On a host with unconfined disabled, running this as a
staff_u/staff_t user:
[sampre_mw@jukni ~]$ systemctl --user status
Failed to read server status: Access denied
worked until recently. I just upgraded to Fedora 27, but I *think*
this worked after the upgrade, so I don't know what's going on
there.
I get nothing whatever in auditd, which is weird. In syslog I get:
Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Further, this:
[sampre_mw@jukni ~]$ systemctl --user restart lojban_mediawiki_web
Failed to restart lojban_mediawiki_web.service: Access denied
See user logs and 'systemctl --user status lojban_mediawiki_web.service' for
details.
Gives this in syslog:
Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
I can't find anything in sesearch about self:system, and all I can
find in
https://github.com/TresysTechnology/refpolicy.git or
https://github.com/TresysTechnology/refpolicy-contrib.git is:
policy/modules/kernel/kernel.te
481: allow can_load_kernmodule self:system module_load;
policy/modules/system/init.te
225: allow init_t self:system { status reboot halt reload };
It strikes me as unlikely that F27 *actually* shipped with a setup
that makes systemctl user operations not work.
I don't have a comparable user to test with, really, but at first
glance my other F27 systems seem OK.
Any idea what I broke?
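Added example (editor's code, not part of the original post): the two denials above are emitted by the systemd user instance itself, which performs its own SELinux checks for the "system" and "service" object classes and, lacking audit write access, logs them to the journal instead of auditd. That is why audit2allow against audit.log finds nothing. The script below feeds the two syslog lines quoted in the post (embedded as a constructed sample) through a small parser that produces the equivalent allow rules, with "self" substituted where source and target type coincide, and then the sesearch queries that would show whether the loaded policy already grants each one. The function names avc_to_rules, rules_to_sesearch and the variable AVC_SAMPLE are this example's own; the sesearch options (-A, -s, -t, -c, -p) are those of setools.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Parse systemd-logged "avc: denied" lines and build allow rules plus
# the sesearch queries that check the loaded policy for them.

# Constructed sample: the two denials quoted in the post, one per line.
AVC_SAMPLE='Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0'

# avc_to_rules: read "avc: denied" lines on stdin and print one allow rule
# per line, writing "self" when source and target type are the same
# (the same convention audit2allow uses).  Lines missing a field are skipped.
avc_to_rules() {
  awk '
    /avc: denied \{/ {
      perm = ""; st = ""; tt = ""; cls = ""
      # permission set is the text between "denied { " and " }"
      if (match($0, /denied \{ [^}]* \}/))
        perm = substr($0, RSTART + 9, RLENGTH - 11)
      for (i = 1; i <= NF; i++) {
        # third colon-separated field of a context is the type
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (st == "" || tt == "" || cls == "" || perm == "") next
      if (st == tt) tt = "self"
      if (perm ~ / /) perm = "{ " perm " }"
      printf "allow %s %s:%s %s;\n", st, tt, cls, perm
    }'
}

# rules_to_sesearch: turn each allow rule into the sesearch query that lists
# matching rules in the loaded policy ("self" is expanded to the source type,
# since sesearch takes concrete types).
rules_to_sesearch() {
  awk '
    $1 == "allow" {
      st = $2
      split($3, tc, ":")
      tt = (tc[1] == "self") ? st : tc[1]
      perm = ""
      for (i = 4; i <= NF; i++)
        if ($i != "{" && $i != "}")
          perm = perm (perm == "" ? "" : ",") $i
      sub(/;$/, "", perm)
      printf "sesearch -A -s %s -t %s -c %s -p %s\n", st, tt, tc[2], perm
    }'
}

demo_rules()   { printf '%s\n' "$AVC_SAMPLE" | avc_to_rules; }
demo_queries() { demo_rules | rules_to_sesearch; }

demo_rules
demo_queries
```

On a live host the same pipeline works on the real journal, e.g. `journalctl --user -b | avc_to_rules | rules_to_sesearch | sh`; the first query is the one that answers the question the post raises about self:system for staff_t.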