# cat /lib/systemd/system/reboot.target
cat: /lib/systemd/system/reboot.target: Permission denied
# systemctl reboot
... it reboots
Should systemd be doing some sort of access check on reboot.target?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> # cat /lib/systemd/system/reboot.target
> cat: /lib/systemd/system/reboot.target: Permission denied
> # systemctl reboot
> ... it reboots
>
> Should systemd be doing some sort of access check on reboot.target?
I don't think so. The access check is on systemd-reboot.service i believe.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> # cat /lib/systemd/system/reboot.target
> cat: /lib/systemd/system/reboot.target: Permission denied
> # systemctl reboot
> ... it reboots
>
> Should systemd be doing some sort of access check on reboot.target?
I was wrong. It is doing an acccess check on reboot.target
I tried it out here: https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Monday, 15 July 2019 2:16:19 AM AEDT Dominick Grift wrote:
> On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> > # cat /lib/systemd/system/reboot.target
> > cat: /lib/systemd/system/reboot.target: Permission denied
> > # systemctl reboot
> > ... it reboots
> >
> > Should systemd be doing some sort of access check on reboot.target?
>
> I was wrong. It is doing an acccess check on reboot.target
>
> I tried it out here:
> https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be
Thanks for the pointer, I put in an auditallow rule and got the following when
user_t runs "systemctl reboot". It's doing the permission check on systemd-
logind.
Do you have any idea of where I should look for the cause of this?
type=USER_AVC msg=audit(1585309343.652:285): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: granted { start }
for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/
lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0
tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/
systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1585309343.660:287): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: granted { start }
for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/
lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0
tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/
systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/