Noticed this on multiple incus deployments where running something like `pacman -S openssh` fails at `(3/4) Creating temporary files...`. It dumps out `fchownat() of /sys/kernel/security/ima/binary_runtime_measurements failed: Permission denied`, which makes sense because `binary_runtime_measurements` is unreadable, and probably shouldn't be.
This appears to happen because `systemd-tmpfiles` is configured in `/usr/lib/tmpfiles.d/tpm2-tss-fapi.conf` to adjust the access mode of `/sys/kernel/security/ima/binary_runtime_measurements` (and `/sys/kernel/security/tpm[0-9]/binary_bios_measurements`) to `0440`.

Simple fix (for me) is to comment out those two lines in `tpm2-tss-fapi.conf` - whether that's "correct" or not (or should be included in the archlinux image in the first place) is another discussion.
Reproduction steps:

- Create a new archlinux container: `incus launch images:archlinux my-archlinux-instance`
- Launch a root shell in it, and execute: `pacman -S openssh`
- Expect it to fail

Environment:

- incus 6.4
- Debian 12, linux 6.1.0-23-amd64
Dumping the entire pacman output in case someone else runs into this and finds nothing about it when searching the internet:
```
[root@hostname ~]# pacman -S openssh
warning: openssh-9.8p1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) openssh-9.8p1-1

Total Installed Size:  5.71 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                     [...] 100%
(1/1) checking package integrity                   [...] 100%
(1/1) loading package files                        [...] 100%
(1/1) checking for file conflicts                  [...] 100%
(1/1) checking available disk space                [...] 100%
:: Processing package changes...
(1/1) reinstalling openssh                         [...] 100%
:: Running post-transaction hooks...
(1/4) Reloading system manager configuration...
(2/4) Reloading user manager configuration...
(3/4) Creating temporary files...
fchownat() of /sys/kernel/security/ima/binary_runtime_measurements failed: Permission denied
error: command failed to execute correctly
(4/4) Arming ConditionNeedsUpdate...
```
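The fix above edits the packaged file under `/usr/lib/tmpfiles.d`, which pacman will overwrite on the next `tpm2-tss` upgrade. The following script is an added example (not part of the original post, Incus, systemd or tpm2-tss) that applies the same fix through the standard `tmpfiles.d` override mechanism instead: a file with the same name in `/etc/tmpfiles.d` takes precedence over the one in `/usr/lib/tmpfiles.d`. It parses the conf format, comments out the `z` entries that try to change mode or ownership under `/sys/kernel/security` (which a container's read-only securityfs will always reject), and leaves everything else intact. The `SAMPLE_CONF` text is a constructed approximation of the two entries the post describes; the real file's exact contents are an assumption.

```python
"""Generate a tmpfiles.d override that disables entries a container cannot apply.

Constructed example for this thread; not code from Incus, systemd or tpm2-tss.
Assumption: /etc/tmpfiles.d/<name>.conf shadows /usr/lib/tmpfiles.d/<name>.conf
with the same name (standard systemd-tmpfiles precedence).
"""
from pathlib import Path

# Kernel pseudo-filesystem paths whose mode/ownership cannot be changed from
# inside an unprivileged container, so 'z' entries targeting them always fail.
UNWRITABLE_PREFIXES = ("/sys/kernel/security/",)

# Constructed sample of the two tpm2-tss-fapi.conf entries the post refers to
# (assumed layout; the packaged file may differ in comments or field values).
SAMPLE_CONF = """\
# Allow tss group access to IMA log
z /sys/kernel/security/ima/binary_runtime_measurements 0440 root tss - -
# Allow tss group access to TPM BIOS log
z /sys/kernel/security/tpm[0-9]/binary_bios_measurements 0440 root tss - -
"""


def parse_entry(line):
    """Return (type, path, mode) for a tmpfiles.d entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 2:
        return None  # malformed line; leave it for systemd-tmpfiles to complain about
    entry_type, path = fields[0], fields[1]
    mode = fields[2] if len(fields) > 2 else "-"
    return entry_type, path, mode


def is_unapplicable(entry):
    """True if the entry adjusts mode/ownership ('z'/'Z') under a read-only kernel fs."""
    entry_type, path, _ = entry
    # strip tmpfiles.d type modifiers such as '!', '-', '=', '~', '^'
    base_type = entry_type.rstrip("!-=~^")
    return base_type in ("z", "Z") and path.startswith(UNWRITABLE_PREFIXES)


def build_override(conf_text):
    """Return (override_text, disabled_paths) with unapplicable entries commented out."""
    out_lines, disabled = [], []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry and is_unapplicable(entry):
            out_lines.append("# disabled inside container: " + line)
            disabled.append(entry[1])
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


def write_override(name, conf_text, etc_dir="/etc/tmpfiles.d"):
    """Write etc_dir/<name> shadowing the packaged conf; return the Path, or None if nothing changed."""
    text, disabled = build_override(conf_text)
    if not disabled:
        return None
    target = Path(etc_dir) / name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)
    return target


if __name__ == "__main__":
    # Inside a container, read the packaged file; fall back to the sample elsewhere.
    packaged = Path("/usr/lib/tmpfiles.d/tpm2-tss-fapi.conf")
    source = packaged.read_text() if packaged.exists() else SAMPLE_CONF
    override_text, disabled_paths = build_override(source)
    print(override_text)
    print("disabled entries:", disabled_paths)
```

After writing the override (`write_override("tpm2-tss-fapi.conf", source)` as root), `systemd-tmpfiles --create` no longer attempts the `fchownat()` on securityfs and the pacman hook completes; the packaged file under `/usr/lib` stays untouched, so upgrades do not reintroduce the failure.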