Bug 1094750

Summary: at_console in dbus policy makes policycoreutils hard to use on servers
Product: [Fedora] Fedora Reporter: Stef Walter <stefw>
Component: policycoreutilsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: policycoreutils-2.2.5-4.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-31 23:56:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1094121    

Description Stef Walter 2014-05-06 12:08:10 UTC 
Description of problem:

Use of at_console="true" in the DBus policy file makes policycoreutils hard to use on servers, where users are logged in via ssh, or via Cockpit, but not at a console.

at_console="true" is a real old relic, that was never really implemented. Modern services should be using polkit.

For example, NetworkManager moved away from it for the same reasons (want to be usable on servers): bug #979416

Version-Release number of selected component (if applicable):

policycoreutils-python-2.2.5-3.fc20.x86_64

system.d/org.selinux.conf:  <policy at_console="true">
Comment 1 Daniel Walsh 2014-05-06 17:05:08 UTC 
What do I replace it with. just allow any one to get the access?

  <policy context="default">
Comment 2 Stef Walter 2014-05-06 17:11:02 UTC 
Usually yes. Unless your service has a special need to differentiate console users from other users ... in which case you would put that into your polkit policy (see <allow_inactive> and <allow_active>).

It goes without saying that you should usually treat privileged callers (ie: root and admins) differently from unprivileged callers. But unless you're managing hardware or seat specific resources that has nothing to do with whether they're at a console or not.
Comment 3 Miroslav Grepl 2014-05-07 09:31:09 UTC 
Fixed in policycoreutils-2.2.5-4.fc20
Comment 4 Fedora Update System 2014-05-07 12:18:51 UTC 
policycoreutils-2.2.5-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/policycoreutils-2.2.5-4.fc20
Comment 5 Fedora Update System 2014-05-08 10:06:42 UTC 
Package policycoreutils-2.2.5-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.2.5-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6101/policycoreutils-2.2.5-4.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2014-05-31 23:56:20 UTC 
policycoreutils-2.2.5-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.