Hi All,
$subject is somewhat misleading, what I actually want is to make:
systemctl reboot --boot-loader-menu=60
Work as a regular user (who is physically present at the console).
So I looked at:
/usr/share/polkit-1/actions/org.freedesktop.login1.policy, which has:
<action id="org.freedesktop.login1.reboot">
<description gettext-domain="systemd">Reboot the system</description>
<message gettext-domain="systemd">Authentication is required to ...
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
This doesexplain why "systemctl reboot" works for "active" (aka console)
users. But the snippet for reboot --boot-loader-menu looks the same, but yet
that is not allowed as regular user ? :
<action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
<description gettext-domain="systemd">Indicate to the boot loader to boot to the boot loader menu</description>
<message gettext-domain="systemd">Authentication is required to ...
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
</action>
[hans@x1 ~]$ systemctl reboot --boot-loader-menu=60
Cannot indicate to boot loader to enter boot loader entry menu: Access denied
/usr/share/polkit-1/rules.d/
Does not contain any rules explaining why org.freedesktop.login1.reboot is
allowed, while org.freedesktop.login1.set-reboot-to-boot-loader-menu is not
allowed ?
Maybe selinux ?
Regards,
Hans
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
systemctl reboot is allowed as normal user, where is this configured
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: systemctl reboot is allowed as normal user, where is this configured
- From: Hans de Goede <hdegoede@xxxxxxxxxx>
- Date: Mon, 13 Jul 2020 16:11:23 +0200
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
- Follow-Ups:
- Re: systemctl reboot is allowed as normal user, where is this configured
- From: Hans de Goede
- Re: systemctl reboot is allowed as normal user, where is this configured
- Prev by Date: Re: Seccomp allow/log action
- Next by Date: Re: systemctl reboot is allowed as normal user, where is this configured
- Previous by thread: systemd-analyze security and SystemCallFilter
- Next by thread: Re: systemctl reboot is allowed as normal user, where is this configured
- Index(es):
 |