Package: selinux-policy-default Version: 2:2.20161023.1-9 Severity: normal Dear Maintainer,
I have SELinux enabled and enforcing on Debian Stretch (commandline via SSH only, no GUI is installed at all). I am trying to start a systemd --user unit (which I know is correct, because it works with SELinux in permissive mode). Here are my findings: SELinux permissive ================== ================== $ sudo sestatus [sudo] password for testuser: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 30 ================ $ systemctl --user start ssh-agent $ echo $? 0 $ ssh-add Enter passphrase for /home/testuser/.ssh/id_rsa: Identity added: /home/testuser/.ssh/id_rsa (/home/testuser/.ssh/id_rsa) ================= SELinux enforcing ================= ================= $ sudo sestatus [sudo] password for testuser: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 30 ================ $ systemctl --user start ssh-agent Failed to connect to bus: No such file or directory *** /home/testuser/.config/systemd/user/ssh-agent.service [Unit] Description=SSH key agent [Service] Type=forking Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK [Install] WantedBy=default.target *** /home/testuser/.profile # ~/.profile: executed by the command interpreter for login shells. # This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login # exists. # see /usr/share/doc/bash/examples/startup-files for examples. # the files are located in the bash-doc package. # the default umask is set in /etc/profile; for setting the umask # for ssh logins, install and configure the libpam-umask package. #umask 022 # if running bash if [ -n "$BASH_VERSION" ]; then # include .bashrc if it exists if [ -f "$HOME/.bashrc" ]; then . "$HOME/.bashrc" fi fi # set PATH so it includes user's private bin if it exists if [ -d "$HOME/bin" ] ; then PATH="$HOME/bin:$PATH" fi export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages selinux-policy-default depends on: ii libselinux1 2.6-3+b3 ii libsemanage1 2.6-2 ii libsepol1 2.6-2 ii policycoreutils 2.6-3 ii selinux-utils 2.6-3+b3 Versions of packages selinux-policy-default recommends: ii checkpolicy 2.6-2 ii setools 4.0.1-6 Versions of packages selinux-policy-default suggests: pn logcheck <none> pn syslog-summary <none> -- no debconf information