🟡 Medium   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: SUSE Linux Enterprise Server 16

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

`systemctl start ` returns `Permission denied` despite the binary being executable.

Environment & Reproduction

Often appears after copying a unit from another distro or restoring from backup.

Root Cause Analysis

SELinux-like restrictions, SUID loss, or `NoNewPrivileges=yes` in the unit drop required perms.

Quick Triage

Run `systemctl cat ` and `ls -lZ` on the ExecStart binary.

Step-by-Step Diagnosis

Use `systemd-analyze verify /etc/systemd/system/` to catch directive issues.

Illustrative mockup for sles-16 — systemd_unit-eperm_terminal
Terminal diagnostics for systemd unit fails with permission denied on ExecStart — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Adjust unit directives (`User=`, `AmbientCapabilities=`) and run `systemctl daemon-reload`.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for sles-16 — systemd_unit-eperm_logs
Logs and evidence for systemd unit fails with permission denied on ExecStart — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Wrap the binary in a small launcher script with proper capabilities set via `setcap`.

Verification & Acceptance Criteria

`systemctl status ` reports active (running) with no permission warnings.

Rollback Plan

Restore the original unit file from RPM via `rpm -V ` and `–reinstall`.

Prevention & Hardening

Keep custom drop-ins in `/etc/systemd/system/.d/` rather than overwriting shipped units.

Pairs with AppArmor denials when both LSM and unit constraints overlap.

Related tutorial: View the step-by-step tutorial for sles-16.

View all sles-16 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

systemd.exec manual page and SLES 16 service hardening notes.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.