From: mgrepl@redhat.com (Miroslav Grepl)
Date: Tue, 28 Jan 2014 11:05:05 +0100
Subject: [refpolicy] systemd slice systemd-logind : tclass=system perm=start
In-Reply-To: <52E264E7.6060405@altlinux.org>
References: <52E2642E.2080906@altlinux.org> <52E264E7.6060405@altlinux.org>
Message-ID: <52E780D1.5000706@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/24/2014 02:04 PM, Andrew V. Stepanov wrote:
> Hello.
>
> Could you help me?
>
> Let's see logs from FC20:
>
> [ 14.778999] systemd[1]: Got D-Bus request:
> org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
> [ 14.781936] systemd[1]: SELinux access check
> scon=system_u:system_r:systemd_logind_t:s0
> tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
> cmdline=(null): 0
> [ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
> [ 14.781970] systemd[1]: Installed new job user-994.slice/start as 424
> [ 14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
> [ 14.782023] systemd[1]: Starting user-994.slice.
> [ 14.782189] systemd[1]: user-994.slice changed dead -> active
> [ 14.782194] systemd[1]: Job user-994.slice/start finished, result=done
> [ 14.782293] systemd[1]: Created slice user-994.slice.
>
> Please!!! Give me some idea why next rule is allowed:
>
> [ 14.781936] systemd[1]: SELinux access check
> scon=system_u:system_r:systemd_logind_t:s0
> tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
> cmdline=(null): 0
>
> Please! Please! Please!
>
> class "system" doesn't have permission "start":
>
> [root@localhost ~]# seinfo -csystem -x
> system
>     status
>     module_request
>     reboot
>     disable
>     enable
>     undefined
>     ipc_info
>     syslog_read
>     halt
>     reload
>     syslog_console
>     syslog_mod
>
> # cat /etc/redhat-release
> Fedora release 20 (Heisenbug)
>
> Why does it return 0 ? (ALLOW) ?
>
> I am stuck with it in my distro. Because my distro denies this action.

There is a bug for this issue.

Regards,
Miroslav
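
Added example, not part of the original thread: a Python check that cross-references systemd's "SELinux access check" debug lines against the permissions `seinfo -x` lists for the class, so that a request such as perm=start on class system, which the policy does not define, stands out. The function names are this example's own, and it assumes class names are indented less than their permissions; the sample input is the log line and seinfo output quoted above, with the log line unwrapped.

```python
import re

# Sample input: taken from the log and seinfo output quoted in the message
# above (log line unwrapped, permissions joined from the seinfo listing).
LOG = """\
[ 14.778999] systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
[ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
"""
SEINFO = "system\n    " + "\n    ".join(
    "status module_request reboot disable enable undefined ipc_info "
    "syslog_read halt reload syslog_console syslog_mod".split())

CHECK_RE = re.compile(
    r"SELinux access check scon=(?P<scon>\S+) tcon=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\S+) perm=(?P<perm>\S+) .*: (?P<result>-?\d+)$")

def parse_seinfo(text):
    """Parse `seinfo -c<class> -x` style output into {class: set(perms)}."""
    classes, current, class_indent = {}, None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if current is None or indent <= class_indent:
            # Least-indented lines are class names (assumption of this example).
            current, class_indent = line.strip(), indent
            classes.setdefault(current, set())
        else:
            classes[current].add(line.strip())
    return classes

def undefined_perm_checks(log, classes):
    """Return access checks whose class or permission is absent from policy."""
    findings = []
    for line in log.splitlines():
        m = CHECK_RE.search(line)
        if m and m["perm"] not in classes.get(m["tclass"], set()):
            findings.append(m.groupdict())
    return findings

if __name__ == "__main__":
    for f in undefined_perm_checks(LOG, parse_seinfo(SEINFO)):
        print("{tclass}:{perm} not in policy, scon={scon} result={result}".format(**f))
```
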