* [refpolicy] systemd slice systemd-logind : tclass=system perm=start
From: Andrew V. Stepanov @ 2014-01-24 13:04 UTC (permalink / raw)
  To: refpolicy

Hello.

Could you help me?

Let's see logs from FC20:

[   14.778999] systemd[1]: Got D-Bus request:
org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
[   14.781936] systemd[1]: SELinux access check
scon=system_u:system_r:systemd_logind_t:s0
tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
cmdline=(null): 0
[   14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
[   14.781970] systemd[1]: Installed new job user-994.slice/start as 424
[   14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
[   14.782023] systemd[1]: Starting user-994.slice.
[   14.782189] systemd[1]: user-994.slice changed dead -> active
[   14.782194] systemd[1]: Job user-994.slice/start finished, result=done
[   14.782293] systemd[1]: Created slice user-994.slice.

Please!!! Give me some idea why the next rule is allowed:

[   14.781936] systemd[1]: SELinux access check
scon=system_u:system_r:systemd_logind_t:s0
tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
cmdline=(null): 0

Please! Please! Please!

class "system" doesn't have permission "start":

[root@localhost ~]# seinfo -csystem -x
    system
       status
       module_request
       reboot
       disable
       enable
       undefined
       ipc_info
       syslog_read
       halt
       reload
       syslog_console
       syslog_mod

# cat /etc/redhat-release
Fedora release 20 (Heisenbug)

Why does it return 0 (ALLOW)?

I am stuck with it in my distro, because my distro denies this action.


* [refpolicy] systemd slice systemd-logind : tclass=system perm=start
From: Miroslav Grepl @ 2014-01-28 10:05 UTC (permalink / raw)
  To: refpolicy

On 01/24/2014 02:04 PM, Andrew V. Stepanov wrote:
> Hello.
>
> Could you help me?
>
> Let's see logs from FC20:
>
> [   14.778999] systemd[1]: Got D-Bus request:
> org.freedesktop.systemd1.Manager.StartUnit() on /org/freedesktop/systemd1
> [   14.781936] systemd[1]: SELinux access check
> scon=system_u:system_r:systemd_logind_t:s0
> tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
> cmdline=(null): 0
> [   14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
> [   14.781970] systemd[1]: Installed new job user-994.slice/start as 424
> [   14.781974] systemd[1]: Enqueued job user-994.slice/start as 424
> [   14.782023] systemd[1]: Starting user-994.slice.
> [   14.782189] systemd[1]: user-994.slice changed dead -> active
> [   14.782194] systemd[1]: Job user-994.slice/start finished, result=done
> [   14.782293] systemd[1]: Created slice user-994.slice.
>
> Please!!! Give me some idea why the next rule is allowed:
>
> [   14.781936] systemd[1]: SELinux access check
> scon=system_u:system_r:systemd_logind_t:s0
> tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
> cmdline=(null): 0
>
> Please! Please! Please!
>
> class "system" doesn't have permission "start":
>
> [root@localhost ~]# seinfo -csystem -x
>      system
>         status
>         module_request
>         reboot
>         disable
>         enable
>         undefined
>         ipc_info
>         syslog_read
>         halt
>         reload
>         syslog_console
>         syslog_mod
>
> # cat /etc/redhat-release
> Fedora release 20 (Heisenbug)
>
> Why does it return 0 (ALLOW)?
>
> I am stuck with it in my distro, because my distro denies this action.
>
There is a bug for this issue.

Regards,
Miroslav
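
The comparison made by hand in the first message (the permission in systemd's access-check record against the permissions `seinfo` lists for the class) can be scripted. This is an added example, not part of either message; the log record and the `seinfo` output are copied from the thread, and the function names are hypothetical.

```python
import re

# Added example, hypothetical names; log record wrapped as it was in the mail.
LOG = """\
[   14.781936] systemd[1]: SELinux access check
scon=system_u:system_r:systemd_logind_t:s0
tcon=system_u:system_r:init_t:s0 tclass=system perm=start path=(null)
cmdline=(null): 0
[   14.781944] systemd[1]: Trying to enqueue job user-994.slice/start/fail
"""
# `seinfo -csystem -x` output as posted in the thread.
SEINFO = """\
    system
       status
       module_request
       reboot
       disable
       enable
       undefined
       ipc_info
       syslog_read
       halt
       reload
       syslog_console
       syslog_mod
"""
STAMP = re.compile(r"^\[\s*\d+\.\d+\]")
CHECK = re.compile(r"SELinux access check\s+scon=(?P<scon>\S+)\s+tcon=(?P<tcon>\S+)"
                   r"\s+tclass=(?P<tclass>\S+)\s+perm=(?P<perm>\S+)\s.*:\s*(?P<rc>-?\d+)$")

def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def undefined_checks(log_text, seinfo_text):
    """Return (scon, tcon, perm, result) for checks on a permission the class lacks."""
    cls, *perms = seinfo_text.split()  # first token is the class, the rest its permissions
    hits = []
    for rec in unwrap(log_text):
        m = CHECK.search(rec)
        if m and m["tclass"] == cls and m["perm"] not in perms:
            hits.append((m["scon"], m["tcon"], m["perm"], int(m["rc"])))
    return hits
```

A hit whose last field is 0 is the situation described in the first message: the check succeeded for a permission that the class does not list.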
