[systemd-devel] systemctl inaccessible when enabling DynamicUser=true
Luca Boccassi
luca.boccassi at gmail.com
Thu Mar 28 14:08:01 UTC 2024
On Wed, 20 Mar 2024 at 02:00, Nils Kattenbeck <nilskemail at gmail.com> wrote:
>
> Hello,
>
> I am writing a simple oneshot service which should read access from
> the journal and systemctl status. To restrict the service I was trying
> to enable DynamicUser (and added
> 'SupplementaryGroups=systemd-journal'). However, the service is unable
> to access unit status information and errors with the message: "Failed
> to get properties: Transport endpoint is not connected". The error
> message is not really helpful about what exactly this transport endpoint is.
> What parts of sandboxing do I have to disable again to get this
> working?
> This is systemd 252 on Debian.
Works just fine here in Debian with 252:
$ sudo systemd-run -t -p DynamicUser=yes systemctl status systemd-journald.service
Running as unit: run-u4547.service
Press ^] three times within 1s to disconnect TTY.
● systemd-journald.service - Journal Service
Loaded: loaded (/lib/systemd/system/systemd-journald.service; static)
Active: active (running) since Mon 2024-03-25 10:16:03 GMT; 3 days ago
TriggeredBy: ● systemd-journald-audit.socket
● systemd-journald-dev-log.socket
● systemd-journald.socket
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Main PID: 1028443 (systemd-journal)
Status: "Processing requests..."
Tasks: 1 (limit: 38074)
Memory: 23.4M
CPU: 16.045s
CGroup: /system.slice/systemd-journald.service
└─1028443 /lib/systemd/systemd-journald
$ systemctl --version
systemd 252 (252.23-1~deb12u1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS
+OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD
+LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2
+BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
default-hierarchy=unified