Description of problem:
Looks like cups-pk-helper-mechanism is running in the wrong SELinux context.

node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { write } for pid=2279 comm="cups-pk-helper-" name="cups.sock" dev=dm-1 ino=4139 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { connectto } for pid=2279 comm="cups-pk-helper-" path="/var/run/cups/cups.sock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=worm.elk type=SYSCALL msg=audit(1250256339.322:28150): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=8a6cd8 a2=1a a3=7fff707ef0b0 items=0 ppid=1 pid=2279 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
cups-pk-helper-0.0.4-5.fc12.x86_64
selinux-policy-3.6.26-11.fc12.noarch

How reproducible:
100%

Steps to Reproduce:
1. Use system-config-printer and try to change something.
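A way to triage denials like the ones in this report, as an added example that is not part of the original bug thread: it pairs each AVC record with the SYSCALL record of the same audit event and lists executables that were denied while still running in initrc_t. The record text is copied from the report with the SYSCALL line trimmed; the function names and the GENERIC_DOMAINS set are assumptions of this example.

```python
import re
from collections import defaultdict

# Records copied from the report above; the SYSCALL line is trimmed to the fields used here.
SAMPLE = """\
node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { write } for pid=2279 comm="cups-pk-helper-" name="cups.sock" dev=dm-1 ino=4139 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { connectto } for pid=2279 comm="cups-pk-helper-" path="/var/run/cups/cups.sock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=worm.elk type=SYSCALL msg=audit(1250256339.322:28150): arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=2279 uid=0 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: a daemon seen in initrc_t was started from an
# init script without a transition into a domain of its own.
GENERIC_DOMAINS = {"initrc_t"}


def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_events(text):
    """Group audit records by event id (timestamp, serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        event = events.setdefault((ts, serial), {"avc": [], "syscall": {}})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            if perms is None:
                continue  # not a denial record
            fields["perms"] = tuple(perms.group(1).split())
            event["avc"].append(fields)
        elif rtype == "SYSCALL":
            event["syscall"] = fields
    return events


def mislabeled_sources(text):
    """Map (exe, source domain) to the denied (target type, class, perms)."""
    findings = defaultdict(set)
    for event in parse_events(text).values():
        # exe comes from the SYSCALL record; AVC records only carry comm.
        exe = event["syscall"].get("exe", "unknown")
        for avc in event["avc"]:
            source = se_type(avc["scontext"])
            if source in GENERIC_DOMAINS:
                target = se_type(avc["tcontext"])
                findings[(exe, source)].add((target, avc["tclass"], avc["perms"]))
    return {key: sorted(value) for key, value in findings.items()}


if __name__ == "__main__":
    for (exe, domain), denials in mislabeled_sources(SAMPLE).items():
        print(exe, "runs in", domain, "and was denied:", denials)
```
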
Created attachment 357540
selinux-policy-cups-pk-helper.patch

I *think* this policy is required, in that I no longer get AVC messages -- but in my testing I get this in /var/log/messages:

Aug 15 14:24:33 worm kernel: cups-pk-helper-[9340]: segfault at 18 ip 000000322c4156a0 sp 00007fff8af444f8 error 4 in libpolkit-gobject-1.so.0.0.0[322c400000+1e000]
Possibly we should 'dontaudit' the getsched call instead of 'allow'ing it. I'll try that next.
No, that doesn't work. :-( Changing component back to cups-pk-helper until that's resolved.
Created attachment 357549
selinux-policy-cups-pk-helper.patch

I've tested this patch and it works.
OK, patch ready for selinux-policy inclusion. It would be really useful to have a package in koji as soon as possible so that it can be included in the Live CD for the printing fit-and-finish session on Tuesday. Thanks!
Grr, changing back to cups-pk-helper again. It only works when SELinux is in permissive mode.

Marek, this is the backtrace from cups-pk-helper-mechanism when running with selinux-policy patched as in comment #4. Can you take a look at it please?

#0  0x000000322c4156a0 in polkit_authorization_result_get_is_authorized () from /usr/lib64/libpolkit-gobject-1.so.0
#1  0x00000000004083f8 in _check_polkit_for_action_internal (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings", error=0x7fff4244b8e8) at cups-pk-helper-mechanism.c:281
#2  0x000000000040857e in _check_polkit_for_action_v (mechanism=0x13a3400, context=0x13c72a0, first_action_method=0x40b91a "server-settings") at cups-pk-helper-mechanism.c:325
#3  0x0000000000408691 in _check_polkit_for_action (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings") at cups-pk-helper-mechanism.c:357
#4  0x00000000004096d6 in cph_mechanism_server_get_settings (mechanism=0x13a3400, context=0x13c72a0) at cups-pk-helper-mechanism.c:952
#5  0x000000322600c76f in ?? () from /usr/lib64/libdbus-glib-1.so.2
#6  0x000000322600cc3c in ?? () from /usr/lib64/libdbus-glib-1.so.2
#7  0x000000322001cbee in ?? () from /lib64/libdbus-1.so.3
#8  0x0000003220010a1c in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#9  0x00000032260098e5 in ?? () from /usr/lib64/libdbus-glib-1.so.2
#10 0x000000321d4391be in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x000000321d43cba8 in ?? () from /lib64/libglib-2.0.so.0
#12 0x000000321d43cff5 in g_main_loop_run () from /lib64/libglib-2.0.so.0
#13 0x0000000000409e26 in main (argc=1, argv=0x7fff4244c298) at main.c:142

Also:

#1  0x00000000004083f8 in _check_polkit_for_action_internal (mechanism=0x13a3400, context=0x13c72a0, action_method=0x40b91a "server-settings", error=0x7fff4244b8e8) at cups-pk-helper-mechanism.c:281
281       if (!polkit_authorization_result_get_is_authorized (pk_result)) {
(gdb) p pk_result
$2 = (PolkitAuthorizationResult *) 0x0

So the problems are:

1. For some reason polkit_authority_check_authorization_sync() is returning NULL
2. In addition, we aren't checking for that error

(To get this backtrace I just added a 'sleep(20);' at the beginning of main()...)

Note that you only get this segfault when running in enforcing mode.
I found this while digging into the polkit_authority_check_authorization_sync() call:

(gdb) step
_polkit_authority_check_authorization_finish (instance=0xdb8940, _out_result=0x7fff4c0de2e8, res=0xdb4800, error=0x7fff4c0de2e0) at _polkitauthority.c:774
774     {
(gdb) n
775       GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
(gdb)
779       g_return_val_if_fail (_POLKIT_IS_AUTHORITY (instance) && EGG_DBUS_IS_INTERFACE_PROXY (instance), FALSE);
(gdb)
781       g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == _polkit_authority_check_authorization);
(gdb)
786       if (g_simple_async_result_propagate_error (simple, error))
(gdb)
806     }
(gdb) p error
$7 = (GError **) 0x7fff4c0de2e0
(gdb) p *error
$8 = (GError *) 0xd88d70
(gdb) p **error
$9 = {domain = 139, code = 12, message = 0xdc0010 "Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.DBus.Error.AccessDenied"...}
Hi Tim,

I cannot reproduce the problem, but I prepared a scratch build with a patch checking the result of polkit_authority_check_authorization_sync(). It's here: http://koji.fedoraproject.org/koji/taskinfo?taskID=1609175

Could you try whether it solves the problem for you?

Thank you
Marek
With this package, and with SELinux policy modified like this: -- serefpolicy-3.6.26/policy/modules/system/init.te.cups-pk-helper 2009-08-16 11:12:55.196914451 +0100 +++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-16 11:13:28.905914087 +0100 
@@ -439,6 +439,11 @@ userdom_read_user_home_content_files(ini # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) +optional_policy(` + # Allow interaction with cupsd + cups_stream_connect(initrc_t) + cups_tcp_connect(initrc_t) +') ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t)

the mechanism no longer segfaults, but I still don't get a PolicyKit authorization dialog. Here's 'strace -s1000 -p ...' output from the cups-pk-helper-mechanism process when trying to fetch server settings:

One other thing of note: I don't see any of the cupspkhelper methods in the list at System->Preferences->Authorizations.
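Review bot: in the init.te hunk of this comment, the added optional_policy block grants cups_stream_connect and cups_tcp_connect to initrc_t, the domain shared by everything started from init scripts, so the allowance reaches far beyond cups-pk-helper-mechanism; the context comment directly above the addition says daemons started from init should be placed in their own domain. I would suggest giving /usr/libexec/cups-pk-helper-mechanism a dedicated domain with a transition and attaching the CUPS socket access to that domain instead. Separately, the AVC records in the report only show a sock_file write and a unix_stream_socket connectto, so cups_tcp_connect has no matching denial here and could be dropped unless a TCP denial is shown.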
> One other thing of note: I don't see any of the cupspkhelper methods in the
> list at System->Preferences->Authorizations.

You don't see it there because polkit-gnome-authorization is from PolicyKit (old style) and not from polkit (new style). Which versions of these packages do you have?

Marek
You can try 'pkaction' (polkit) to see cups-pk-helper's methods (vs. 'polkit-action' - PolicyKit).
OK, pkaction shows them. I have polkit-0.93-3.fc12.x86_64. Is cups-pk-helper working correctly for you in rawhide?
It worked for me, but now it doesn't. It shows me the old authentication dialog instead of polkit's one. If I run /usr/libexec/cups-pk-helper-mechanism manually as root then it works.

Marek
Fixed in selinux-policy-3.6.27-2.fc12.noarch
Re-opening for cups-pk-helper crash noted in comment #1.
Fixed in cups-pk-helper-0.0.4-6.fc12.
It still doesn't work. Marek
Hi,

I tried this (in Permissive mode):

yum erase selinux-policy-targeted
mv /etc/selinux/targeted/modules /etc/selinux/targeted/modules.old
yum install selinux-policy-targeted
turn on Enforcing mode
mark system to relabel on reboot
reboot

and it shows polkit's dialog correctly.

tested with:
cups-pk-helper-0.0.4-7
system-config-printer-1.1.10-8
selinux-policy-3.6.26-8
selinux-policy-targeted-3.6.26-8

the rawhide is an update of F11 and runs in qemu

Tim, could you confirm whether this works for you?

Thanks
Marek
Bizarrely, this works. (I tried on a machine that was freshly installed from rawhide on the 12th of August...)
I tried system-config-printer in a fresh install of F12-alpha-RC2 now and it works without any problem (in Enforcing mode).

Marek
OK, let's mark this as fixed then.