Systemd-homed has permission issues

Trying to use homectl on Fedora (both Workstation 35 and Silverblue 36) seems to have Access denied issues. I was able to start systemd-homed via sudo systemctl enable systemd-homed and restarting my computer/VM. However, when I go to create a new user (sudo homectl create user2), I run into the following issue:

$ systemctl status systemd-homed
● systemd-homed.service - Home Area Manager
     Loaded: loaded (/usr/lib/systemd/system/systemd-homed.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-05-03 22:07:01 EDT; 36s ago
       Docs: man:systemd-homed.service(8)
             man:org.freedesktop.home1(5)
   Main PID: 18985 (systemd-homed)
      Tasks: 1 (limit: 3436)
     Memory: 2.4M
        CPU: 190ms
     CGroup: /system.slice/systemd-homed.service
             └─18985 /usr/lib/systemd/systemd-homed

May 03 22:07:01 fedora systemd-homed[18985]: Successfully loaded private key pair.
May 03 22:07:34 fedora systemd-homed[18985]: Failed to stat /var/mail/, ignoring: Permission denied
May 03 22:07:34 fedora systemd-homed[18985]: user2: changing state absent → creating
May 03 22:07:34 fedora systemd-homework[27482]: Using automatic default storage of 'luks'.
May 03 22:07:34 fedora systemd-homework[27482]: Sizing home to 85% of available disk space, which is 9.9G.
May 03 22:07:34 fedora systemd-homework[27482]: Failed to create home image /home/.#homeworkuser2.home4068b54760dc6464: Permission denied
May 03 22:07:34 fedora systemd-homed[18985]: Operation on user2 failed: Permission denied

I thought this may be an issue with the systemd-homed.service file, but I didn’t see anything about ProtectHome=true, but perhaps it’s something else with the default systemd-homed.service config?

$ cat /usr/lib/systemd/system/systemd-homed.service
#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Home Area Manager
Documentation=man:systemd-homed.service(8)
Documentation=man:org.freedesktop.home1(5)

After=home.mount

[Service]
BusName=org.freedesktop.home1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
DeviceAllow=/dev/loop-control rw
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-* rw
DeviceAllow=char-hidraw rw
ExecStart=/usr/lib/systemd/systemd-homed
IPAddressDeny=any
KillMode=mixed
LimitNOFILE=524288
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
RestrictNamespaces=mnt
RestrictRealtime=yes
StateDirectory=systemd/home
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @mount


[Install]
WantedBy=multi-user.target
Alias=dbus-org.freedesktop.home1.service
Also=systemd-homed-activate.service systemd-userdbd.service

2 Likes

On Fedora, SELinux blocks systemd-homed by default. You’ll need to write new SELinux rules, or disable it entirely.

I’ve tried to get homed working as well, but got stuck trying to make it work with PAM and GDM. Since very few things support it yet, I’ve given up, but do let me know if you get it working.

1 Like

Thanks for the hint! Do you know of any guides for what SELinux rules to write? I don’t really want to disable it.

Otherwise, I can trial and error it.

Just as an update, I messed around with homed in a Fedora 36 VM and used the SELinux Troubleshooter to generate a policy to allow homed to run:

# ausearch -c 'systemd-homewor' --raw | audit2allow -M my-systemdhomewor
# semodule -X 300 -i my-systemdhomewor.pp

However, it is still having issues getting access to /home

you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
# /sbin/restorecon -v /home/.#homeworktest.home2cd9aebe405a05b1

Seems like I just have to keep updating the policy as issues come up. Will give an update when I can get this to work.

To update, it seems that to get this working one has to:

  1. Run SELinux in permissive mode /etc/selinux/config

  2. Make a user with homed

  3. Make PAM edits

  4. Make sure you can login via su $USERNAME

  5. Use the SELinux Troubleshooter to make edits to the SELinux policy.

  6. Re-enable SELinux

Although it doesn’t seem like you can log in as the homed user via Gnome. But I still have to take a closer look at that.

1 Like
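The ausearch | audit2allow pipeline used in this thread turns AVC denial records into allow rules mechanically, which is why the policy keeps needing updates as new denials appear. The following added example (written for this thread, not code from systemd, Fedora or the selinux-policy project) shows what that derivation actually does: it parses constructed AVC records for the systemd-homework worker, groups the denied permissions by (source type, target type, class), and renders a .te module in the same shape audit2allow -M produces. The audit records and the type names in them (systemd_homed_t in particular) are constructed for illustration and are not taken from a real Fedora policy or audit log. It also lets you turn selected denials into dontaudit rules instead of allow rules, since the "Failed to stat /var/mail/, ignoring" line in the original log shows homed tolerates that denial, so silencing it is enough and granting it is unnecessary.

```python
import re
from collections import defaultdict

# Constructed sample audit records for illustration only. The type names
# (systemd_homed_t, home_root_t, mail_spool_t) and file names are assumptions,
# not output captured from a Fedora system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1651630054.123:456): avc:  denied  { write } for  pid=27482 comm="systemd-homewor" name="home" dev="dm-0" ino=1234 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651630054.124:457): avc:  denied  { add_name } for  pid=27482 comm="systemd-homewor" name=".#homeworkuser2.home" scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651630054.125:458): avc:  denied  { create } for  pid=27482 comm="systemd-homewor" name=".#homeworkuser2.home" scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651630054.200:459): avc:  denied  { getattr } for  pid=18985 comm="systemd-homed" path="/var/mail" dev="dm-0" ino=99 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1651630054.200:459): arch=c000003e syscall=262 success=no exit=-13
"""

# Matches the parts of an AVC record that a policy rule is built from:
# the denied permission set, the source/target security contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the rule-relevant fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; only the type takes part in allow rules.
    return {
        "perms": set(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_te(rules, module="my-systemdhomewor", dontaudit_targets=frozenset()):
    """Render a .te policy module; denials on dontaudit_targets are silenced, not granted."""
    out = [f"module {module} 1.0;", "", "require {"]
    for t in sorted({t for key in rules for t in key[:2]}):
        out.append(f"\ttype {t};")
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    for cls in sorted(by_class):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(by_class[cls]))} }};")
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        verb = "dontaudit" if ttype in dontaudit_targets else "allow"
        out.append(f"{verb} {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    rules = summarize(SAMPLE_AUDIT.splitlines())
    # mail_spool_t is silenced rather than granted: homed only logs and ignores that stat failure.
    print(render_te(rules, dontaudit_targets={"mail_spool_t"}))
```

On a real system the input would be `ausearch -m AVC --raw` output rather than the embedded sample, and the rendered .te would then go through checkmodule/semodule_package or simply audit2allow -M as in the thread. Reviewing the grouped (source, target, class) triples before installing the module is the step audit2allow skips: a denial that the service already tolerates, like the /var/mail stat, should not become an allow rule.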