From: stanv@altlinux.org (Andrew V. Stepanov)
Date: Fri, 24 Jan 2014 17:04:39 +0400
Subject: [refpolicy] systemd slice systemd-logind : tclass=system perm=start
In-Reply-To: <52E2642E.2080906@altlinux.org>
References: <52E2642E.2080906@altlinux.org>
Message-ID: <52E264E7.6060405@altlinux.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

Could you help me?

Let's see logs from FC20:

[ 14.778999] systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
[ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
[ 14.781970] systemd[1]: Installed new job user-994.slice/start as 424
[ 14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
[ 14.782023] systemd[1]: Starting user-994.slice.
[ 14.782189] systemd[1]: user-994.slice changed dead -> active
[ 14.782194] systemd[1]: Job user-994.slice/start finished, result=done
[ 14.782293] systemd[1]: Created slice user-994.slice.

Please!!! Give me some idea why the next rule is allowed:

[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0

Please! Please! Please!

Class "system" doesn't have permission "start":

[root@localhost ~]# seinfo -csystem -x
   system
      status
      module_request
      reboot
      disable
      enable
      undefined
      ipc_info
      syslog_read
      halt
      reload
      syslog_console
      syslog_mod

# cat /etc/redhat-release
Fedora release 20 (Heisenbug)

Why does it return 0 (ALLOW)?

I am stuck with it in my distro, because my distro denies this action.
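
An added example, not part of the original message: a small Python cross-check of the two observations above. It parses the systemd "SELinux access check" log lines and lists every check whose permission is not among those seinfo reports for the class. The sample input is copied from the message; the function names are hypothetical, and the seinfo text is assumed to describe a single class.

```python
import re

# Sample input copied from the message above (log lines and seinfo output).
LOG = """\
[ 14.778999] systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
[ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
"""
SEINFO = """\
system
   status module_request reboot disable enable undefined
   ipc_info syslog_read halt reload syslog_console syslog_mod
"""

# Field layout taken from the log line quoted in the message.
CHECK_RE = re.compile(
    r"SELinux access check scon=(?P<scon>\S+) tcon=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\S+) perm=(?P<perm>\S+) .*: (?P<result>-?\d+)\s*$"
)

def parse_checks(log):
    """Return one dict per 'SELinux access check' line; other lines are skipped."""
    return [m.groupdict() for line in log.splitlines()
            if (m := CHECK_RE.search(line))]

def parse_class(seinfo_text):
    """Assumption: one class only; first token is its name, the rest its permissions."""
    tokens = seinfo_text.split()
    return tokens[0], set(tokens[1:])

def undefined_perm_checks(log, seinfo_text):
    """Checks against the class whose permission the loaded policy does not define."""
    cls, perms = parse_class(seinfo_text)
    return [c for c in parse_checks(log)
            if c["tclass"] == cls and c["perm"] not in perms]

if __name__ == "__main__":
    for c in undefined_perm_checks(LOG, SEINFO):
        print(f"{c['scon']} -> {c['tcon']}: class {c['tclass']} has no "
              f"permission '{c['perm']}', check returned {c['result']}")
```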