# cat /lib/systemd/system/reboot.target cat: /lib/systemd/system/reboot.target: Permission denied # systemctl reboot ... it reboots Should systemd be doing some sort of access check on reboot.target? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
[-- Attachment #1: Type: text/plain, Size: 649 bytes --] On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote: > # cat /lib/systemd/system/reboot.target > cat: /lib/systemd/system/reboot.target: Permission denied > # systemctl reboot > ... it reboots > > Should systemd be doing some sort of access check on reboot.target? I don't think so. The access check is on systemd-reboot.service i believe. > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ > > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --]
[-- Attachment #1: Type: text/plain, Size: 718 bytes --] On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote: > # cat /lib/systemd/system/reboot.target > cat: /lib/systemd/system/reboot.target: Permission denied > # systemctl reboot > ... it reboots > > Should systemd be doing some sort of access check on reboot.target? I was wrong. It is doing an acccess check on reboot.target I tried it out here: https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ > > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 659 bytes --]
On Monday, 15 July 2019 2:16:19 AM AEDT Dominick Grift wrote: > On Mon, Jul 15, 2019 at 01:10:48AM +1000, Russell Coker wrote: > > # cat /lib/systemd/system/reboot.target > > cat: /lib/systemd/system/reboot.target: Permission denied > > # systemctl reboot > > ... it reboots > > > > Should systemd be doing some sort of access check on reboot.target? > > I was wrong. It is doing an acccess check on reboot.target > > I tried it out here: > https://www.youtube.com/watch?v=YUATkv6R6Ys&feature=youtu.be Thanks for the pointer, I put in an auditallow rule and got the following when user_t runs "systemctl reboot". It's doing the permission check on systemd- logind. Do you have any idea of where I should look for the cause of this? type=USER_AVC msg=audit(1585309343.652:285): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: granted { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/ lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/ systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1585309343.660:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: granted { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="/ lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/ systemd/systemd" sauid=0 hostname=? addr=? terminal=?' -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/