authorLennart Poettering <lennart@poettering.net>2015-02-18 17:40:57 +0100
committerLennart Poettering <lennart@poettering.net>2015-02-18 18:56:27 +0100
commit1d22e9068c52c1cf935bcdff70b9b9654e3c939e (patch)
tree7dffbb33c9d509fcaef5a38864410c778f187ae4 /src/core/org.freedesktop.systemd1.policy.in.in
parent09c3a9b67d9e2e957bfb5c940e02ec433113549f (diff)
core: rework policykit hookup
- Always issue selinux access check as early as possible, and PK check as late as possible.
- Introduce a new policykit action for altering environment
- Open most remaining bus calls to unprivileged clients via PK
Diffstat (limited to 'src/core/org.freedesktop.systemd1.policy.in.in')
-rw-r--r--src/core/org.freedesktop.systemd1.policy.in.in14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/core/org.freedesktop.systemd1.policy.in.in b/src/core/org.freedesktop.systemd1.policy.in.in
index fd771b4b26..cc39a9e1c3 100644
--- a/src/core/org.freedesktop.systemd1.policy.in.in
+++ b/src/core/org.freedesktop.systemd1.policy.in.in
@@ -28,8 +28,8 @@
</action>
<action id="org.freedesktop.systemd1.manage-units">
- <_description>Manage system services or units</_description>
- <_message>Authentication is required to manage system services or units.</_message>
+ <_description>Manage system services or other units</_description>
+ <_message>Authentication is required to manage system services or other units.</_message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
@@ -47,6 +47,16 @@
</defaults>
</action>
+ <action id="org.freedesktop.systemd1.set-environment">
+ <_description>Set or unset system and service manager environment variables</_description>
+ <_message>Authentication is required to set or unset system and service manager environment variables.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
<action id="org.freedesktop.systemd1.reload-daemon">
<_description>Reload the systemd state</_description>
<_message>Authentication is required to reload the systemd state.</_message>
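Review bot: The new `org.freedesktop.systemd1.set-environment` action has no comment stating how privileged it is, and its `allow_active` default of `auth_admin_keep` deserves a second look. Variables set on the manager are presumably inherited by every unit started afterwards, so the action is close in power to managing units, and a kept authorization lets the same session repeat the call without a new prompt for the retention period. If that is meant to match the other actions in this file (their `allow_active` lines fall outside the hunk), say so with a comment such as `<!-- Manager environment is inherited by all units started later; defaults kept in line with manage-units. -->`; otherwise consider `<allow_active>auth_admin</allow_active>`. The enclosing policy document starts and ends outside the hunk.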