Re: systemctl reboot is allowed as normal user, where is this configured

[Hans de Goede <hdegoede@xxxxxxxxxx>]

Hi again,

On 7/13/20 4:11 PM, Hans de Goede wrote:
> Hi All,
>
> $subject is somewhat misleading, what I actually want is to make:
>
> systemctl reboot --boot-loader-menu=60
>
> Work as a regular user (who is physically present at the console).
>
> So I looked at:
>
> /usr/share/polkit-1/actions/org.freedesktop.login1.policy, which has:
>
>          <action id="org.freedesktop.login1.reboot">
>                  <description gettext-domain="systemd">Reboot the system</description>
>                  <message gettext-domain="systemd">Authentication is required to ...
>                  <defaults>
>                          <allow_any>auth_admin_keep</allow_any>
>                          <allow_inactive>auth_admin_keep</allow_inactive>
>                          <allow_active>yes</allow_active>
>                  </defaults>
>          </action>
>
> This doesexplain why "systemctl reboot" works for "active" (aka console)
> users. But the snippet for reboot --boot-loader-menu looks the same, but yet
> that is not allowed as regular user ? :
>
>          <action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
>                  <description gettext-domain="systemd">Indicate to the boot loader to boot to the boot loader menu</description>
>                  <message gettext-domain="systemd">Authentication is required to ...
>                  <defaults>
>                          <allow_any>auth_admin_keep</allow_any>
>                          <allow_inactive>auth_admin_keep</allow_inactive>
>                          <allow_active>yes</allow_active>
>                  </defaults>
>                  <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
>          </action>
>
> [hans@x1 ~]$ systemctl reboot --boot-loader-menu=60
> Cannot indicate to boot loader to enter boot loader entry menu: Access denied
>
> /usr/share/polkit-1/rules.d/
>
> Does not contain any rules explaining why org.freedesktop.login1.reboot is
> allowed, while org.freedesktop.login1.set-reboot-to-boot-loader-menu is not
> allowed ?
>
> Maybe selinux ?

Answering my own question, yes of course it is selinux. I was thinking that
logind was saying "Access Denied", but that is not what is happening logind
is encountering a selinux denial when creating:

/run/systemd/reboot-to-boot-loader-menu

And is forwarding the -PERM error from that, which caused me to focus
on the polkit stuff...

I've filed a bug for this against Fedora's selinux policy:

https://bugzilla.redhat.com/show_bug.cgi?id=1856399

Regards,

Hans

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel