User systemd unit files are forced to the systemd_unit_file_t type: policy/modules/system/systemd.fc 2:HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) But, attempting to edit them gives (this is as staff_t, but it's the same as user_t): type=AVC msg=audit(1534012749.473:23309811): avc: denied { write } for pid=1085 comm="vim" name="glekitufa.service" dev="vde" ino=141294043 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1534012749.473:23309812): avc: denied { write } for pid=1085 comm="vim" name="user" dev="vde" ino=141291633 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1534012749.473:23309812): avc: denied { add_name } for pid=1085 comm="vim" name="4913" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1534012749.473:23309812): avc: denied { create } for pid=1085 comm="vim" name="4913" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1534012749.474:23309813): avc: denied { setattr } for pid=1085 comm="vim" name="4913" dev="vde" ino=141291520 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1534012749.474:23309814): avc: denied { remove_name } for pid=1085 comm="vim" name="4913" dev="vde" ino=141291520 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1534012749.474:23309814): avc: denied { unlink } for pid=1085 comm="vim" name="4913" dev="vde" ino=141291520 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1534012749.475:23309815): avc: denied { rename } for pid=1085 comm="vim" name="glekitufa.service" dev="vde" ino=141294043 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1 Looking at the policy, the only relevant bits are: policy/modules/roles/unprivuser.te 109: systemd_read_unit_files(user_t) 110: systemd_exec_systemctl(user_t) policy/modules/roles/staff.te 264: systemd_read_unit_files(staff_t) 265: systemd_config_all_services(staff_t) 266: systemd_exec_systemctl(staff_t) 267: systemd_hwdb_mmap_config(staff_t) Not sure what the right solution is; I'll be curious to see what you come up with.
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.