#1129196 iwd: ProtectSystem=strict prevents resolvconf from updating /etc/resolv.conf

Package:
iwd
Source:
iwd
Description:
wireless daemon for Linux
Submitter:
Ryan Walklin
Date:
2026-02-27 11:13:02 UTC
Severity:
normal
Tags:

Message #5
Date:
2026-02-27 10:57:21 UTC
When iwd is configured to use openresolv (NameResolvingService=resolvconf
in /etc/iwd/main.conf), resolvconf fails to update /etc/resolv.conf because
the iwd systemd unit ships ProtectSystem=strict, which makes /etc read-only
for the iwd process and its children.

This results in stale DNS entries persisting in /etc/resolv.conf across
network changes. The errors logged by iwd are:

  /usr/lib/resolvconf/libc: cannot create /etc/resolv.conf: Read-only file system
  /usr/sbin/resolvconf: kill: Operation not permitted
  resolve: /usr/sbin/resolvconf exited with status (256).

The interface files in /run/resolvconf/interfaces/ are updated correctly
(since /run is a tmpfs), but the final regeneration of /etc/resolv.conf
fails due to the sandbox.

Running "resolvconf -u" manually outside the iwd unit succeeds, confirming
the issue is the systemd sandboxing.

The systemd-resolved codepath is unaffected because it uses D-Bus rather
than filesystem writes.

Workaround: create a drop-in override:

  /etc/systemd/system/iwd.service.d/resolvconf.conf
  [Service]
  ReadWritePaths=/etc/resolv.conf

Suggested fix: the iwd package should ship this override, or the unit file
should include ReadWritePaths=/etc/resolv.conf when openresolv is installed.

Regards,

Ryan
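As an added example (not part of the bug report, the iwd package, or systemd itself), the script below models what the report describes: how `ProtectSystem=strict` plus the accumulated `ReadWritePaths=` entries from a unit and its drop-ins decide whether a path such as `/etc/resolv.conf` is writable from inside the service's sandbox. The unit text is a constructed stand-in with a similar sandboxing block, not the real `iwd.service`; the drop-in is the one from the report. The access rules follow systemd.exec(5): under `strict` everything is read-only except `/dev`, `/proc` and `/sys`; list settings accumulate across drop-ins and an empty assignment resets them; when entries nest, the most specific path wins. It is a model of the documented semantics, not an inspection of a live mount namespace.

```python
"""Model the effect of ProtectSystem= and *Paths= settings on one path.

Added example; the unit below is constructed and is not iwd's real unit file.
"""
from __future__ import annotations

import posixpath

# Settings whose values accumulate across the unit and its drop-ins; an
# empty assignment ("ReadWritePaths=") resets the list (systemd.unit(5)).
LIST_SETTINGS = {"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths"}
# API file systems that ProtectSystem=strict leaves writable (systemd.exec(5)).
STRICT_EXEMPT = ("/dev", "/proc", "/sys")


def service_directives(text: str):
    """Yield (key, value) pairs from the [Service] section, in file order."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def effective_settings(files: list[str]) -> dict:
    """Merge the unit file and its drop-ins in load order (unit first)."""
    merged: dict = {}
    for text in files:
        for key, value in service_directives(text):
            if key in LIST_SETTINGS:
                if value == "":
                    merged[key] = []  # explicit reset of the list
                else:
                    merged.setdefault(key, []).extend(value.split())
            else:
                merged[key] = value  # scalar setting: last assignment wins
    return merged


def clean_path(spec: str) -> str:
    """Drop the '-' (ignore if missing) and '+' (relative to root) markers."""
    return posixpath.normpath(spec.lstrip("-+"))


def is_under(path: str, prefix: str) -> bool:
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def access_mode(path: str, settings: dict) -> str:
    """Return 'rw', 'ro' or 'none' for path under the merged sandbox settings."""
    best = None  # (prefix length, mode) of the most specific matching entry
    for key, mode in (("ReadWritePaths", "rw"),
                      ("ReadOnlyPaths", "ro"),
                      ("InaccessiblePaths", "none")):
        for spec in settings.get(key, []):
            prefix = clean_path(spec)
            if is_under(path, prefix) and (best is None or len(prefix) > best[0]):
                best = (len(prefix), mode)
    if best is not None:
        return best[1]
    protect = settings.get("ProtectSystem", "no")
    if protect == "strict":
        return "rw" if any(is_under(path, p) for p in STRICT_EXEMPT) else "ro"
    if protect in ("yes", "true", "full"):
        read_only = ["/usr", "/boot", "/efi"] + (["/etc"] if protect == "full" else [])
        return "ro" if any(is_under(path, p) for p in read_only) else "rw"
    return "rw"


# Constructed stand-in for the packaged unit (NOT iwd's real iwd.service).
IWD_UNIT = """
[Unit]
Description=Wireless service

[Service]
Type=dbus
ExecStart=/usr/libexec/iwd
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/iwd
"""

# The drop-in from the report: /etc/systemd/system/iwd.service.d/resolvconf.conf
RESOLVCONF_DROPIN = """
[Service]
ReadWritePaths=/etc/resolv.conf
"""


def resolvconf_can_write(files: list[str]) -> bool:
    """True if a child of the service could write /etc/resolv.conf."""
    return access_mode("/etc/resolv.conf", effective_settings(files)) == "rw"


if __name__ == "__main__":
    for label, files in (("unit only", [IWD_UNIT]),
                         ("with drop-in", [IWD_UNIT, RESOLVCONF_DROPIN])):
        print(f"{label}: /etc/resolv.conf writable = {resolvconf_can_write(files)}")
```

On a live system the merged values can be confirmed with `systemctl show iwd.service -p ProtectSystem -p ReadWritePaths` after `systemctl daemon-reload`; the model above only reproduces the documented precedence rules so the effect of a proposed drop-in can be reasoned about before it is deployed.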