Bug 517528
| Field | Value |
|---|---|
| Summary | Policy required for cups-pk-helper |
| Product | [Fedora] Fedora |
| Component | cups-pk-helper |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | Tim Waugh <twaugh> |
| Assignee | Marek Kašík <mkasik> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, jkubin, mclasen, mgrepl, mkasik |
| Keywords | Reopened |
| Doc Type | Bug Fix |
| Last Closed | 2009-08-24 10:30:29 UTC |
| Bug Blocks | 509829 |

Created attachment 357540 [details]
selinux-policy-cups-pk-helper.patch
I *think* this policy is required, in that I no longer get AVC messages -- but in my testing I get this in /var/log/messages:
Aug 15 14:24:33 worm kernel: cups-pk-helper-[9340]: segfault at 18 ip 000000322c4156a0 sp 00007fff8af444f8 error 4 in libpolkit-gobject-1.so.0.0.0[322c400000+1e000]
Possibly we should 'dontaudit' the getsched call instead of 'allow'ing it. I'll try that next.

No, that doesn't work. :-( Changing component back to cups-pk-helper until that's resolved.

Created attachment 357549 [details]
selinux-policy-cups-pk-helper.patch
I've tested this patch and it works.
OK, patch ready for selinux-policy inclusion. It would be really useful to have a package in koji as soon as possible so that it can be included in the Live CD for the printing fit-and-finish session on Tuesday. Thanks!

Grr, changing back to cups-pk-helper again. It only works when SELinux is in permissive mode.

Marek, this is the backtrace from cups-pk-helper-mechanism when running with selinux-policy patched as in comment #4. Can you take a look at it please?

#0 0x000000322c4156a0 in polkit_authorization_result_get_is_authorized () from /usr/lib64/libpolkit-gobject-1.so.0
#1 0x00000000004083f8 in _check_polkit_for_action_internal (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings", error=0x7fff4244b8e8) at cups-pk-helper-mechanism.c:281
#2 0x000000000040857e in _check_polkit_for_action_v (mechanism=0x13a3400, context=0x13c72a0, first_action_method=0x40b91a "server-settings") at cups-pk-helper-mechanism.c:325
#3 0x0000000000408691 in _check_polkit_for_action (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings") at cups-pk-helper-mechanism.c:357
#4 0x00000000004096d6 in cph_mechanism_server_get_settings (mechanism=0x13a3400, context=0x13c72a0) at cups-pk-helper-mechanism.c:952
#5 0x000000322600c76f in ?? () from /usr/lib64/libdbus-glib-1.so.2
#6 0x000000322600cc3c in ?? () from /usr/lib64/libdbus-glib-1.so.2
#7 0x000000322001cbee in ?? () from /lib64/libdbus-1.so.3
#8 0x0000003220010a1c in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#9 0x00000032260098e5 in ?? () from /usr/lib64/libdbus-glib-1.so.2
#10 0x000000321d4391be in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x000000321d43cba8 in ?? () from /lib64/libglib-2.0.so.0
#12 0x000000321d43cff5 in g_main_loop_run () from /lib64/libglib-2.0.so.0
#13 0x0000000000409e26 in main (argc=1, argv=0x7fff4244c298) at main.c:142

Also:

#1 0x00000000004083f8 in _check_polkit_for_action_internal (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings", error=0x7fff4244b8e8) at cups-pk-helper-mechanism.c:281
281 if (!polkit_authorization_result_get_is_authorized (pk_result)) {
(gdb) p pk_result
$2 = (PolkitAuthorizationResult *) 0x0

So the problems are:
1. For some reason polkit_authority_check_authorization_sync() is returning NULL
2. In addition, we aren't checking for that error

(To get this backtrace I just added a 'sleep(20);' at the beginning of main()...)

Note that you only get this segfault when running in enforcing mode.

I found this while digging into the polkit_authority_check_authorization_sync() call:
(gdb) step
_polkit_authority_check_authorization_finish (instance=0xdb8940,
_out_result=0x7fff4c0de2e8, res=0xdb4800, error=0x7fff4c0de2e0)
at _polkitauthority.c:774
774 {
(gdb) n
775 GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
(gdb)
779 g_return_val_if_fail (_POLKIT_IS_AUTHORITY (instance) && EGG_DBUS_IS_INTERFACE_PROXY (instance), FALSE);
(gdb)
781 g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == _polkit_authority_check_authorization);
(gdb)
786 if (g_simple_async_result_propagate_error (simple, error))
(gdb)
806 }
(gdb) p error
$7 = (GError **) 0x7fff4c0de2e0
(gdb) p *error
$8 = (GError *) 0xd88d70
(gdb) p **error
$9 = {domain = 139, code = 12,
message = 0xdc0010 "Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.DBus.Error.AccessDenied"...}
Hi Tim, I can not reproduce the problem, but I prepared a scratch build with a patch checking the result of polkit_authority_check_authorization_sync(). It's here http://koji.fedoraproject.org/koji/taskinfo?taskID=1609175. Could you try whether it solves the problem for you?
Thank you
Marek

With this package, and with SELinux policy modified like this:
-- serefpolicy-3.6.26/policy/modules/system/init.te.cups-pk-helper 2009-08-16 11:12:55.196914451 +0100
+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-16 11:13:28.905914087 +0100
@@ -439,6 +439,11 @@ userdom_read_user_home_content_files(ini
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
+optional_policy(`
+ # Allow interaction with cupsd
+ cups_stream_connect(initrc_t)
+ cups_tcp_connect(initrc_t)
+')
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
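Review bot: The optional_policy block added after userdom_use_user_terminals(initrc_t) grants cups_stream_connect and cups_tcp_connect to the whole initrc_t domain, so anything still running as initrc_t can talk to cupsd, not only cups-pk-helper-mechanism. The context comment directly above the insertion says daemons started from init should be placed in their own domain; a dedicated domain for the mechanism carrying these two rules would follow that, and failing that the block's comment should name cups-pk-helper as the reason for the rules. A blank line before optional_policy would also keep the block apart from the terminal rule above it.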
the mechanism no longer segfaults, but I still don't get a PolicyKit authorization dialog.
Here's 'strace -s1000 -p ...' output from the cups-pk-helper-mechanism process when trying to fetch server settings:
Process 8494 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 1
read(3, "l\4\1\1\35\0\0\0\16\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.118\0\0\6\0\0\0:1.118\0\0\0\0\0\0\0"..., 2048) = 189
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 15308) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\37\0\0\0\17\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0\0\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0"..., 2048) = 191
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 11707) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\4\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\22\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\4\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n <interface name=\"org.freedesktop.DBus.Introspectable\">\n <method name=\"Introspect\">\n <arg name=\"data\" direction=\"out\" type=\"s\"/>\n </method>\n </interface>\n <interface name=\"org.freedesktop.DBus.Properties\">\n <method name=\"Get\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"out\" type=\"v\"/>\n </method>\n <method name=\"Set\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"in\" type=\"v\"/>\n </method>\n <method name=\"GetAll\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n </method>\n </interface>\n <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 10212) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\5\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\v\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1) = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\f\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\v\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048) = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\23\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\5\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\37\0\0\0\20\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.121\0\0\0\0\0\0\0\0\0\0\6\0\0\0:1.121\0"..., 2048) = 191
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\7\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\24\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\7\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n <interface name=\"org.freedesktop.DBus.Introspectable\">\n <method name=\"Introspect\">\n <arg name=\"data\" direction=\"out\" type=\"s\"/>\n </method>\n </interface>\n <interface name=\"org.freedesktop.DBus.Properties\">\n <method name=\"Get\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"out\" type=\"v\"/>\n </method>\n <method name=\"Set\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"in\" type=\"v\"/>\n </method>\n <method name=\"GetAll\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n </method>\n </interface>\n <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\10\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\f\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1) = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\r\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\f\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048) = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\25\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\10\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\n\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\26\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\n\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n <interface name=\"org.freedesktop.DBus.Introspectable\">\n <method name=\"Introspect\">\n <arg name=\"data\" direction=\"out\" type=\"s\"/>\n </method>\n </interface>\n <interface name=\"org.freedesktop.DBus.Properties\">\n <method name=\"Get\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"out\" type=\"v\"/>\n </method>\n <method name=\"Set\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n <arg name=\"value\" direction=\"in\" type=\"v\"/>\n </method>\n <method name=\"GetAll\">\n <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n </method>\n </interface>\n <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 20908) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\v\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\r\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1) = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\16\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\r\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048) = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\27\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\v\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 29903) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\35\0\0\0\21\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0\0\6\0\0\0:1.120\0\0\0\0\0\0\0"..., 2048) = 189
read(3, 0x1ea93f0, 2048) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 29097^C <unfinished ...>
Process 8494 detached
One other thing of note: I don't see any of the cupspkhelper methods in the list at System->Preferences->Authorizations.
> One other thing of note: I don't see any of the cupspkhelper methods in the
> list at System->Preferences->Authorizations.
You don't see it there because polkit-gnome-authorization is from PolicyKit (old style) and not from polkit (new style).
Which versions of these packages do you have?
Marek
You can try 'pkaction' (polkit) to see cups-pk-helper's methods (vs. 'polkit-action' - PolicyKit).

OK, pkaction shows them. I have polkit-0.93-3.fc12.x86_64. Is cups-pk-helper working correctly for you in rawhide?

It worked for me, but now it doesn't. It shows me the old authentication dialog instead of polkit's one. If I run /usr/libexec/cups-pk-helper-mechanism manually as root then it works.
Marek

Fixed in selinux-policy-3.6.27-2.fc12.noarch

Re-opening for cups-pk-helper crash noted in comment #1.

Fixed in cups-pk-helper-0.0.4-6.fc12.

It still doesn't work.
Marek

Hi,
I tried this (in Permissive mode):
yum erase selinux-policy-targeted
mv /etc/selinux/targeted/modules /etc/selinux/targeted/modules.old
yum install selinux-policy-targeted
turn on Enforcing mode
mark system to relabel on reboot
reboot
and it shows polkit's dialog correctly.
tested with:
cups-pk-helper-0.0.4-7
system-config-printer-1.1.10-8
selinux-policy-3.6.26-8
selinux-policy-targeted-3.6.26-8
the rawhide is an update of F11 and runs in qemu
Tim, could you confirm whether this works for you?
Thanks
Marek
Bizarrely, this works. (I tried on a machine that was freshly installed from rawhide on the 12th of August...)

I tried system-config-printer in fresh install of F12-alpha-RC2 now and it works without any problem (in Enforcing mode).
Marek

OK, let's mark this as fixed then.

Description of problem:
Looks like cups-pk-helper-mechanism is running in the wrong SELinux context.

node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { write } for pid=2279 comm="cups-pk-helper-" name="cups.sock" dev=dm-1 ino=4139 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { connectto } for pid=2279 comm="cups-pk-helper-" path="/var/run/cups/cups.sock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=worm.elk type=SYSCALL msg=audit(1250256339.322:28150): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=8a6cd8 a2=1a a3=7fff707ef0b0 items=0 ppid=1 pid=2279 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
cups-pk-helper-0.0.4-5.fc12.x86_64
selinux-policy-3.6.26-11.fc12.noarch

How reproducible:
100%

Steps to Reproduce:
1. Use system-config-printer and try to change something.
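
The reading of the audit records in the description (a helper binary denied while running as initrc_t), as an added example that is not part of the original report: a Python triage script that pairs each AVC denial with the SYSCALL record of the same audit event to name the executable and its source domain. The function names and the `GENERIC_DOMAINS` set are assumptions made for this example; the sample records are taken from the description, with the node= prefix dropped and the SYSCALL record abridged.

```python
import re

# Audit records taken from the description above, one per line
# (node= prefix dropped, SYSCALL record abridged).
SAMPLE = """\
type=AVC msg=audit(1250256339.322:28150): avc: denied { write } for pid=2279 comm="cups-pk-helper-" name="cups.sock" dev=dm-1 ino=4139 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1250256339.322:28150): avc: denied { connectto } for pid=2279 comm="cups-pk-helper-" path="/var/run/cups/cups.sock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1250256339.322:28150): arch=c000003e syscall=42 success=yes exit=0 pid=2279 uid=0 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
"""

# Assumption for this example: a denial whose source is one of these catch-all
# domains means the program has no domain of its own yet.
GENERIC_DOMAINS = {"initrc_t"}

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Split text into audit records, even when several share one line."""
    heads = list(RECORD.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        records.append((head.group(1), head.group(2), body, fields))
    return records


def selinux_type(context):
    """Return the type part of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage(text):
    """List each denial with the executable from the SYSCALL record of its event."""
    records = parse_records(text)
    exe_by_event = {serial: f.get("exe") for kind, serial, _, f in records
                    if kind == "SYSCALL"}
    findings = []
    for kind, serial, body, f in records:
        denied = DENIED.search(body)
        if kind != "AVC" or not denied or "scontext" not in f:
            continue
        source = selinux_type(f["scontext"])
        findings.append({
            "exe": exe_by_event.get(serial),
            "source": source,
            "target": selinux_type(f.get("tcontext", "")),
            "tclass": f.get("tclass"),
            "perms": sorted(denied.group(1).split()),
            "needs_own_domain": source in GENERIC_DOMAINS,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Records are split on their `type=... msg=audit(...)` header rather than on newlines, so a log pasted as one run-on line parses the same way.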