Bug 1288892 - polkit: Error opening directory '/etc/polkit-1/rules.d': Permission denied
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: polkit
Version: 23
Hardware: x86_64
OS: Linux
Assignee: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-06 22:23 UTC by woky
Modified: 2015-12-09 17:42 UTC (History)
Last Closed: 2015-12-09 17:42:34 UTC
Type: Bug
Description woky 2015-12-06 22:23:53 UTC
Description of problem:

It seems that polkit fails to load rules from /etc/polkit-1/rules.d.

I've created the following file for libvirt permissions ("tn" is my username),

  polkit.addRule(function(action, subject) {
  	if (subject.user == "tn" &&
  		action.id == "org.libvirt.unix.manage")
  		return polkit.Result.YES;
  });

restarted polkit and I was still prompted for password by virt-manager. Meanwhile, this was logged by polkit:

  # systemctl status polkit -l
  ● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
     Active: active (running) since Ne 2015-12-06 23:08:32 CET; 4min 45s ago
  [...SNIP...]
  pro 06 23:08:32 kyou polkitd[27310]: Started polkitd version 0.113
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /etc/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Error opening rules directory: Error opening directory '/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
  pro 06 23:08:32 kyou polkitd[27310]: Loading rules from directory /usr/share/polkit-1/rules.d
  pro 06 23:08:32 kyou polkitd[27310]: Finished loading, compiling and executing 2 rules
  [...SNIP...]

  # ls -ldZ /etc/polkit-1/rules.d
  drwx------. 1 root root system_u:object_r:etc_t:s0 144  6. pro 23.08 /etc/polkit-1/rules.d
  # ps -efZ|grep polkit
  system_u:system_r:policykit_t:s0 polkitd 27310     1  0 23:08 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug

There wasn't any SELinux AVC alert.

Note that afterwards I found that rules for libvirt are actually in /usr/share/polkit-1/rules.d/50-libvirt.rules so I'm just going to add myself into libvirt group. But this seems like a bug nevertheless.

Version-Release number of selected component (if applicable): polkit-0.113-4.fc23.x86_64

Comment 1 Miloslav Trmač 2015-12-09 13:35:43 UTC
Thanks for your report.

Can you reproduce it on a fresh install? The permissions are supposed to be
> drwx------. polkitd root system_u:object_r:etc_t:s0

so either the package is not being installed properly, or the ownership was changed by your editing process.

If the permissions are correct on a fresh install, but you can reproducibly change them by the tool you used to create the new file, that might be also a bug worth fixing, in that tool.

Comment 2 woky 2015-12-09 17:42:34 UTC
Hello. Sorry, this was probably my fault during migration of /etc from old installation. After `dnf reinstall polkit` the permissions appear to be as you wrote.

(I actually tried to reinstall it before but for some reason I didn't notice it's fine. I was probably looking at /etc/polkit-1.)
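
A check for the condition diagnosed in this thread (a rules directory that the polkitd account cannot list), added here as an example and not part of the bug report or of polkit. The function name `can_list_dir` is hypothetical; the script assumes GNU stat and looks only at owner/group/other mode bits, not ACLs or SELinux.

```shell
#!/bin/sh
# Added example (not from the bug report): does a daemon account have r+x on a
# polkit rules directory? Classic mode bits only; ACLs and SELinux are ignored.
# Assumes GNU stat (coreutils), as shipped on Fedora.

# can_list_dir DIR USER: return 0 = can list, 1 = cannot, 2 = DIR missing
can_list_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 2
    info=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $info
    owner=$1; group=$2
    mode=$((0$3))                      # %a is octal, e.g. 700

    # root bypasses directory permission bits
    if [ "$user" = root ]; then return 0; fi

    # Only one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        case " $(id -Gn "$user" 2>/dev/null) " in
            *" $group "*) bits=$(( (mode >> 3) & 7 )) ;;
            *)            bits=$(( mode & 7 )) ;;
        esac
    fi
    # Listing a directory needs read (4) and search (1).
    if [ $(( bits & 5 )) -eq 5 ]; then return 0; else return 1; fi
}

# Directories from the polkitd log above; "polkitd" is the account in the ps output.
for d in /etc/polkit-1/rules.d /usr/share/polkit-1/rules.d; do
    rc=0
    can_list_dir "$d" polkitd || rc=$?
    case $rc in
        0) echo "ok: polkitd can list $d" ;;
        1) echo "FAIL: polkitd cannot list $d: $(stat -c '%U:%G %a' "$d")" ;;
        *) echo "skip: $d not present" ;;
    esac
done
```

With the ownership shown in the description (`root root`, mode 700) the first directory reports FAIL; with the packaged ownership from Comment 1 (`polkitd root`, mode 700) it reports ok.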
