[systemd-devel] systemctl reboot is allowed as normal user, where is this configured

Hans de Goede hdegoede at redhat.com
Mon Jul 13 14:21:04 UTC 2020


Hi again,

On 7/13/20 4:11 PM, Hans de Goede wrote:
> Hi All,
> 
> $subject is somewhat misleading, what I actually want is to make:
> 
> systemctl reboot --boot-loader-menu=60
> 
> Work as a regular user (who is physically present at the console).
> 
> So I looked at:
> 
> /usr/share/polkit-1/actions/org.freedesktop.login1.policy, which has:
> 
>          <action id="org.freedesktop.login1.reboot">
>                  <description gettext-domain="systemd">Reboot the system</description>
>                  <message gettext-domain="systemd">Authentication is required to ...
>                  <defaults>
>                          <allow_any>auth_admin_keep</allow_any>
>                          <allow_inactive>auth_admin_keep</allow_inactive>
>                          <allow_active>yes</allow_active>
>                  </defaults>
>          </action>
> 
> This does explain why "systemctl reboot" works for "active" (aka console)
> users. But the snippet for reboot --boot-loader-menu looks the same, but yet
> that is not allowed as regular user ? :
> 
>          <action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
>                  <description gettext-domain="systemd">Indicate to the boot loader to boot to the boot loader menu</description>
>                  <message gettext-domain="systemd">Authentication is required to ...
>                  <defaults>
>                          <allow_any>auth_admin_keep</allow_any>
>                          <allow_inactive>auth_admin_keep</allow_inactive>
>                          <allow_active>yes</allow_active>
>                  </defaults>
>                  <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
>          </action>
> 
> [hans at x1 ~]$ systemctl reboot --boot-loader-menu=60
> Cannot indicate to boot loader to enter boot loader entry menu: Access denied
> 
> /usr/share/polkit-1/rules.d/
> 
> Does not contain any rules explaining why org.freedesktop.login1.reboot is
> allowed, while org.freedesktop.login1.set-reboot-to-boot-loader-menu is not
> allowed ?
> 
> Maybe selinux ?

Answering my own question, yes of course it is selinux. I was thinking that
logind was saying "Access Denied", but that is not what is happening; logind
is encountering a selinux denial when creating:

/run/systemd/reboot-to-boot-loader-menu

And is forwarding the -PERM error from that, which caused me to focus
on the polkit stuff...

I've filed a bug for this against Fedora's selinux policy:

https://bugzilla.redhat.com/show_bug.cgi?id=1856399

Regards,

Hans
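
Added example, not part of the original message or of systemd: a Python check that reads the polkit defaults for the two actions quoted above and, when polkit already allows an active session, looks for an AVC denial against systemd-logind instead. The audit records are constructed, the SELinux type names in them are placeholders, and the function names are hypothetical; rules under rules.d, which can override the defaults, are not evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two actions from the quoted policy file, trimmed.
POLICY = """<policyconfig>
 <action id="org.freedesktop.login1.reboot">
  <defaults><allow_any>auth_admin_keep</allow_any>
   <allow_inactive>auth_admin_keep</allow_inactive><allow_active>yes</allow_active></defaults>
 </action>
 <action id="org.freedesktop.login1.set-reboot-to-boot-loader-menu">
  <defaults><allow_any>auth_admin_keep</allow_any>
   <allow_inactive>auth_admin_keep</allow_inactive><allow_active>yes</allow_active></defaults>
  <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.reboot</annotate>
 </action>
</policyconfig>"""

# Constructed audit records (not from the bug report); type names are placeholders.
AUDIT = [
    'type=AVC msg=audit(1594649000.101:410): avc:  denied  { create } for  pid=812 '
    'comm="systemd-logind" name="reboot-to-boot-loader-menu" '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1594649003.500:411): avc:  denied  { read } for  pid=2210 '
    'comm="example" name="other" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
                 r'.*?name="(?P<name>[^"]+)".*?tclass=(?P<tclass>\S+)')

def polkit_defaults(policy_xml, action_id):
    """Return the implicit authorizations polkit applies to action_id."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            return {e.tag: e.text.strip() for e in action.find("defaults")}
    raise KeyError(action_id)

def avc_denials(lines, comm):
    """Return (perms, name, tclass) for each AVC denial raised against comm."""
    hits = (AVC.search(line) for line in lines)
    return [(m["perms"].strip(), m["name"], m["tclass"])
            for m in hits if m and m["comm"] == comm]

def denying_layer(policy_xml, action_id, lines, comm="systemd-logind"):
    """Attribute an 'Access denied' seen by an active local session to a layer."""
    if polkit_defaults(policy_xml, action_id)["allow_active"] != "yes":
        return "polkit"
    return "selinux" if avc_denials(lines, comm) else "unknown"
```

On a live system the lines would come from the audit log rather than the embedded list.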
