Fixes:
-bash-4.3# echo 1 >/sys/fs/selinux/enforce
-bash-4.3# runcon -t systemd_test_start_t systemctl start hola
-bash-4.3# sesearch --allow -s systemd_test_reload_t -c service
Found 1 semantic av rules:
allow systemd_test_reload_t systemd_unit_file_t : service reload ;
-bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola
Failed to reload hola.service: Access denied
See system logs and 'systemctl status hola.service' for details.
-bash-4.3# journalctl -b | grep -i user_avc | grep reload
USER_AVC pid=1 uid=0 auid=
4294967295 ses=
4294967295 subj=system_u:system_r:init_t:s0
msg='
avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola"
scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:s0
tclass=service
See
https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation
assert(u);
assert(job_type >= 0 && job_type < _JOB_TYPE_MAX);
- r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error);
+ r = mac_selinux_unit_access_check(
+ u, message,
+ (job_type == JOB_START || job_type == JOB_RESTART || job_type == JOB_TRY_RESTART) ? "start" :
+ job_type == JOB_STOP ? "stop" : "reload", error);
if (r < 0)
return r;