Hide Forgot
Description of problem: Part of the issues reported in bug 1347334 should be fixed in 7.3.0, namely 1) oscapd run as non-root results in traceback: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.8834" is not allowed to own the service "org.OpenSCAP.daemon" due to security policies in the configuration file ==== 2) oscapd-cli run as non-root results in traceback: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.8853" (uid=25678 pid=32753 comm="/usr/bin/python /usr/bin/oscapd-cli status ") interface="org.OpenSCAP.daemon.Interface" member="GetVersion" error name="(unset)" requested_reply="0" destination=":1.8852" (uid=0 pid=32610 comm="/usr/bin/python /usr/bin/oscapd ") Version-Release number of selected component (if applicable): openscap-daemon-0.1.5-1.el7.noarch
This should all be fixed as part of https://bugzilla.redhat.com/show_bug.cgi?id=1367125
Issue 1) is not fixed: ========= OLD [0 root@qeos-177 ~]# su - testuser [0 testuser@qeos-177 ~]$ oscapd INFO:OpenSCAP Daemon 0.1.5 Traceback (most recent call last): File "/bin/oscapd", line 76, in <module> main() File "/bin/oscapd", line 64, in main name = dbus.service.BusName(dbus_utils.BUS_NAME, bus) File "/usr/lib64/python2.7/site-packages/dbus/service.py", line 131, in __new__ retval = bus.request_name(name, name_flags) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 303, in request_name 'su', (name, flags)) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.28" is not allowed to own the service "org.OpenSCAP.daemon" due to security policies in the configuration file ========= NEW [0 root@qeos-159 ~]# su - testuser [0 testuser@qeos-159 ~]$ oscapd INFO:OpenSCAP Daemon 0.1.6 Traceback (most recent call last): File "/bin/oscapd", line 76, in <module> main() File "/bin/oscapd", line 64, in main name = dbus.service.BusName(dbus_utils.BUS_NAME, bus) File "/usr/lib64/python2.7/site-packages/dbus/service.py", line 131, in __new__ retval = bus.request_name(name, name_flags) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 303, in request_name 'su', (name, flags)) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.34" is not allowed to own the service "org.OpenSCAP.daemon" due to security policies in the configuration file
Issue 2) is fixed ========= OLD [0 testuser@qeos-177 ~]$ oscapd-cli status ERROR:dbus.proxies:Introspect error on :1.30:/OpenSCAP/daemon: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.32" (uid=1000 pid=1377 comm="/usr/bin/python /bin/oscapd-cli status ") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination=":1.30" (uid=0 pid=1348 comm="/usr/bin/python /usr/bin/oscapd ") Traceback (most recent call last): File "/bin/oscapd-cli", line 787, in <module> main() File "/bin/oscapd-cli", line 752, in main dbus_iface.GetVersion() File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__ return self._proxy_method(*args, **keywords) File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__ **keywords) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.32" (uid=1000 pid=1377 comm="/usr/bin/python /bin/oscapd-cli status ") interface="org.OpenSCAP.daemon.Interface" member="GetVersion" error name="(unset)" requested_reply="0" destination=":1.30" (uid=0 pid=1348 comm="/usr/bin/python /usr/bin/oscapd ") ========= NEW [0 testuser@qeos-159 ~]$ oscapd-cli status ERROR:dbus.proxies:Introspect error on :1.36:/OpenSCAP/daemon: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.38" (uid=1000 pid=1523 comm="/usr/bin/python /bin/oscapd-cli status ") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination=":1.36" (uid=0 pid=1494 comm="/usr/bin/python /usr/bin/oscapd ") Error: Access denied on the DBus interface. Do you have required permissions?
Issue 1) fixed upstream in https://github.com/OpenSCAP/openscap-daemon/commit/3adfa9fae427667b4d760bebeb75e54edd922346
Fixed In Version: openscap-daemon-0.1.9-1
Issue 2 is fixed but Issue 1 is still ocuring in openscap-daemon-0.1.9-1.el7.noarch (there should be no tracebacks): # su - testuser $ $ oscapd-cli status ERROR:dbus.proxies:Introspect error on :1.26:/OpenSCAP/daemon: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.32" (uid=1000 pid=9837 comm="/usr/bin/python /bin/oscapd-cli status ") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination=":1.26" (uid=0 pid=9805 comm="/usr/bin/python /usr/bin/oscapd ") Error: Access denied on the DBus interface. Do you have the necessary permissions? $ $ oscapd INFO:OpenSCAP Daemon 0.1.9 Error: DBus denied access to own 'org.OpenSCAP.daemon'. Do you have the necessary permissions? Traceback (most recent call last): File "/bin/oscapd", line 86, in <module> main() File "/bin/oscapd", line 65, in main name = dbus.service.BusName(dbus_utils.BUS_NAME, bus) File "/usr/lib64/python2.7/site-packages/dbus/service.py", line 131, in __new__ retval = bus.request_name(name, name_flags) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 303, in request_name 'su', (name, flags)) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.33" is not allowed to own the service "org.OpenSCAP.daemon" due to security policies in the configuration file
We have agreed that the part 1 of the issue is actually fixed. There is a human-readable message and the displayed traceback enables user to find help more easily. The part 2 has been widely agree as fixed, so I am moving the issue status to POST.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1093