Bug 1094150 - policycoreutils polkit policy is desktop centric, prevents server usage
Summary: policycoreutils polkit policy is desktop centric, prevents server usage
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1094121
TreeView+ depends on / blocked
Reported: 2014-05-05 07:45 UTC by Stef Walter
Modified: 2014-05-31 23:56 UTC (History)
2 users (show)

Fixed In Version: policycoreutils-2.2.5-4.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-05-31 23:56:15 UTC
Type: Bug

Attachments (Terms of Use)
Patch to fix org.selinux.policy (3.21 KB, patch)
2014-05-05 07:50 UTC, Stef Walter
no flags Details | Diff

Description Stef Walter 2014-05-05 07:45:09 UTC
Description of problem:

The shipped polkit policy is completely desktop-centric and expects that the admin user is logged in an active local session (ie: a seat in logind parlance, with a monitor and keyboard).

This prevents DBus API use when logged in via ssh (and using pkttyagent as your polkit agent) or via Cockpit.

The <allow_any> tag in polkit policy applies to non-local sessions. It should be set to something other than 'no' unless the action directly affects hardware of the login seat.

Version-Release number of selected component (if applicable):


Comment 1 Stef Walter 2014-05-05 07:50:16 UTC
Created attachment 892453 [details]
Patch to fix org.selinux.policy

Comment 2 Stef Walter 2014-05-05 07:50:57 UTC
No upstream patch, upstream git repo was hanging ... but I hope attaching the patch here helps.

Comment 3 Miroslav Grepl 2014-05-06 13:30:37 UTC

Do you use policycoreutils with this patch?

Comment 4 Stef Walter 2014-05-06 14:05:37 UTC
No (at least not yet). I've tried to find all the relevant instances where polkit policy would prevent server use for no good reason, and help provide patches. I haven't run with this patch.

Comment 5 Daniel Walsh 2014-05-06 20:05:01 UTC
I have added this fix in policycoreutils-2.3-1.fc21

Comment 6 Fedora Update System 2014-05-07 12:18:47 UTC
policycoreutils-2.2.5-4.fc20 has been submitted as an update for Fedora 20.

Comment 7 Fedora Update System 2014-05-08 10:06:39 UTC
Package policycoreutils-2.2.5-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.2.5-4.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-05-31 23:56:15 UTC
policycoreutils-2.2.5-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.