Hello.
Could you help me?
Let's see logs from FC20:
[ 14.778999] systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
[ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
[ 14.781970] systemd[1]: Installed new job user-994.slice/start as 424
[ 14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
[ 14.782023] systemd[1]: Starting user-994.slice.
[ 14.782189] systemd[1]: user-994.slice changed dead -> active
[ 14.782194] systemd[1]: Job user-994.slice/start finished, result=done
[ 14.782293] systemd[1]: Created slice user-994.slice.
Please!!! Give me some idea why the next rule is allowed:
[ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
Please! Please! Please!
class "system" doesn't have permission "start":
[root@localhost ~]# seinfo -csystem -x
system
status
module_request
reboot
disable
enable
undefined
ipc_info
syslog_read
halt
reload
syslog_console
syslog_mod
# cat /etc/redhat-release
Fedora release 20 (Heisenbug)
Why does it return 0 (ALLOW)?
I am stuck with it in my distro, because my distro denies this action.
On 01/24/2014 02:04 PM, Andrew V. Stepanov wrote:
> Hello.
>
> Could you help me?
>
> Let's see logs from FC20:
>
> [ 14.778999] systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
> [ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
> [ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
> [ 14.781970] systemd[1]: Installed new job user-994.slice/start as 424
> [ 14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
> [ 14.782023] systemd[1]: Starting user-994.slice.
> [ 14.782189] systemd[1]: user-994.slice changed dead -> active
> [ 14.782194] systemd[1]: Job user-994.slice/start finished, result=done
> [ 14.782293] systemd[1]: Created slice user-994.slice.
>
> Please!!! Give me some idea why the next rule is allowed:
>
> [ 14.781936] systemd[1]: SELinux access check scon=system_u:system_r:systemd_logind_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null) cmdline=(null): 0
>
> Please! Please! Please!
>
> class "system" doesn't have permission "start":
>
> [root@localhost ~]# seinfo -csystem -x
> system
> status
> module_request
> reboot
> disable
> enable
> undefined
> ipc_info
> syslog_read
> halt
> reload
> syslog_console
> syslog_mod
>
> # cat /etc/redhat-release
> Fedora release 20 (Heisenbug)
>
> Why does it return 0 (ALLOW)?
>
> I am stuck with it in my distro, because my distro denies this action.
There is a bug for this issue.
Regards,
Miroslav
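
A check for the mismatch raised in this thread, added here as an example and not code from either poster or from systemd: it pulls systemd's "SELinux access check" entries out of a log and reports those whose perm is not among the permissions seinfo lists for that class. The function names are hypothetical, the sample input is copied from the post above, and the seinfo parsing assumes the one-name-per-line layout shown there.

```python
import re

# Fields systemd logs for a userspace SELinux access check, ending in the result code.
CHECK_RE = re.compile(
    r"SELinux access check\s+scon=(?P<scon>\S+)\s+tcon=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+perm=(?P<perm>\S+)\s+path=(?P<path>\S+)\s+"
    r"cmdline=(?P<cmdline>.*?):\s*(?P<result>-?\d+)"
)

def parse_checks(log_text):
    """Return one dict per access-check entry; tolerates mail-wrapped lines."""
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in CHECK_RE.finditer(flat)]

def parse_class_perms(seinfo_text):
    """Assumed layout: class name on the first line, one permission per line after."""
    names = [ln.strip() for ln in seinfo_text.splitlines() if ln.strip()]
    return names[0], set(names[1:])

def undefined_perm_checks(log_text, seinfo_text):
    """Checks against the given class whose perm the policy does not define."""
    cls, perms = parse_class_perms(seinfo_text)
    return [c for c in parse_checks(log_text)
            if c["tclass"] == cls and c["perm"] not in perms]

# Sample input copied from the post above (log excerpt and seinfo listing).
SAMPLE_LOG = """\
[ 14.778999] systemd[1]: Got D-Bus request:
org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[ 14.781936] systemd[1]: SELinux access check
scon=system_u:system_r:systemd_logind_t:s0
tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
cmdline=(null): 0
[ 14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
"""
SAMPLE_SEINFO = "\n".join(
    "system status module_request reboot disable enable undefined "
    "ipc_info syslog_read halt reload syslog_console syslog_mod".split())

if __name__ == "__main__":
    for c in undefined_perm_checks(SAMPLE_LOG, SAMPLE_SEINFO):
        print(f"{c['scon']} -> {c['tcon']}: {c['tclass']}:{c['perm']} "
              f"not defined in policy, result={c['result']}")
```
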