Bug 1288892 – polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied

Bug 1288892 - polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied

Summary:	polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	polkit (Show other bugs)
Sub Component:
Version:	23
Hardware:	x86_64 Linux

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Miloslav Trmač
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-12-06 17:23 EST by woky
Modified:	2015-12-09 12:42 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-12-09 12:42:34 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description woky 2015-12-06 17:23:53 EST

Description of problem:

It seems that polkit fails to load rules from /etc/polkit-1/rules.d.

I've created the following file for libvirt permissions ("tn" is my username),

  polkit.addRule(function(action, subject) {
  	if (subject.user == "tn" &&
  		action.id == "org.libvirt.unix.manage")
  		return polkit.Result.YES;
  });

restarted polkit and I was still prompted for password by virt-manager. Meanwhile, this was logged by polkit:

  # systemctl status polkit -l
  ● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
     Active: active (running) since Ne 2015-12-06 23:08:32 CET; 4min 45s ago
  [...SNIP...]
  pro 06 23:08:32 kyou polkitd[27310]: Started polkitd version 0.113
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /etc/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Error opening rules directory: Error opening directory '/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /usr/share/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Finished loading, compiling and executing 2 rules
  [...SNIP...]

  # ls -ldZ /etc/polkit-1/rules.d
  drwx------. 1 root root system_u:object_r:etc_t:s0 144  6. pro 23.08 /etc/polkit-1/rules.d
  # ps -efZ|grep polkit
  system_u:system_r:policykit_t:s0 polkitd 27310     1  0 23:08 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug

There wasn't any SELinux AVC alert.

Note that afterwards I found that rules for libvirt are actually in /usr/share/polkit-1/rules.d/50-libvirt.rules so I'm just going to add myself into libvirt group. But this seems like a bug nevertheless.

Version-Release number of selected component (if applicable): polkit-0.113-4.fc23.x86_64

Comment 1 Miloslav Trmač 2015-12-09 08:35:43 EST

Thanks for your report.

Can you reproduce it on a fresh install? The permissions are supposed to be
> drwx------. polkitd root system_u:object_r:etc_t:s0

so either the package is not being installed properly, or the ownership was changed by your editing process.

If the permissions are correct on a fresh install, but you can reproducibly change them by the the tool you used to create the new file, that might be also a bug worth fixing, in that tool.

Comment 2 woky 2015-12-09 12:42:34 EST

Hello. Sorry, this was probably my fault during migration of /etc from old installation. After `dnf reinstall polkit` the permissions appear to be as you wrote.

(I actually tried to reinstall it before but for some reason I didn't notice it's fine. I was probably looking at /etc/polkit-1.)

Note You need to log in before you can comment on or make changes to this bug.