Red Hat Bugzilla – Bug 1362542
warn nicely about insufficient permissions when changing logging level
Last modified: 2016-11-03 15:27:45 EDT
Description of problem:

vbenes@trautenberg:~$ nmcli general logging level TRACE domains all
Error: failed to set logging: Rejected send message, 4 matched rules; type="method_call", sender=":1.205" (uid=1000 pid=23534 comm="nmcli general logging level TRACE domains all ") interface="org.freedesktop.NetworkManager" member="SetLogging" error name="(unset)" requested_reply="0" destination=":1.118" (uid=0 pid=19337 comm="/usr/sbin/NetworkManager --no-daemon ")

Version-Release number of selected component (if applicable):
NetworkManager-1.4.0-0.3.git20160727.9446481f.el7.x86_64
Created attachment 1187415 [details] [PATCH 1/2] core: add nm_bus_manager_ensure_root() helper
Created attachment 1187416 [details] [PATCH 2/2] core: drop some rules from dbus policy file
For the second patch, the reason Sleep() didn't have these checks originally is for pm-tools. These were scripts that used to trigger sleep/wake before systemd and upower, and I think we still technically support them. They used to call dbus-send without --wait-reply, which means the dbus-send process didn't exist at the time NM asks dbus-daemon for the name-owner to ensure root, which caused the sleep calls to fail. So we either decide to no longer support pm-utils and manual sleep/wake calls without --wait-reply, or we keep the root-only rule in the dbus permissions file. Otherwise LGTM.
Created attachment 1188568 [details] [PATCH 2/2] core: drop some rules from dbus policy file

(In reply to Dan Williams from comment #3)
> So we either decide to no longer support pm-utils and manual sleep/wake
> calls without --wait-reply, or we keep the root-only rule in the dbus
> permissions file.

I've updated the second patch to leave the existing checks for the Sleep() call, so that we don't break pm-utils.
Created attachment 1192098 [details] [PATCH v2 1/2] core: drop root requirement for load_connection(s)/set_logging D-Bus calls
Created attachment 1192099 [details] [PATCH v2 2/2] cli: return sane error message for D-Bus policy permission errors

After discussion with Thomas, I have removed the checks in the daemon and restored them in the D-Bus configuration; nmcli now translates the D-Bus denial error into something more user-friendly.
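A sketch of the kind of translation described in the comment above, as an added example that is not the nmcli patch or any NetworkManager code: it picks the caller uid, interface and member out of the dbus-daemon denial text quoted in the bug description and produces a one-line message. The function names `quoted_field`, `sender_uid` and `friendly_denial` and the output wording are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the denial text quoted in the bug description. */
static const char SAMPLE[] =
    "Rejected send message, 4 matched rules; type=\"method_call\", sender=\":1.205\" "
    "(uid=1000 pid=23534 comm=\"nmcli general logging level TRACE domains all \") "
    "interface=\"org.freedesktop.NetworkManager\" member=\"SetLogging\" error name=\"(unset)\" "
    "requested_reply=\"0\" destination=\":1.118\" (uid=0 pid=19337 comm=\"/usr/sbin/NetworkManager --no-daemon \")";

/* Copy the value that follows pat (e.g. ` member="`) up to the closing quote
 * into out. Returns 0, or -1 if pat is absent or the value does not fit. */
static int quoted_field(const char *msg, const char *pat, char *out, size_t n)
{
    const char *p = strstr(msg, pat), *end;
    if (!p || !(end = strchr(p += strlen(pat), '"')) || (size_t)(end - p) >= n)
        return -1;
    snprintf(out, n, "%.*s", (int)(end - p), p);
    return 0;
}

/* Caller uid: the "(uid=N" directly after the sender's quoted bus name.
 * Anchoring on sender= keeps the destination's uid=0 from being picked up. */
static long sender_uid(const char *msg)
{
    const char *s = strstr(msg, " sender=\"");
    long uid = -1;
    return s && sscanf(s, " sender=\"%*[^\"]\" (uid=%ld", &uid) == 1 ? uid : -1;
}

/* Returns 1 and fills out if msg is a bus-policy denial, otherwise 0. */
static int friendly_denial(const char *msg, char *out, size_t n)
{
    char iface[128], member[64];
    if (strncmp(msg, "Rejected send message", 21) != 0 ||
        quoted_field(msg, " interface=\"", iface, sizeof iface) != 0 ||
        quoted_field(msg, " member=\"", member, sizeof member) != 0)
        return 0;
    snprintf(out, n, "denied by D-Bus policy: uid %ld may not call %s.%s",
             sender_uid(msg), iface, member);
    return 1;
}

int main(void)
{
    char buf[256];
    puts(friendly_denial(SAMPLE, buf, sizeof buf) ? buf : "not a policy denial");
    return 0;
}
```

Matching on the message text is only suitable for reading logs or captured output; a D-Bus client that has the error object in hand can test the error name instead of parsing the string.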
lgtm (both from v2)
Both applied to nm-1-4 (and master):
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-4&id=a77ed0de9729ebcc9cb96d5bd1f4bd4da9d4e0d5
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-4&id=e9f96024ae0abc8530ed8bd63ee7e3a7e615f587
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-2581.html