Bug 475203 - system-config-service: incorrect default DBUS configuration
Summary: system-config-service: incorrect default DBUS configuration
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-services (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
: 475162 475939 476425 (view as bug list)
Depends On: 475200
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-08 14:41 UTC by Tomas Hoger
Modified: 2008-12-18 22:26 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-13 14:58:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Tomas Hoger 2008-12-08 14:41:11 UTC
Recent fix of the DBUS default policy for system bus:
  https://bugs.freedesktop.org/show_bug.cgi?id=18229
  https://bugzilla.redhat.com/show_bug.cgi?id=469151

seems to uncover a bug in the system-config-services default DBUS policy.  The policy allows anyone to send messages to the org.fedoraproject.Config.Services interface.  However, few more interfaces are implemented and required by s-c-services: .ServiceHerder, .Service, .SysVService, .ChkconfigService.

If messages using those interfaces are supposed to be accepted, they need to be allowed by the policy.  Alternatively, if all interfaces implemented by the s-c-services are expected to get dbus messages from anyone (and rely on PolicyKit to do the real authorization), you can use following intead:

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="org.fedoraproject.Config.Services"/>
  </policy>

  <!-- Allow anyone to invoke all methods -->
  <policy context="default">
    <allow send_destination="org.fedoraproject.Config.Services"/>
  </policy>

As mentioned in e.g.:
  https://bugzilla.redhat.com/show_bug.cgi?id=475111#c1
this problem prevent s-c-services from starting on systems with updated dbus.

Comment 1 Tomas Hoger 2008-12-08 14:42:22 UTC
Besides this problem, there's also an issue with PolicyKit policy that breaks s-c-services, see bug #475200.

Comment 2 Fedora Update System 2008-12-09 14:43:27 UTC
system-config-services-0.99.28-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/system-config-services-0.99.28-2.fc10

Comment 3 Janos Laube 2008-12-09 15:01:42 UTC
doesn't fix the issue quite yet :-(, now i get:

Traceback (most recent call last):
  File "/usr/bin/system-config-services", line 945, in <module>
    GUI (use_dbus = use_dbus).run ()
  File "/usr/bin/system-config-services", line 900, in __init__
    self.serviceherders.append (cls (bus = self._bus))
  File "/usr/lib/python2.5/site-packages/scservices/dbus/proxy/serviceherders.py", line 53, in __init__
    for service_name in self.list_services ():
  File "/usr/lib/python2.5/site-packages/slip/dbus/polkit.py", line 48, in enable_proxy_wrapper
    return func (*p, **k)
  File "/usr/lib/python2.5/site-packages/scservices/dbus/proxy/serviceherders.py", line 66, in list_services
    return self.dbus_object.list_services (dbus_interface = "org.fedoraproject.Config.Services.ServiceHerder")
  File "/usr/lib/python2.5/site-packages/dbus/proxies.py", line 68, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.5/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
  File "/usr/lib/python2.5/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.PolicyKit" member "IsSystemBusNameAuthorized" error name "(unset)" destination ":1.39")

Comment 4 Tomas Hoger 2008-12-09 15:45:42 UTC
(In reply to comment #3)
> doesn't fix the issue quite yet :-(, now i get:

You need this as well:
  https://bugzilla.redhat.com/show_bug.cgi?id=475200#c7

Comment 5 Janos Laube 2008-12-09 15:54:27 UTC
ah thanks, system-config-services works with those packages :-)

Comment 6 Janos Laube 2008-12-09 16:11:59 UTC
wait, actually it does not. starting system-config-services results in a window showing no services at all in the list and "no services selected" in the right panel. leaving the first instance opened and starting a new one gives me the services list as expected.

Comment 7 Fedora Update System 2008-12-10 04:37:29 UTC
system-config-services-0.99.28-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-services'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11098

Comment 8 Nils Philippsen 2008-12-10 13:47:13 UTC
Bah, the mechanism also needs permissions to send signals:

<allow send_type="signal" send_interface="org.fedoraproject.Config.Services.ServiceHerder" send_member="notify"/>

Comment 9 Janos Laube 2008-12-10 13:53:49 UTC
that line in /etc/dbus-1/system.conf (if it's supposed to be placed in there) fixed it :-)

Comment 10 Nils Philippsen 2008-12-10 14:18:04 UTC
(In reply to comment #9)
> that line in /etc/dbus-1/system.conf (if it's supposed to be placed in there)
> fixed it :-)

I'd rather put it in /etc/dbus-1/system.d/org.fedoraproject.Config.Services.conf or wait for system-config-services-0.99.28-3.fc10 to be pushed.

Comment 11 Janos Laube 2008-12-10 14:33:10 UTC
true, that can save much hassle. thanks for the advice :-)

Comment 12 Fedora Update System 2008-12-11 08:00:05 UTC
system-config-services-0.99.28-3.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-services'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11098

Comment 13 Nils Philippsen 2008-12-11 13:39:33 UTC
*** Bug 475939 has been marked as a duplicate of this bug. ***

Comment 14 Nils Philippsen 2008-12-11 14:56:16 UTC
*** Bug 475162 has been marked as a duplicate of this bug. ***

Comment 15 Fedora Update System 2008-12-13 14:58:06 UTC
system-config-services-0.99.28-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Nils Philippsen 2008-12-15 14:07:23 UTC
*** Bug 476425 has been marked as a duplicate of this bug. ***

Comment 17 Jahrome 2008-12-18 16:13:58 UTC
Could not launch system-config-services until updating PolicyKit using the test repository:

su -c 'yum --enablerepo=updates-testing update PolicyKit'

Fortunately, it is now fixed.


Note You need to log in before you can comment on or make changes to this bug.