SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* systemd reboot
@ 2019-07-14 15:10 Russell Coker
  2019-07-14 15:23 ` Dominick Grift
  2019-07-14 16:16 ` Dominick Grift
  0 siblings, 2 replies; 4+ messages in thread
From: Russell Coker @ 2019-07-14 15:10 UTC (permalink / raw)
  To: selinux-refpolicy

# cat /lib/systemd/system/reboot.target
cat: /lib/systemd/system/reboot.target: Permission denied
# systemctl reboot
... it reboots

Should systemd be doing some sort of access check on reboot.target?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: systemd reboot
  2019-07-14 15:10 systemd reboot Russell Coker
@ 2019-07-14 15:23 ` Dominick Grift
  2019-07-14 16:16 ` Dominick Grift
  1 sibling, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2019-07-14 15:23 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy


[-- Attachment #1: Type: text/plain, Size: 649 bytes --]

On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> # cat /lib/systemd/system/reboot.target
> cat: /lib/systemd/system/reboot.target: Permission denied
> # systemctl reboot
> ... it reboots
> 
> Should systemd be doing some sort of access check on reboot.target?

I don't think so. The access check is on systemd-reboot.service i believe.

> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> 
> 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: systemd reboot
  2019-07-14 15:10 systemd reboot Russell Coker
  2019-07-14 15:23 ` Dominick Grift
@ 2019-07-14 16:16 ` Dominick Grift
  2020-03-27 11:52   ` Russell Coker
  1 sibling, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2019-07-14 16:16 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy


[-- Attachment #1: Type: text/plain, Size: 718 bytes --]

On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> # cat /lib/systemd/system/reboot.target
> cat: /lib/systemd/system/reboot.target: Permission denied
> # systemctl reboot
> ... it reboots
> 
> Should systemd be doing some sort of access check on reboot.target?

I was wrong. It is doing an acccess check on reboot.target

I tried it out here: https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be

> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> 
> 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: systemd reboot
  2019-07-14 16:16 ` Dominick Grift
@ 2020-03-27 11:52   ` Russell Coker
  0 siblings, 0 replies; 4+ messages in thread
From: Russell Coker @ 2020-03-27 11:52 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Monday, 15 July 2019 2:16:19 AM AEDT Dominick Grift wrote:
> On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote:
> > # cat /lib/systemd/system/reboot.target
> > cat: /lib/systemd/system/reboot.target: Permission denied
> > # systemctl reboot
> > ... it reboots
> > 
> > Should systemd be doing some sort of access check on reboot.target?
> 
> I was wrong. It is doing an acccess check on reboot.target
> 
> I tried it out here:
> https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be

Thanks for the pointer, I put in an auditallow rule and got the following when 
user_t runs "systemctl reboot".  It's doing the permission check on systemd-
logind.

Do you have any idea of where I should look for the cause of this?

type=USER_AVC msg=audit(1585309343.652:285): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  granted  { start } 
for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/
lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:object_r:power_unit_t:s0 tclass=service  exe="/usr/lib/
systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1585309343.660:287): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  granted  { start } 
for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/
lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:object_r:power_unit_t:s0 tclass=service  exe="/usr/lib/
systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-14 15:10 systemd reboot Russell Coker
2019-07-14 15:23 ` Dominick Grift
2019-07-14 16:16 ` Dominick Grift
2020-03-27 11:52   ` Russell Coker

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git