Bug 1288892 - polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied
Product: Fedora
Classification: Fedora
Component: polkit
x86_64 Linux
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
Reported: 2015-12-06 17:23 EST by woky
Modified: 2015-12-09 12:42 EST
Last Closed: 2015-12-09 12:42:34 EST
Description woky 2015-12-06 17:23:53 EST
Description of problem:

It seems that polkit fails to load rules from /etc/polkit-1/rules.d.

I've created the following file for libvirt permissions ("tn" is my username),

  polkit.addRule(function(action, subject) {
      if (subject.user == "tn" &&
          action.id == "org.libvirt.unix.manage") {
          return polkit.Result.YES;
      }
  });

restarted polkit and I was still prompted for password by virt-manager. Meanwhile, this was logged by polkit:

  # systemctl status polkit -l
  ● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
     Active: active (running) since Ne 2015-12-06 23:08:32 CET; 4min 45s ago
  pro 06 23:08:32 kyou polkitd[27310]: Started polkitd version 0.113
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /etc/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Error opening rules directory: Error opening directory '/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /usr/share/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Finished loading, compiling and executing 2 rules

  # ls -ldZ /etc/polkit-1/rules.d
  drwx------. 1 root root system_u:object_r:etc_t:s0 144  6. pro 23.08 /etc/polkit-1/rules.d
  # ps -efZ|grep polkit
  system_u:system_r:policykit_t:s0 polkitd 27310     1  0 23:08 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug

There wasn't any SELinux AVC alert.

Note that afterwards I found that rules for libvirt are actually in /usr/share/polkit-1/rules.d/50-libvirt.rules so I'm just going to add myself into libvirt group. But this seems like a bug nevertheless.

Version-Release number of selected component (if applicable): polkit-0.113-4.fc23.x86_64
Comment 1 Miloslav Trmač 2015-12-09 08:35:43 EST
Thanks for your report.

Can you reproduce it on a fresh install? The permissions are supposed to be
> drwx------. polkitd root system_u:object_r:etc_t:s0

so either the package is not being installed properly, or the ownership was changed by your editing process.

If the permissions are correct on a fresh install, but you can reproducibly change them by the tool you used to create the new file, that might be also a bug worth fixing, in that tool.
Comment 2 woky 2015-12-09 12:42:34 EST
Hello. Sorry, this was probably my fault during migration of /etc from old installation. After `dnf reinstall polkit` the permissions appear to be as you wrote.

(I actually tried to reinstall it before but for some reason I didn't notice it's fine. I was probably looking at /etc/polkit-1.)
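
The ownership check from Comment 1, written out as an added example that is not part of the bug report or of polkit: it reports whether a service account can open a rules directory and whether owner and mode match the packaged values quoted above. The function names and exit codes are assumptions of this example; only classic mode bits are evaluated (no ACLs, no SELinux), and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not polkit code). Exit codes are this script's own convention:
#   0 = OK, 1 = service user cannot open the directory,
#   2 = directory missing, 3 = readable but differs from the expected owner/mode.

# Succeeds if USER has both r and x on DIR according to the mode bits.
# (root is not special-cased; polkitd runs as an unprivileged user.)
can_list_dir() {
    dir=$1 user=$2
    info3=$(stat -c '%U %G %a' "$dir" 2>/dev/null) || return 2
    set -- $info3
    owner=$1 group=$2 mode=$3
    if [ "$owner" = "$user" ]; then
        bits=$(( (0$mode >> 6) & 7 ))        # owner triplet
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group"; then
        bits=$(( (0$mode >> 3) & 7 ))        # group triplet
    else
        bits=$(( 0$mode & 7 ))               # other triplet
    fi
    [ $(( bits & 5 )) -eq 5 ]                # need read (4) + search (1)
}

# check_rules_dir DIR USER [EXPECTED_MODE]
# Comment 1 gives owner polkitd and drwx------ (700) as the packaged state.
check_rules_dir() {
    dir=$1 user=$2 want_mode=${3:-700}
    info=$(stat -c '%U %a' "$dir" 2>/dev/null) || { echo "MISSING $dir"; return 2; }
    if ! can_list_dir "$dir" "$user"; then
        echo "UNREADABLE $dir is '$info', so $user cannot open it"
        return 1
    fi
    if [ "$info" != "$user $want_mode" ]; then
        echo "DRIFT $dir is '$info', expected '$user $want_mode'"
        return 3
    fi
    echo "OK $dir is '$info'"
}

# Run only when arguments are given, e.g.:
#   sh check.sh /etc/polkit-1/rules.d polkitd
if [ $# -gt 0 ]; then
    check_rules_dir "$@"
fi
```

Against the directory listing in the description (`root root`, mode 700) this reports UNREADABLE for `polkitd`, which matches the "Permission denied" line polkitd logged without any AVC denial.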
