Bug 1288892

Summary: polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied
Product: [Fedora] Fedora
Component: polkit
Version: 23
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: woky <nechtom>
Assignee: Miloslav Trmač <mitr>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mitr, nechtom
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-12-09 17:42:34 UTC

Description woky 2015-12-06 22:23:53 UTC
Description of problem:

It seems that polkit fails to load rules from /etc/polkit-1/rules.d.

I've created the following file for libvirt permissions ("tn" is my username),

  polkit.addRule(function(action, subject) {
  	if (subject.user == "tn" &&
  		action.id == "org.libvirt.unix.manage")
  		return polkit.Result.YES;
  });

restarted polkit and I was still prompted for password by virt-manager. Meanwhile, this was logged by polkit:

  # systemctl status polkit -l
  ● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
     Active: active (running) since Ne 2015-12-06 23:08:32 CET; 4min 45s ago
  [...SNIP...]
  pro 06 23:08:32 kyou polkitd[27310]: Started polkitd version 0.113
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /etc/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Error opening rules directory: Error opening directory '/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /usr/share/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Finished loading, compiling and executing 2 rules
  [...SNIP...]

  # ls -ldZ /etc/polkit-1/rules.d
  drwx------. 1 root root system_u:object_r:etc_t:s0 144  6. pro 23.08 /etc/polkit-1/rules.d
  # ps -efZ|grep polkit
  system_u:system_r:policykit_t:s0 polkitd 27310     1  0 23:08 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug

There wasn't any SELinux AVC alert.

Note that afterwards I found that rules for libvirt are actually in /usr/share/polkit-1/rules.d/50-libvirt.rules so I'm just going to add myself into libvirt group. But this seems like a bug nevertheless.

Version-Release number of selected component (if applicable): polkit-0.113-4.fc23.x86_64

Comment 1 Miloslav Trmač 2015-12-09 13:35:43 UTC
Thanks for your report.

Can you reproduce it on a fresh install? The permissions are supposed to be
> drwx------. polkitd root system_u:object_r:etc_t:s0

so either the package is not being installed properly, or the ownership was changed by your editing process.

If the permissions are correct on a fresh install, but you can reproducibly change them by the tool you used to create the new file, that might be also a bug worth fixing, in that tool.

Comment 2 woky 2015-12-09 17:42:34 UTC
Hello. Sorry, this was probably my fault during migration of /etc from old installation. After `dnf reinstall polkit` the permissions appear to be as you wrote.

(I actually tried to reinstall it before but for some reason I didn't notice it's fine. I was probably looking at /etc/polkit-1.)
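
The ownership mismatch diagnosed in Comment 1 (directory owned by root with mode 0700, daemon running as polkitd) can be checked mechanically. The script below is an added example, not part of the original report or of polkit; it evaluates classic owner/group/other mode bits only (no SELinux, no ACLs), and the function names `dir_listable_by` and `check_rules_dir` are assumptions.

```shell
#!/bin/sh
# Added example: DAC-only check (mode bits; SELinux and ACLs are not evaluated)
# of whether an account can list a rules directory.

# dir_listable_by OWNER_UID OWNER_GID MODE UID [GID...]
# Returns 0 if UID (with its GIDs) has read+search on such a directory.
dir_listable_by() {
    o_uid=$1; o_gid=$2; m=$((0$3)); uid=$4
    shift 4
    [ "$uid" -eq 0 ] && return 0            # root bypasses mode bits
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(( (m >> 6) & 7 ))            # owner class
    else
        bits=$(( m & 7 ))                   # "other" class unless a group matches
        for g in "$@"; do
            [ "$g" -eq "$o_gid" ] && { bits=$(( (m >> 3) & 7 )); break; }
        done
    fi
    [ $(( bits & 5 )) -eq 5 ]               # r (4) to list, x (1) to open entries
}

# check_rules_dir DIR USER
# Stats DIR, resolves USER's uid/gids and reports the verdict.
check_rules_dir() {
    dir=$1; user=$2
    st=$(stat -c '%u %g %a %U:%G' "$dir") || return 2
    u=$(id -u "$user") || return 2
    gids=$(id -G "$user") || return 2
    set -- $st
    if dir_listable_by "$1" "$2" "$3" "$u" $gids; then
        echo "OK: $user can list $dir (owner $4, mode $3)"
    else
        echo "FAIL: $user cannot list $dir (owner $4, mode $3)"
        return 1
    fi
}

# Usage: sh check.sh /etc/polkit-1/rules.d polkitd
if [ $# -eq 2 ]; then
    check_rules_dir "$1" "$2"
fi
```

Run as root against the directory and the account shown in the `ps -efZ` output; a FAIL result corresponds to the "Permission denied" line polkitd logged at startup.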