[systemd-devel] systemctl reboot is allowed as normal user, where is this configured
Hans de Goede
hdegoede at redhat.com
Mon Jul 13 14:11:23 UTC 2020
Hi All,
$subject is somewhat misleading, what I actually want is to make:
systemctl reboot --boot-loader-menu=60
Work as a regular user (who is physically present at the console).
So I looked at:
/usr/share/polkit-1/actions/org.freedesktop.login1.policy, which has:
    <action id="org.freedesktop.login1.reboot">
        <description gettext-domain="systemd">Reboot the system</description>
        <message gettext-domain="systemd">Authentication is required to ...
        <defaults>
            <allow_any>auth_admin_keep</allow_any>
            <allow_inactive>auth_admin_keep</allow_inactive>
            <allow_active>yes</allow_active>
        </defaults>
    </action>
This does explain why "systemctl reboot" works for "active" (aka console)
users. But the snippet for reboot --boot-loader-menu looks the same, and yet
that is not allowed as a regular user?:
    <action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
        <description gettext-domain="systemd">Indicate to the boot loader to boot to the boot loader menu</description>
        <message gettext-domain="systemd">Authentication is required to ...
        <defaults>
            <allow_any>auth_admin_keep</allow_any>
            <allow_inactive>auth_admin_keep</allow_inactive>
            <allow_active>yes</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
    </action>
[hans at x1 ~]$ systemctl reboot --boot-loader-menu=60
Cannot indicate to boot loader to enter boot loader entry menu: Access denied
/usr/share/polkit-1/rules.d/
does not contain any rules explaining why org.freedesktop.login1.reboot is
allowed, while org.freedesktop.login1.set-reboot-to-boot-loader-menu is not
allowed?
Maybe SELinux?
Regards,
Hans
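
The comparison made in the message above can be done mechanically. The following is an added example, not part of the original post or of systemd/polkit: it parses a polkit policy document, extracts each action's implicit authorizations and its `org.freedesktop.policykit.imply` annotation, and reports where two actions differ. The embedded policy is a constructed sample built from the two actions quoted in the message; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two actions quoted in the message, trimmed to the
# elements this comparison reads and wrapped in a <policyconfig> root.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.login1.reboot">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
  </action>
</policyconfig>"""

IMPLY_KEY = "org.freedesktop.policykit.imply"
SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")

def load_actions(policy_xml):
    """Return {action id: {"defaults": {...}, "implies": [...]}}."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        # A missing <allow_*> element is reported as None, not guessed.
        defaults = {k: action.findtext(f"defaults/{k}") for k in SESSION_KINDS}
        implies = []
        for note in action.findall("annotate"):
            if note.get("key") == IMPLY_KEY:
                # The annotation value is a space-separated list of action ids.
                implies.extend((note.text or "").split())
        actions[action.get("id")] = {"defaults": defaults, "implies": implies}
    return actions

def differing_defaults(actions, first, second):
    """Return {session kind: (first value, second value)} where they differ."""
    a, b = actions[first]["defaults"], actions[second]["defaults"]
    return {k: (a[k], b[k]) for k in SESSION_KINDS if a[k] != b[k]}

if __name__ == "__main__":
    acts = load_actions(SAMPLE_POLICY)
    print("differences:", differing_defaults(acts, *acts))
```

An empty result for these two actions means the `<defaults>` blocks in the policy file do not account for the different outcomes.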