Package: iwd
Version: 3.8-2
Severity: normal
Tags: patch

When iwd is configured to use openresolv (NameResolvingService=resolvconf in /etc/iwd/main.conf), resolvconf fails to update /etc/resolv.conf because the iwd systemd unit ships ProtectSystem=strict, which makes /etc read-only for the iwd process and its children.

This results in stale DNS entries persisting in /etc/resolv.conf across network changes. The errors logged by iwd are:

  /usr/lib/resolvconf/libc: cannot create /etc/resolv.conf: Read-only file system
  /usr/sbin/resolvconf: kill: Operation not permitted
  resolve: /usr/sbin/resolvconf exited with status (256)

The interface files in /run/resolvconf/interfaces/ are updated correctly (since /run is a tmpfs), but the final regeneration of /etc/resolv.conf fails due to the sandbox. Running "resolvconf -u" manually outside the iwd unit succeeds, confirming the issue is the systemd sandboxing. The systemd-resolved codepath is unaffected because it uses D-Bus rather than filesystem writes.

Workaround: create a drop-in override:

  /etc/systemd/system/iwd.service.d/resolvconf.conf

  [Service]
  ReadWritePaths=/etc/resolv.conf

Suggested fix: the iwd package should ship this override, or the unit file should include ReadWritePaths=/etc/resolv.conf when openresolv is installed.

Regards,
Ryan
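The following is an added example, not part of the bug report and not code from iwd, openresolv or systemd. It is a small POSIX sh checker that reads the KEY=VALUE output of `systemctl show -p ProtectSystem -p ReadWritePaths <unit>` and answers whether a given path is writable for that unit, so the effect of the shipped unit versus the drop-in can be verified without restarting iwd. The ProtectSystem= model it encodes is a simplified approximation of systemd's mount setup (an assumption, not systemd's actual code), and treating /run as writable under strict mirrors the reporter's observation that /run/resolvconf/interfaces/ is updated; the two `systemctl show` outputs embedded below are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example: model which paths a systemd unit may write to, given its
# ProtectSystem= and ReadWritePaths= settings. Simplified approximation
# (assumption) of systemd's behaviour:
#   no / unset -> everything writable
#   yes        -> /usr, /boot, /efi read-only
#   full       -> additionally /etc read-only
#   strict     -> whole tree read-only except /dev, /proc, /sys and /run
#                 (/run writable as observed in the report above)
# ReadWritePaths= entries (optionally prefixed with "-" or "+") make the
# listed path and everything below it writable again.

# under_prefix PATH PREFIX -> 0 if PATH equals PREFIX or lies below it
under_prefix() {
    [ "$2" = "/" ] && return 0
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# path_writable PATH SHOW_OUTPUT -> 0 if writable, 1 if read-only
# SHOW_OUTPUT is the text printed by
#   systemctl show -p ProtectSystem -p ReadWritePaths <unit>
path_writable() {
    path=$1
    show=$2
    protect=$(printf '%s\n' "$show" | sed -n 's/^ProtectSystem=//p')
    rwpaths=$(printf '%s\n' "$show" | sed -n 's/^ReadWritePaths=//p')

    # 1. An explicit ReadWritePaths= entry wins over ProtectSystem=.
    for p in $rwpaths; do
        p=${p#-}
        p=${p#+}
        p=${p%/}
        [ -n "$p" ] && under_prefix "$path" "$p" && return 0
    done

    # 2. Otherwise apply the ProtectSystem= rule.
    case "$protect" in
        ""|no|false|0)
            return 0 ;;
        strict)
            for p in /dev /proc /sys /run; do
                under_prefix "$path" "$p" && return 0
            done
            return 1 ;;
        full)
            for p in /usr /boot /efi /etc; do
                under_prefix "$path" "$p" && return 1
            done
            return 0 ;;
        *)  # yes / true / 1
            for p in /usr /boot /efi; do
                under_prefix "$path" "$p" && return 1
            done
            return 0 ;;
    esac
}

# Constructed samples (not real systemctl output): the unit as described in
# the report, and the same unit with the drop-in from the workaround applied.
SHIPPED='ProtectSystem=strict
ReadWritePaths='
WITH_DROPIN='ProtectSystem=strict
ReadWritePaths=/etc/resolv.conf'

# report PATH SHOW_OUTPUT -> prints the verdict for one path
report() {
    if path_writable "$1" "$2"; then
        echo "$1: writable"
    else
        echo "$1: read-only"
    fi
}

echo "shipped unit:"
report /etc/resolv.conf "$SHIPPED"
report /run/resolvconf/interfaces/wlan0 "$SHIPPED"
echo "with drop-in:"
report /etc/resolv.conf "$WITH_DROPIN"
report /etc/hosts "$WITH_DROPIN"
```

To check a live unit, feed it the real output: `path_writable /etc/resolv.conf "$(systemctl show -p ProtectSystem -p ReadWritePaths iwd.service)"`. Note that ReadWritePaths= is read from the unit's effective configuration, so the drop-in only shows up after `systemctl daemon-reload`.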

