Incus agent in RHEL 10 VM

I tried creating a RHEL 10.1 VM using the ISO and manually going through the installer using the VGA console according to the instructions in How to create instances.

I’ve created a regular user with sudo access, with my public SSH key and a password so I can SSH in and get root access. I was then able to mount the incus-agent using:

incus config device add rhel10 agent disk source=agent:config

and running the install script inside the VM.

The problem I’m having is that the incus-agent.service will not run (and it seems to be a SELinux problem) but I cannot understand why. I cannot therefore use incus shell rhel10 or incus exec rhel10 -- bash to execute commands within the VM from the host.

If I try to start the service, it fails with the message:

Job for incus-agent.service failed because the control process exited with error code.
See "systemctl status incus-agent.service" and "journalctl -xeu incus-agent.service" for details.

and journalctl shows:

Error: cannot bind socket: listen unix /dev/incus/sock: bind: permission denied

It seems that the service is not allowed to bind to the socket at /dev/incus/sock even though it should be running as root. However, I can manually run (as root):

cd /run/incus_agent && /run/incus_agent/incus-agent &

and it works.

Alternatively, I can disable SELinux by running

setenforce 0

and the service will start correctly.

But if the VM restarts, SELinux is set back to Enforcing, the service fails and I would need to SSH-in again to manually start the agent.

Any suggestions?

Was SELinux enabled after you ran the install.sh script?

The script includes the needed logic to make things behave under SELinux, specifically:

# SELinux handling.
if getenforce >/dev/null 2>&1 && type semanage >/dev/null 2>&1; then
    # Run semanage for both /var/run and /run due to different distro policies
    for run_path in /var/run /run; do
        semanage fcontext -a -t bin_t "${run_path}/incus_agent/incus-agent" >/dev/null 2>&1
    done
fi

This requires that the system has SELinux enabled and the SELinux tools present (for semanage).

I’m sure SELinux would have been enabled when I ran the install.sh script but when I run the following:

ls -alZ /run/incus_agent/incus-agent
-r-x------. 1 root root system_u:object_r:var_run_t:s0 27227137 Feb  4 11:43 /run/incus_agent/incus-agent

which shows the var_run_t type.

I ran the equivalent command to the script:

semanage fcontext -a -t bin_t /run/incus_agent/incus-agent

but the context did not immediately change, and it was necessary to run

restorecon /run/incus_agent/incus-agent

afterwards to get the change applied.

ls -alZ /run/incus_agent/incus-agent
-r-x------. 1 root root system_u:object_r:bin_t:s0 27227137 Feb  4 11:43 /run/incus_agent/incus-agent

After this the systemd service works as expected. I suspect the restorecon command needs including in the function in the install.sh script.

It shouldn’t need to, as the file wouldn’t exist yet at the time the semanage is run; restorecon is only needed for files that already exist and for which the context configuration has been modified.

Having looked some more into this, it appears that the incus package on my Fedora host is still at v6.19.1, dating from 11 December and there doesn’t appear to be an update available in their repos.

So the install.sh script doesn’t try both /var/run and /run as shown in your code snippet above. In the script on my mounted CD-ROM, /var/run is hard-coded but this is a symlink and therefore it fails.

At least I am now able to manually set the context on the agent binary and hopefully the software version will be updated to v6.22 on my host soon.
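The two failure modes discussed above (an fcontext rule written for /var/run that never matches the /run path the binary is actually looked up under, and a binary that is already on disk with var_run_t when the rule is added) can be handled in one place. The script below is an added example, not the install.sh shipped on the Incus agent drive: it registers the bin_t rule under both spellings of the path and relabels the file if it already exists. It assumes the agent lives at /run/incus_agent/incus-agent, that semanage and restorecon (policycoreutils-python-utils on RHEL and Fedora) are installed, that it is run as root, and that the file is saved as label-incus-agent.sh.

```shell
#!/bin/sh
# Added example, not the install.sh shipped with Incus. Labels the agent
# binary bin_t on SELinux systems, covering the /var/run -> /run symlink and
# a binary that already exists when the policy rule is added.
# Assumptions: agent binary at /run/incus_agent/incus-agent (override with
# the first argument), semanage/restorecon installed, running as root.

# Emit both spellings of the binary path (/run/... and /var/run/...), one per
# line, so an fcontext rule exists for the path however it is looked up.
# Pure string handling; needs no SELinux tooling.
selinux_fcontext_paths() {
    bin=$1
    case $bin in
        /var/run/*) rel=${bin#/var/run/} ;;
        /run/*)     rel=${bin#/run/} ;;
        *) printf 'not under /run or /var/run: %s\n' "$bin" >&2; return 1 ;;
    esac
    printf '/run/%s\n/var/run/%s\n' "$rel" "$rel"
}

# 0 when SELinux is active and the policy tools are installed, 1 otherwise
# (the same precondition install.sh checks before calling semanage).
selinux_manageable() {
    getenforce >/dev/null 2>&1 && command -v semanage >/dev/null 2>&1
}

# Print the type component of a file's SELinux context, e.g. "bin_t".
# Fails on a filesystem or platform without SELinux labels.
selinux_type_of() {
    ctx=$(stat -c %C -- "$1" 2>/dev/null) || return 1
    case $ctx in
        *:*:*:*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
        *) return 1 ;;
    esac
}

# Register the fcontext rules and, if the binary is already on disk, relabel
# it. Prints "skipped" when SELinux tooling is unavailable, otherwise the
# type the binary ends up with.
label_agent_binary() {
    bin=${1:-/run/incus_agent/incus-agent}
    if ! selinux_manageable; then
        echo skipped
        return 0
    fi
    selinux_fcontext_paths "$bin" | while IFS= read -r p; do
        # "-a" fails if a rule for this path already exists; modify it then.
        semanage fcontext -a -t bin_t "$p" 2>/dev/null ||
            semanage fcontext -m -t bin_t "$p"
    done
    # semanage only changes the policy database: a file that already exists
    # keeps its old label (var_run_t here) until restorecon re-applies rules.
    [ -e "$bin" ] && restorecon -v "$bin"
    selinux_type_of "$bin"
}

# Running the file directly (sh label-incus-agent.sh [path]) applies the
# change; sourcing it only defines the functions.
case $0 in *label-incus-agent.sh) label_agent_binary "$@" ;; esac
```

After running it, a line from restorecon such as `Relabeled /run/incus_agent/incus-agent from system_u:object_r:var_run_t:s0 to system_u:object_r:bin_t:s0` followed by `bin_t` confirms the binary now carries the type systemd is allowed to execute from the unit; `ls -alZ /run/incus_agent/incus-agent` should agree.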