2ef6e14 Create systemd-user HBAC service and rule

Authored and Committed by cheimes 4 years ago
    Create systemd-user HBAC service and rule
    authselect changed pam_systemd session from optional to required. When
    the HBAC rule allow_all is disabled and replaced with more fine grained
    rules, loginsi now to fail, because systemd's user@.service is able to
    create a systemd session.
    Add systemd-user HBAC service and a HBAC rule that allows systemd-user
    to run on all hosts for all users by default. ipa-server-upgrade creates
    the service and rule, too. In case the service already exists, no
    attempt is made to create the rule. This allows admins to delete the
    rule permanently.
    See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
    Fixes: https://pagure.io/freeipa/issue/7831
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>