iptables_unit_file_t, iptables_var_lib_t, iptables_var_run_t, irc_conf_t, irqbalance_var_run_t, irssi_etc_t, iscsi_lock_t, iscsi_unit_file_t, iscsi_var_run_t, 
isnsd_var_run_t, iwhd_var_run_t, jetty_unit_file_t, jetty_var_run_t, kadmind_var_run_t, kanidm_conf_t, kanidm_unixd_var_cache_t, kanidm_unixd_var_run_t, kdump_dep_unit_file_t, kdump_etc_t, kdump_lock_t, kdump_unit_file_t, keepalived_unit_file_t, keepalived_var_run_t, keystone_unit_file_t, keystone_var_run_t, kismet_var_run_t, klogd_var_run_t, kmod_var_run_t, krb5_conf_t, krb5kdc_conf_t, krb5kdc_lock_t, krb5kdc_var_run_t, ksm_unit_file_t, ksmtuned_unit_file_t, ksmtuned_var_run_t, ktalkd_unit_file_t, kubernetes_file_t, l2tp_conf_t, l2tpd_var_run_t, ld_so_t, lib_t, likewise_etc_t, likewise_pstore_lock_t, lircd_etc_t, lircd_var_run_t, lldpad_var_run_t, local_login_lock_t, locale_t, locate_var_run_t, lockdev_lock_t, logrotate_lock_t, logwatch_lock_t, logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, lsmd_var_run_t, lttng_sessiond_unit_file_t, lttng_sessiond_var_run_t, lvm_etc_t, lvm_lock_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, machineid_t, mail_spool_t, mailman_lock_t, mailman_var_run_t, man_cache_t, man_t, mandb_lock_t, mcelog_etc_t, mcelog_var_run_t, mdadm_conf_t, mdadm_unit_file_t, mdadm_var_run_t, memcached_var_run_t, minidlna_conf_t, minidlna_var_run_t, minissdpd_conf_t, minissdpd_var_run_t, mnt_t, mock_etc_t, mock_var_run_t, modemmanager_unit_file_t, modules_conf_t, modules_object_t, mon_statd_var_run_t, mongod_unit_file_t, mongod_var_run_t, motion_unit_file_t, motion_var_run_t, mount_var_run_t, mozilla_conf_t, mpd_etc_t, mpd_var_run_t, mplayer_etc_t, mptcpd_etc_t, mrtg_etc_t, mrtg_lock_t, mrtg_var_run_t, mscan_etc_t, mscan_var_run_t, munin_etc_t, munin_var_run_t, mysqld_etc_t, mysqld_unit_file_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, nagios_etc_t, nagios_var_run_t, named_conf_t, named_unit_file_t, named_var_run_t, net_conf_t, netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, 
nmbd_var_run_t, nova_unit_file_t, nova_var_run_t, nrpe_etc_t, nrpe_var_run_t, nscd_unit_file_t, nscd_var_run_t, nsd_var_run_t, nslcd_conf_t, nslcd_var_run_t, ntop_etc_t, ntop_var_run_t, ntp_conf_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, numad_var_run_t, nut_conf_t, nut_unit_file_t, nut_var_run_t, nvme_stas_unit_file_t, nvme_stas_var_run_t, nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, opafm_var_run_t, openct_var_run_t, opendnssec_conf_t, opendnssec_unit_file_t, opendnssec_var_run_t, openhpid_var_run_t, openshift_var_run_t, opensm_unit_file_t, openvpn_etc_rw_t, openvpn_etc_t, openvpn_var_run_t, openvswitch_rw_t, openvswitch_unit_file_t, openvswitch_var_run_t, openwsman_run_t, openwsman_unit_file_t, oracleasm_conf_t, osad_var_run_t, packagekit_unit_file_t, pads_config_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_var_run_t, pcp_var_run_t, pcscd_var_run_t, pdns_conf_t, pdns_unit_file_t, pdns_var_run_t, pegasus_conf_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, pingd_etc_t, pkcs_slotd_lock_t, pkcs_slotd_unit_file_t, pkcs_slotd_var_run_t, pki_ra_lock_t, pki_ra_var_run_t, pki_tomcat_lock_t, pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_lock_t, pki_tps_var_run_t, plymouthd_var_run_t, policykit_var_run_t, polipo_etc_t, polipo_pid_t, polipo_unit_file_t, portmap_var_run_t, portreserve_etc_t, portreserve_var_run_t, postfix_etc_t, postfix_var_run_t, postgresql_etc_t, postgresql_lock_t, postgresql_unit_file_t, postgresql_var_run_t, postgrey_etc_t, postgrey_var_run_t, power_unit_file_t, pppd_etc_t, pppd_lock_t, pppd_unit_file_t, pppd_var_run_t, pptp_var_run_t, prelude_audisp_var_run_t, prelude_correlator_config_t, prelude_lml_var_run_t, prelude_var_run_t, print_spool_t, printconf_t, privoxy_var_run_t, proc_t, prosody_unit_file_t, prosody_var_run_t, psad_etc_t, psad_var_run_t, ptal_etc_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, puppet_etc_t, 
puppet_var_run_t, pwauth_var_run_t, pyicqt_var_run_t, qatlib_conf_t, qatlib_unit_file_t, qatlib_var_run_t, qdiskd_var_run_t, qemu_var_run_t, qmail_etc_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_conf_t, rabbitmq_unit_file_t, rabbitmq_var_lock_t, rabbitmq_var_run_t, radiusd_etc_t, radiusd_unit_file_t, radiusd_var_run_t, radvd_etc_t, radvd_var_run_t, rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, redis_conf_t, redis_unit_file_t, redis_var_run_t, regex_milter_data_t, restorecond_var_run_t, rhcd_unit_file_t, rhcd_var_run_t, rhev_agentd_unit_file_t, rhev_agentd_var_run_t, rhnsd_conf_t, rhnsd_unit_file_t, rhnsd_var_run_t, rhsmcertd_config_t, rhsmcertd_lock_t, rhsmcertd_var_run_t, ricci_modcluster_var_run_t, ricci_modstorage_lock_t, ricci_var_run_t, rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, root_t, roundup_var_run_t, rpcbind_unit_file_t, rpcbind_var_run_t, rpcd_lock_t, rpcd_unit_file_t, rpcd_var_run_t, rpm_script_tmp_t, rpm_var_cache_t, rpm_var_lib_t, rpm_var_run_t, rrdcached_var_run_t, rshim_unit_file_t, rsync_etc_t, rsync_var_run_t, rtas_errd_unit_file_t, rtas_errd_var_lock_t, rtas_errd_var_run_t, samba_etc_t, samba_unit_file_t, sanlk_resetd_unit_file_t, sanlock_conf_t, sanlock_unit_file_t, sanlock_var_run_t, saslauthd_var_run_t, sbd_unit_file_t, sbd_var_run_t, sblim_var_run_t, screen_var_run_t, security_t, selinux_autorelabel_generator_unit_file_t, selinux_config_t, selinux_login_config_t, semanage_read_lock_t, semanage_store_t, semanage_trans_lock_t, sendmail_var_run_t, sensord_unit_file_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_run_t, shell_exec_t, shorewall_etc_t, shorewall_lock_t, slapd_etc_t, slapd_lock_t, slapd_unit_file_t, slapd_var_run_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, snapperd_conf_t, snmpd_var_run_t, snort_etc_t, snort_var_run_t, sosreport_var_run_t, soundd_etc_t, soundd_var_run_t, spamass_milter_data_t, spamd_etc_t, spamd_unit_file_t, spamd_update_unit_file_t, spamd_var_run_t, 
spc_var_run_t, speech_dispatcher_unit_file_t, squid_conf_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sshd_var_run_t, sslh_config_t, sslh_unit_file_t, sslh_var_run_t, sssd_conf_t, sssd_public_t, sssd_unit_file_t, sssd_var_lib_t, sssd_var_run_t, stalld_unit_file_t, stalld_var_run_t, stapserver_var_run_t, stratisd_data_t, stratisd_var_run_t, stunnel_etc_t, stunnel_var_run_t, svc_conf_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, svnserve_unit_file_t, svnserve_var_run_t, swat_var_run_t, swift_lock_t, swift_unit_file_t, swift_var_run_t, sysfs_t, syslog_conf_t, syslogd_unit_file_t, syslogd_var_run_t, sysstat_var_run_t, system_conf_t, system_cronjob_lock_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, systemd_bless_boot_generator_unit_file_t, systemd_bootchart_unit_file_t, systemd_bootchart_var_run_t, systemd_btrfs_soft_reboot_generator_unit_file_t, systemd_conf_t, systemd_cryptsetup_generator_unit_file_t, systemd_debug_generator_unit_file_t, systemd_fstab_generator_unit_file_t, systemd_generic_generator_unit_file_t, systemd_getty_generator_unit_file_t, systemd_gpt_generator_unit_file_t, systemd_growpart_generator_unit_file_t, systemd_home_t, systemd_hwdb_etc_t, systemd_hwdb_unit_file_t, systemd_ibft_rule_generator_unit_file_t, systemd_importd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_machined_unit_file_t, systemd_machined_var_run_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_networkd_var_run_t, systemd_nsresourced_runtime_t, systemd_passwd_var_run_t, systemd_rc_local_generator_unit_file_t, systemd_resolved_unit_file_t, systemd_resolved_var_run_t, systemd_rfkill_unit_file_t, systemd_runtime_unit_file_t, systemd_socket_proxyd_unit_file_t, systemd_ssh_generator_unit_file_t, systemd_status_mail_generator_unit_file_t, systemd_sysv_generator_unit_file_t, systemd_timedated_unit_file_t, 
systemd_timedated_var_lib_t, systemd_timedated_var_run_t, systemd_tpm2_generator_unit_file_t, systemd_udev_trigger_generator_unit_file_t, systemd_unit_file_t, systemd_userdbd_runtime_t, systemd_userdbd_unit_file_t, systemd_vconsole_unit_file_t, systemd_zram_generator_unit_file_t, tangd_cache_t, tangd_unit_file_t, targetclid_unit_file_t, targetclid_var_run_t, targetd_unit_file_t, telnetd_var_run_t, textrel_shlib_t, tftpd_etc_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_var_run_t, thin_var_run_t, timemaster_unit_file_t, timemaster_var_run_t, tlp_unit_file_t, tlp_var_run_t, tmp_t, tmpfs_t, tomcat_unit_file_t, tomcat_var_run_t, tor_etc_t, tor_unit_file_t, tor_var_run_t, tuned_etc_t, tuned_rw_etc_t, tuned_var_run_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_switch_var_run_t, unlabeled_t, usbmuxd_unit_file_t, usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, userhelper_conf_t, usr_t, uucpd_lock_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_etc_t, varnishd_var_run_t, varnishlog_var_run_t, vdagent_var_run_t, vhostmd_var_run_t, virt_common_var_run_t, virt_etc_rw_t, virt_etc_t, virt_lock_t, virt_lxc_var_run_t, virt_qemu_ga_var_run_t, virt_var_lib_t, virt_var_run_t, virtd_unit_file_t, virtinterfaced_t, virtinterfaced_var_run_t, virtlogd_etc_t, virtlogd_unit_file_t, virtlogd_var_run_t, virtnetworkd_t, virtnetworkd_var_run_t, virtnodedevd_lock_t, virtnodedevd_t, virtnodedevd_var_run_t, virtnwfilterd_t, virtnwfilterd_var_run_t, virtproxyd_t, virtproxyd_var_run_t, virtqemud_lock_t, virtqemud_t, virtqemud_var_run_t, virtsecretd_t, virtsecretd_var_run_t, virtstoraged_t, virtstoraged_var_run_t, virtvboxd_t, virtvboxd_var_run_t, virtvzd_t, virtvzd_var_run_t, virtxend_t, virtxend_var_run_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_pid_t, vmware_sys_conf_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_var_run_t, wdmd_var_run_t, webalizer_etc_t, wicked_etc_rw_t, wicked_etc_t, wicked_unit_file_t, 
wicked_var_run_t, winbind_rpcd_var_run_t, winbind_var_run_t, wireguard_unit_file_t, xdm_etc_t, xdm_lock_t, xdm_rw_etc_t, xdm_unit_file_t, xdm_var_lib_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_run_t, xenstored_var_run_t, xserver_etc_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_conf_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_var_run_t, zarafa_deliver_var_run_t, zarafa_etc_t, zarafa_gateway_var_run_t, zarafa_ical_var_run_t, zarafa_indexer_var_run_t, zarafa_monitor_var_run_t, zarafa_server_var_run_t, zarafa_spooler_var_run_t, zebra_conf_t, zebra_unit_file_t, zebra_var_run_t, zoneminder_unit_file_t, zoneminder_var_run_t.
Then execute:
restorecon -v 'systemd'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that systemd should be allowed read access on the systemd lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                systemd [ lnk_file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          yoga
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-20240912-1.1.noarch
Local Policy RPM              selinux-policy-targeted-20240912-1.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     yoga
Platform                      Linux yoga 6.10.11-1-default #1 SMP
                              PREEMPT_DYNAMIC Thu Sep 19 07:33:24 UTC 2024
                              (bd33620) x86_64 x86_64
Alert Count                   23
First Seen                    2024-09-25 12:42:37 CEST
Last Seen                     2024-09-25 13:06:16 CEST
Local ID                      6c6d9913-799e-400d-91cf-5f6b16afc497

Raw Audit Messages
type=AVC msg=audit(1727262376.371:5480): avc:  denied  { read } for  pid=1 comm="systemd" name="systemd" dev="dm-0" ino=3232375 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0


Hash: systemd,init_t,default_t,lnk_file,read
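The raw audit record above is the one piece of the sealert report that pins the failure down: the source domain is init_t (systemd, pid 1), the target type is default_t (a path no file_contexts rule covered), the class is lnk_file and the denied permission is read. The following parser is an added example, not code from system-manager or from setroubleshoot; it extracts those fields from `type=AVC` records and groups the denials, and flags targets labelled default_t or unlabeled_t as labelling problems. The sample records are constructed: the first is the denial from this issue, the others are made up in the same format.

```python
"""Parse raw SELinux AVC records (the `type=AVC ...` lines that sealert and
`ausearch --raw` print) and summarise the denials.

Added example, not code from system-manager. The sample below is constructed:
the first record is the denial shown in this issue, the others are made up in
the same format so that grouping has something to do."""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_AUDIT = """\
type=AVC msg=audit(1727262376.371:5480): avc:  denied  { read } for  pid=1 comm="systemd" name="systemd" dev="dm-0" ino=3232375 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1727262380.112:5481): avc:  denied  { read } for  pid=1 comm="systemd" name="system-manager.target" dev="dm-0" ino=3232380 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1727262376.371:5480): arch=c000003e syscall=257 success=no exit=-13 comm="systemd"
type=AVC msg=audit(1727262390.500:5490): avc:  denied  { open } for  pid=1 comm="systemd" name="foo.service" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp:serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}(?P<rest>.*)$"
)
# key=value pairs in the remainder; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


@dataclass
class AvcEvent:
    ts: float
    serial: int
    verdict: str
    perms: tuple
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return context_type(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def enforced(self) -> bool:
        # permissive=0 means the denial actually blocked the access.
        return self.fields.get("permissive") == "0"


def parse_avc(line: str):
    """Return an AvcEvent for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(float(m.group("ts")), int(m.group("serial")),
                    m.group("verdict"), tuple(m.group("perms").split()), fields)


def summarise_denials(text: str) -> Counter:
    """Count denials by (source type, target type, class, permission, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.verdict != "denied":
            continue
        for perm in ev.perms:
            counts[(ev.source_type, ev.target_type, ev.tclass, perm, ev.enforced)] += 1
    return counts


def unlabelled_targets(text: str) -> set:
    """Names of denied objects typed default_t or unlabeled_t, i.e. objects no
    file_contexts rule covered. These call for a labelling fix rather than an
    audit2allow module, which would grant init_t access to every default_t file."""
    names = set()
    for line in text.splitlines():
        ev = parse_avc(line)
        if ev and ev.verdict == "denied" and ev.target_type in ("default_t", "unlabeled_t"):
            names.add(ev.fields.get("name", "?"))
    return names


if __name__ == "__main__":
    for key, n in sorted(summarise_denials(SAMPLE_AUDIT).items()):
        print(n, key)
    print("unlabelled:", sorted(unlabelled_targets(SAMPLE_AUDIT)))
```

Feeding it `ausearch -m AVC --raw` output distinguishes the two cases the sealert report conflates: a default_t target (a labelling gap, fixed with fcontext rules and restorecon) versus a properly typed target that policy simply does not allow (the only case where a local policy module is the right tool).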

@soupglasses
Contributor Author

soupglasses commented Sep 25, 2024

Enabling permissive mode lets it work. This seems to be SELinux related. Probably easier to debug further by installing Fedora which has SELinux by default.

@soupglasses soupglasses changed the title ERROR: Unit system-manager.target not found on openSUSE Tumbleweed. SELinux: Unit system-manager.target not found Sep 25, 2024
@r-vdp
Member

r-vdp commented Sep 25, 2024

The empty target is normal, it's just a synchronisation point.

I'm not very familiar with selinux, and haven't tested system-manager with it. I'm happy to review patches to improve the interaction.

@soupglasses
Contributor Author

soupglasses commented Sep 25, 2024

Yeah it being empty was a red herring and the actual issue is SELinux refusing SystemD from reading the files generated by system-manager. I also am not the best at SELinux, but I may look at this at some point soon if someone else doesn't get to it first.

@soupglasses
Contributor Author

soupglasses commented Oct 10, 2024

From some experimentation, it seems the double indirection through /etc/.system-manager-static is causing the problems. As the labelling seems to work correctly when directly targeted at the nix store. As the /nix/store/* has a rule (if installed by lix or nix-installers and their respective selinux files). But there is none for /etc/.system-manager-static, so it's completely untyped in the sense of SELinux, making SystemD mad (since it expects the systemd_unit_file_t type due to default configuration).

So the solution would likely be to generate this /etc/.system-manager-static as a /nix/store/...-system-manager-configs or just directly link each file as f.x. /nix/store/...

Any thoughts? @r-vdp

@soupglasses
Contributor Author

Never mind, it started showing up again even with this change... Back to the drawing board...

@soupglasses
Contributor Author

Could be a me problem. I seem to have some SELinux issues outside of just System Manager now. Gonna reinstall sometime soon to see if a clean environment shows the same problems.

@r-vdp
Member

r-vdp commented Oct 10, 2024

The reason for this indirection is so that we can switch to a new generation atomically, so we cannot just remove it in any case.
The point is to avoid needing to iterate over each (system-manager managed) file in etc when switching generations.

@soupglasses
Contributor Author

So this was partly my fault, sudo /sbin/restorecon -r /nix/store fixes a bunch of things that an autorelabel didn't for reasons I do not understand. I do know it fixed most issues with binaries.

However, there is one change needed to be done, and that would be to move the path where we store service files in the nix store to a FHS location so it will properly get labelled.

$ sudo /sbin/semanage fcontext -l | grep /nix/store
/nix/store/[^/]+/etc(/.*)?                         all files          system_u:object_r:etc_t:s0 
/nix/store/[^/]+/lib(/.*)?                         all files          system_u:object_r:lib_t:s0 
/nix/store/[^/]+/lib/systemd/system(/.*)?          all files          system_u:object_r:systemd_unit_file_t:s0 
/nix/store/[^/]+/man(/.*)?                         all files          system_u:object_r:man_t:s0 
/nix/store/[^/]+/s?bin(/.*)?                       all files          system_u:object_r:bin_t:s0 
/nix/store/[^/]+/share(/.*)?                       all files          system_u:object_r:usr_t:s0 

Manual steps to make it work for me right now:

sudo chcon -u system_u -r object_r -t systemd_unit_file_t /nix/store/...-unit-system-manager.target/system-manager.target
sudo chcon -u system_u -r object_r -t systemd_unit_file_t /nix/store/...-unit-system-manager-path.service/system-manager-path.service

This should probably also be done for things like activate as well.

@soupglasses
Contributor Author

Also I'm curious why something like linking to the path /nix/var/nix/profiles/system-manager-profiles/system-manager isn't used instead of adding a hidden file in /etc/.system-manager-static?

I also need some help figuring out where system-manager.target is generated, so I could rewrite it to do this path instead inside /nix/store

@soupglasses
Contributor Author

The custom path in etc doesn't get labelled correctly and breaks.

$ ls -lhaZ /etc/.system-manager-static/systemd/system/system-manager-path.service 
lrwxrwxrwx. 2 root root unconfined_u:object_r:default_t:s0 104 Jan  1  1970 /etc/.system-manager-static/systemd/system/system-manager-path.service -> /nix/store/...-unit-system-manager-path.service/system-manager-path.service

Linking to /nix/store/...-unit-system-manager-path.service/system-manager-path.service directly works given the above chcon command.

Gonna have to think if we should add our own selinux policy here just to get this linking to work. But it still requires the corrected paths inside /nix/store as well.

@soupglasses
Contributor Author

So after some more testing, I have found out that there are some fundamentals in SELinux I do not understand. We'd need a way to add SELinux support to Nix to label the files correctly when it generates them. This seems basically out of the water already but I have opened an issue here https://git.lix.systems/lix-project/lix/issues/546 to see if Lix would be interested in this support.

However, what makes things extra complicated is that most services have their own custom type, for example:

/usr/lib/systemd/system/wg-quick@\.service         regular file       system_u:object_r:wireguard_unit_file_t:s0 

How we will encode this correctly I'm not sure. We might ship our own SELinux labels based upon f.x. Fedora's, but modify them to target instead /nix/store/[^/]+/lib/systemd/system/wg-quick@\.service. This could be rather easy with a substitution stage s|/usr/lib/|/nix/store/[^/]+/|. But it would be generally hacky. I am also unsure how we should manage installing and updating these. But it is currently my best idea.

Even worse would be that the current SELinux labels would fight, I think there might be some overriding levels we could apply to override things, but I am already way deep into something I am not familiar with.

@zimbatm
Member

zimbatm commented Oct 16, 2024

Hey @soupglasses. I'm unfamiliar with SELinux, but I know it has been researched for Nix already. Unfortunately, it looks like their conclusions were similar to yours. See NixOS/nix#2670 for a thread to pull on.

@soupglasses
Contributor Author

soupglasses commented Oct 16, 2024

Yeah. A hacky way to deal with this would be to do something like the following:

system-manager.preActivationAssertions.ensureSELinuxLabels = {
  enable = true;
  script = ''
    echo "Relabelling the Nix store..."
    /sbin/restorecon -R /nix/store
    echo "Done!"
  '';
};

I however do not recommend this hack to be upstreamed, as relabeling the entire nix store is likely gonna retread a lot of ground and be excessively slow.

And to avoid changing the NixOS utils.systemdutils.makeunit behaviour, we can also add 2 manual labels to let SELinux at least know about them.

semanage fcontext -a -t systemd_unit_file_t "/nix/store/[^/]+/[^/]+\.target"
semanage fcontext -a -t systemd_unit_file_t "/nix/store/[^/]+/[^/]+\.service"

Add more .unit_type as needed, but this is the minimal needed to get SELinux happy with system-manager.

There is still the question if this should be more explicitly documented somewhere. It's a real hack, but giving the power to each user to add these as they need can be helpful, and documenting at least how to get it functional outside of running permissive mode is some improvement.

@zimbatm
Member

zimbatm commented Oct 16, 2024

I'd be up for hosting the documentation, even if its content is just: "here is the current state of the art / hack". Giving people breadcrumbs is better than nothing.
