Bug 1094750 - at_console in dbus policy makes policycoreutils hard to use on servers
Summary: at_console in dbus policy makes policycoreutils hard to use on servers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1094121
TreeView+ depends on / blocked
 
Reported: 2014-05-06 12:08 UTC by Stef Walter
Modified: 2014-05-31 23:56 UTC (History)
2 users (show)

Fixed In Version: policycoreutils-2.2.5-4.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-31 23:56:20 UTC


Attachments (Terms of Use)

Description Stef Walter 2014-05-06 12:08:10 UTC
Description of problem:

Use of at_console="true" in the DBus policy file makes policycoreutils hard to use on servers, where users are logged in via ssh, or via Cockpit, but not at a console.

at_console="true" is a real old relic, that was never really implemented. Modern services should be using polkit.

For example, NetworkManager moved away from it for the same reasons (want to be usable on servers): bug #979416

Version-Release number of selected component (if applicable):

policycoreutils-python-2.2.5-3.fc20.x86_64

system.d/org.selinux.conf:  <policy at_console="true">

Comment 1 Daniel Walsh 2014-05-06 17:05:08 UTC
What do I replace it with. just allow any one to get the access?

  <policy context="default">

Comment 2 Stef Walter 2014-05-06 17:11:02 UTC
Usually yes. Unless your service has a special need to differentiate console users from other users ... in which case you would put that into your polkit policy (see <allow_inactive> and <allow_active>).

It goes without saying that you should usually treat privileged callers (ie: root and admins) differently from unprivileged callers. But unless you're managing hardware or seat specific resources that has nothing to do with whether they're at a console or not.

Comment 3 Miroslav Grepl 2014-05-07 09:31:09 UTC
Fixed in policycoreutils-2.2.5-4.fc20

Comment 4 Fedora Update System 2014-05-07 12:18:51 UTC
policycoreutils-2.2.5-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/policycoreutils-2.2.5-4.fc20

Comment 5 Fedora Update System 2014-05-08 10:06:42 UTC
Package policycoreutils-2.2.5-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.2.5-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6101/policycoreutils-2.2.5-4.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-05-31 23:56:20 UTC
policycoreutils-2.2.5-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.