Created attachment 829785
[PATCH] kdumpgui: Allow accessing and creating the libblkid cache

+++ This bug was initially created as a clone of Bug #1022762 +++

Apart from the systemd shortcoming that's being addressed in the above bug, I believe there still are two changes needed to the policy. Please have a look at the attached patch files; they contain explanations in their headers.

The denials:

type=AVC msg=audit(1385565744.551:108): avc: denied { write } for pid=2565 comm="grubby" name="/" dev="tmpfs" ino=1185 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=USER_AVC msg=audit(1385565751.354:111): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Systemd log for "systemctl enable kdump.service" and "systemctl disable kdump.service" (from an unconfined shell session):

Nov 27 15:51:37 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=disable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl disable kdump.service: 0
Nov 27 15:51:37 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl disable kdump.service: 0
Nov 27 15:52:09 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.EnableUnitFiles() on /org/freedesktop/systemd1
Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl enable kdump.service: 0
Nov 27 15:52:09 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl enable kdump.service: 0
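As an added example (not part of the bug report, the attached patches or the selinux-policy project), the script below parses the two AVC records and the systemd "SELinux access check" lines quoted above into (source type, target type, class, permissions) tuples and emits the allow rules the denials imply, which is the core of what audit2allow does when a policy patch like the ones attached is drafted. The sample lines are the ones quoted in the report; the reading that the trailing `: 0` in systemd's log is the return value of the access check and therefore means "allowed" is my assumption.

```python
"""Turn SELinux AVC denials into the allow rules they imply, and read systemd's
access-check debug lines. Added example; not code from the bug report."""
import re
from collections import defaultdict

# AVC / USER_AVC record: "avc: denied { perms } for ... scontext=X tcontext=Y tclass=Z"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# systemd debug line; the trailing integer is assumed to be the access check's
# return value (0 = allowed, negative errno = denied).
SYSTEMD_RE = re.compile(
    r"SELinux access check scon=(?P<scon>\S+) tcon=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\S+) perm=(?P<perm>\S+) .*: (?P<result>-?\d+)\s*$"
)

# Sample input: the lines quoted in the bug report.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1385565744.551:108): avc: denied { write } for pid=2565 comm="grubby" '
    'name="/" dev="tmpfs" ino=1185 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
    "type=USER_AVC msg=audit(1385565751.354:111): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=-1 uid=0 gid=0 "
    "scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 "
    "tclass=system exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]
SAMPLE_JOURNAL = [
    "Nov 27 15:51:37 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1",
    "Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=disable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl disable kdump.service: 0",
    "Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl disable kdump.service: 0",
    "Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl enable kdump.service: 0",
    "Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl enable kdump.service: 0",
]


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return parts[2]


def parse_avc_denials(lines):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a D-Bus request line)
        out.append((context_type(m["scon"]), context_type(m["tcon"]),
                    m["tclass"], frozenset(m["perms"].split())))
    return out


def parse_systemd_checks(lines):
    """Yield (source_type, target_type, tclass, perm, allowed) per access-check line."""
    out = []
    for line in lines:
        m = SYSTEMD_RE.search(line)
        if not m:
            continue
        out.append((context_type(m["scon"]), context_type(m["tcon"]),
                    m["tclass"], m["perm"], int(m["result"]) == 0))
    return out


def allow_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT)):
        print(rule)
    for stype, ttype, tclass, perm, ok in parse_systemd_checks(SAMPLE_JOURNAL):
        print("%s -> %s:%s %s %s" % (stype, ttype, tclass, perm, "allowed" if ok else "DENIED"))
```

Running it prints the two rules the denials call for (`kdumpgui_t` writing into a `var_run_t` directory and `kdumpgui_t` asking `init_t` for a `system:reload`), and shows that from the unconfined shell every `service:enable`/`disable` and `system:reload` check passed. The merge step matters in practice: a single operation often produces several denials against the same target over successive runs, and a rule per (source, target, class) keeps the policy readable instead of stacking one-permission rules.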
Created attachment 829786
[PATCH] systemd: Allow systemctl users to reload systemd state
Ping?

The enable/disable access vectors have been fixed in upstream systemd Git now. What about the additional two patches needed to make s-c-k work that are attached here; do those make sense?
(In reply to Lubomir Rintel from comment #2)
> Ping?
>
> The enable/disable access vectors have been fixed in upstream systemd Git
> now.

To which upstream?

> What about the additional two patches needed to make s-c-k work that are
> attached here; do those make sense?
(In reply to Miroslav Grepl from comment #3)
> (In reply to Lubomir Rintel from comment #2)
> > Ping?
> >
> > The enable/disable access vectors have been fixed in upstream systemd Git
> > now.
>
> To which upstream?

systemd. See the bug this one was cloned from.