Bug 517528 - Policy required for cups-pk-helper
Policy required for cups-pk-helper
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cups-pk-helper (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Marek Kašík
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: fitandfinish
  Show dependency treegraph
 
Reported: 2009-08-14 09:32 EDT by Tim Waugh
Modified: 2009-08-24 06:30 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-24 06:30:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
selinux-policy-cups-pk-helper.patch (1.60 KB, patch)
2009-08-15 09:27 EDT, Tim Waugh
no flags Details | Diff
selinux-policy-cups-pk-helper.patch (1.60 KB, patch)
2009-08-15 16:53 EDT, Tim Waugh
no flags Details | Diff

  None (edit)
Description Tim Waugh 2009-08-14 09:32:36 EDT
Description of problem:
Looks like cups-pk-helper-mechanism is running in the wrong SELinux context.

node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { write } for pid=2279 comm="cups-pk-helper-" name="cups.sock" dev=dm-1 ino=4139 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file

node=worm.elk type=AVC msg=audit(1250256339.322:28150): avc: denied { connectto } for pid=2279 comm="cups-pk-helper-" path="/var/run/cups/cups.sock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=worm.elk type=SYSCALL msg=audit(1250256339.322:28150): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=8a6cd8 a2=1a a3=7fff707ef0b0 items=0 ppid=1 pid=2279 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
cups-pk-helper-0.0.4-5.fc12.x86_64
selinux-policy-3.6.26-11.fc12.noarch

How reproducible:
100%

Steps to Reproduce:
1.Use system-config-printer and try to change something.
Comment 1 Tim Waugh 2009-08-15 09:27:40 EDT
Created attachment 357540 [details]
selinux-policy-cups-pk-helper.patch

I *think* this policy is required, in that I no longer get AVC messages -- but in my testing I get this in /var/log/messages:

Aug 15 14:24:33 worm kernel: cups-pk-helper-[9340]: segfault at 18 ip 000000322c4156a0 sp 00007fff8af444f8 error 4 in libpolkit-gobject-1.so.0.0.0[322c400000+1e000]
Comment 2 Tim Waugh 2009-08-15 09:29:10 EDT
Possibly we should 'dontaudit' the getsched call instead of 'allow'ing it.  I'll try that next.
Comment 3 Tim Waugh 2009-08-15 09:39:02 EDT
No, that doesn't work. :-(

Changing component back to cups-pk-helper until that's resolved.
Comment 4 Tim Waugh 2009-08-15 16:53:10 EDT
Created attachment 357549 [details]
selinux-policy-cups-pk-helper.patch

I've tested this patch and it works.
Comment 5 Tim Waugh 2009-08-15 16:54:21 EDT
OK, patch ready for selinux-policy inclusion.

It would be really useful to have a package in koji as soon as possible so that it can be included in the Live CD for the printing fit-and-finish session on Tuesday.  Thanks!
Comment 6 Tim Waugh 2009-08-15 17:18:57 EDT
Grr, changing back to cups-pk-helper again.  It only works when SELinux is in permissive mode.

Marek, this is the backtrace from cups-pk-helper-mechanism when running with selinux-policy patched as in comment #4.  Can you take a look at it please?

#0  0x000000322c4156a0 in polkit_authorization_result_get_is_authorized ()
   from /usr/lib64/libpolkit-gobject-1.so.0
#1  0x00000000004083f8 in _check_polkit_for_action_internal (
    mechanism=0x13a3400, context=0x13c72a0, 
    action_method=0x40b91a "server-settings", error=0x7fff4244b8e8)
    at cups-pk-helper-mechanism.c:281
#2  0x000000000040857e in _check_polkit_for_action_v (mechanism=0x13a3400, 
    context=0x13c72a0, first_action_method=0x40b91a "server-settings")
    at cups-pk-helper-mechanism.c:325
#3  0x0000000000408691 in _check_polkit_for_action (mechanism=0x13a3400, 
    context=0x13c72a0, action_method=0x40b91a "server-settings")
    at cups-pk-helper-mechanism.c:357
#4  0x00000000004096d6 in cph_mechanism_server_get_settings (
    mechanism=0x13a3400, context=0x13c72a0) at cups-pk-helper-mechanism.c:952
#5  0x000000322600c76f in ?? () from /usr/lib64/libdbus-glib-1.so.2
#6  0x000000322600cc3c in ?? () from /usr/lib64/libdbus-glib-1.so.2
#7  0x000000322001cbee in ?? () from /lib64/libdbus-1.so.3
#8  0x0000003220010a1c in dbus_connection_dispatch ()
   from /lib64/libdbus-1.so.3
#9  0x00000032260098e5 in ?? () from /usr/lib64/libdbus-glib-1.so.2
#10 0x000000321d4391be in g_main_context_dispatch ()
   from /lib64/libglib-2.0.so.0
#11 0x000000321d43cba8 in ?? () from /lib64/libglib-2.0.so.0
#12 0x000000321d43cff5 in g_main_loop_run () from /lib64/libglib-2.0.so.0
#13 0x0000000000409e26 in main (argc=1, argv=0x7fff4244c298) at main.c:142

Also:

#1  0x00000000004083f8 in _check_polkit_for_action_internal (
    mechanism=0x13a3400, context=0x13c72a0, 
    action_method=0x40b91a "server-settings", error=0x7fff4244b8e8)
    at cups-pk-helper-mechanism.c:281
281	        if (!polkit_authorization_result_get_is_authorized (pk_result)) {
(gdb) p pk_result
$2 = (PolkitAuthorizationResult *) 0x0

So the problems are:

1. For some reason polkit_authority_check_authorization_sync() is returning NULL
2. In addition, we aren't checking for that error

(To get this backtrace I just added a 'sleep(20);' at the beginning of main()...)

Note that you only get this segfault when running in enforcing mode.
Comment 7 Tim Waugh 2009-08-16 06:33:07 EDT
I found this while digging into the polkit_authority_check_authorization_sync() call:

(gdb) step
_polkit_authority_check_authorization_finish (instance=0xdb8940, 
    _out_result=0x7fff4c0de2e8, res=0xdb4800, error=0x7fff4c0de2e0)
    at _polkitauthority.c:774
774	{
(gdb) n
775	  GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
(gdb) 
779	  g_return_val_if_fail (_POLKIT_IS_AUTHORITY (instance) && EGG_DBUS_IS_INTERFACE_PROXY (instance), FALSE);
(gdb) 
781	  g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == _polkit_authority_check_authorization);
(gdb) 
786	  if (g_simple_async_result_propagate_error (simple, error))
(gdb) 
806	}
(gdb) p error
$7 = (GError **) 0x7fff4c0de2e0
(gdb) p *error
$8 = (GError *) 0xd88d70
(gdb) p **error
$9 = {domain = 139, code = 12, 
  message = 0xdc0010 "Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.DBus.Error.AccessDenied"...}
Comment 8 Marek Kašík 2009-08-17 06:33:53 EDT
Hi Tim,

I can not reproduce the problem, but I prepared a scratch build with a patch checking the result of polkit_authority_check_authorization_sync(). Its here http://koji.fedoraproject.org/koji/taskinfo?taskID=1609175.
Could you try whether it solves the problem for you?

Thank you

Marek
Comment 9 Tim Waugh 2009-08-17 07:21:08 EDT
With this package, and with SELinux policy modified like this:

-- serefpolicy-3.6.26/policy/modules/system/init.te.cups-pk-helper	2009-08-16 11:12:55.196914451 +0100
+++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-16 11:13:28.905914087 +0100
@@ -439,6 +439,11 @@ userdom_read_user_home_content_files(ini
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
 userdom_use_user_terminals(initrc_t)
+optional_policy(`
+	# Allow interaction with cupsd
+	cups_stream_connect(initrc_t)
+	cups_tcp_connect(initrc_t)
+')
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)

the mechanism no longer segfaults, but I still don't get a PolicyKit authorization dialog.

Here's 'strace -s1000 -p ...' output from the cups-pk-helper-mechanism process when trying to fetch server settings:

Process 8494 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 1
read(3, "l\4\1\1\35\0\0\0\16\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.118\0\0\6\0\0\0:1.118\0\0\0\0\0\0\0"..., 2048) = 189
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 15308) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\37\0\0\0\17\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0\0\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0"..., 2048) = 191
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 11707) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\4\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\22\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\4\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n  <interface name=\"org.freedesktop.DBus.Introspectable\">\n    <method name=\"Introspect\">\n      <arg name=\"data\" direction=\"out\" type=\"s\"/>\n    </method>\n  </interface>\n  <interface name=\"org.freedesktop.DBus.Properties\">\n    <method name=\"Get\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"out\" type=\"v\"/>\n    </method>\n    <method name=\"Set\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"in\" type=\"v\"/>\n    </method>\n    <method name=\"GetAll\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n    </method>\n  </interface>\n  <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n    <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 10212) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\5\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\v\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1)    = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\f\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\v\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\23\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\5\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\37\0\0\0\20\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.121\0\0\0\0\0\0\0\0\0\0\6\0\0\0:1.121\0"..., 2048) = 191
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\7\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\24\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\7\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n  <interface name=\"org.freedesktop.DBus.Introspectable\">\n    <method name=\"Introspect\">\n      <arg name=\"data\" direction=\"out\" type=\"s\"/>\n    </method>\n  </interface>\n  <interface name=\"org.freedesktop.DBus.Properties\">\n    <method name=\"Get\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"out\" type=\"v\"/>\n    </method>\n    <method name=\"Set\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"in\" type=\"v\"/>\n    </method>\n    <method name=\"GetAll\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n    </method>\n  </interface>\n  <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n    <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\10\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\f\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1)    = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\r\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\f\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\25\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\10\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 30000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\n\0\0\0w\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.freedesktop.DBus.Introspectable\0\0\0\0\0\3\1s\0\n\0\0\0Introspect\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 136
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(3, [{"l\2\1\1\17\33\0\0\26\0\0\0\37\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\5\1u\0\n\0\0\0\10\1g\0\1s\0\0"..., 48}, {"\n\33\0\0<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n<node>\n  <interface name=\"org.freedesktop.DBus.Introspectable\">\n    <method name=\"Introspect\">\n      <arg name=\"data\" direction=\"out\" type=\"s\"/>\n    </method>\n  </interface>\n  <interface name=\"org.freedesktop.DBus.Properties\">\n    <method name=\"Get\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"out\" type=\"v\"/>\n    </method>\n    <method name=\"Set\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"propname\" direction=\"in\" type=\"s\"/>\n      <arg name=\"value\" direction=\"in\" type=\"v\"/>\n    </method>\n    <method name=\"GetAll\">\n      <arg name=\"interface\" direction=\"in\" type=\"s\"/>\n      <arg name=\"props\" direction=\"out\" type=\"a{sv}\"/>\n    </method>\n  </interface>\n  <interface name=\"org.opensuse.CupsPkHelper.Mechanism\">\n    <method na"..., 6927}], 2) = 6975
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 20908) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\1\0\1\0\0\0\0\v\0\0\0\177\0\0\0\1\1o\0\1\0\0\0/\0\0\0\0\0\0\0\6\1s\0\6\0\0\0:1.116\0\0\2\1s\0#\0\0\0org.opensuse.CupsPkHelper.Mechanism\0\0\0\0\0\3\1s\0\21\0\0\0ServerGetSettings\0\0\0\0\0\0\0\7\1s\0\6\0\0\0:1.120\0\0"..., 2048) = 144
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
writev(9, [{"l\1\0\1y\0\0\0\r\0\0\0\276\0\0\0\1\1o\0%\0\0\0/org/freedesktop/PolicyKit1/Authority\0\0\0\6\1s\0\32\0\0\0org.freedesktop.PolicyKit1\0\0\0\0\0\0\2\1s\0$\0\0\0org.freedesktop.PolicyKit1.Authority\0\0\0\0\3\1s\0\22\0\0\0CheckAuthorization\0\0\0\0\0\0\10\1g\0\20(sa{sv})sa{ss}us\0\0\0"..., 208}, {"\17\0\0\0system-bus-name\0\27\0\0\0\4\0\0\0name\0\1s\0\6\0\0\0:1.120\0\0003\0\0\0org.opensuse.cupspkhelper.mechanism.server-settings\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0"..., 121}], 2) = 329
poll([{fd=9, events=POLLIN}], 1, -1)    = 1 ([{fd=9, revents=POLLIN}])
read(9, "l\3\1\1\t\1\0\0\16\0\0\0m\0\0\0\6\1s\0\6\0\0\0:1.117\0\0\4\1s\0'\0\0\0org.freedesktop.DBus.Error.AccessDenied\0\5\1u\0\r\0\0\0\10\1g\0\1s\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\4\1\0\0An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender \":1.117\" interface \"org.freedesktop.PolicyKit1.Authority\" member \"CheckAuthorization\" error name \"(unset)\" destination \"org.freedesktop.PolicyKit1\")\0"..., 2048) = 393
read(9, 0x1ecc710, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
writev(3, [{"l\3\1\1H\0\0\0\27\0\0\0_\0\0\0\6\1s\0\6\0\0\0:1.120\0\0\4\1s\0001\0\0\0org.opensuse.CupsPkHelper.Mechanism.NotPrivileged\0\0\0\0\0\0\0\5\1u\0\v\0\0\0\10\1g\0\1s\0\0"..., 112}, {"C\0\0\0Not Authorized: org.opensuse.cupspkhelper.mechanism.server-settings\0"..., 72}], 2) = 184
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 29903) = 1 ([{fd=3, revents=POLLIN}])
read(3, "l\4\1\1\35\0\0\0\21\0\0\0\211\0\0\0\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\20\0\0\0NameOwnerChanged\0\0\0\0\0\0\0\0\7\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\3sss\0\0\0\0\0\0\0\0\6\0\0\0:1.120\0\0\6\0\0\0:1.120\0\0\0\0\0\0\0"..., 2048) = 189
read(3, 0x1ea93f0, 2048)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 0) = 0 (Timeout)
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}, {fd=3, events=POLLIN}], 3, 29097^C <unfinished ...>
Process 8494 detached

One other thing of note: I don't see any of the cupspkhelper methods in the list at System->Preferences->Authorizations.
Comment 10 Marek Kašík 2009-08-17 09:45:33 EDT
> One other thing of note: I don't see any of the cupspkhelper methods in the
> list at System->Preferences->Authorizations.

You don't see it there because polkit-gnome-authorization is from PolicyKit (old style) and not from polkit (new style).
Which versions of these packages do you have?

Marek
Comment 11 Marek Kašík 2009-08-17 09:54:05 EDT
You can try 'pkaction' (polkit) to see cups-pk-helper's methods (vs. 'polkit-action' - PolicyKit).
Comment 12 Tim Waugh 2009-08-17 10:12:51 EDT
OK, pkaction shows them.

I have polkit-0.93-3.fc12.x86_64.  Is cups-pk-helper working correctly for you in rawhide?
Comment 13 Marek Kašík 2009-08-17 10:53:57 EDT
It worked for me, but now it doesn't. It shows me old authentication dialog instead of the polkit's one.
If I run /usr/libexec/cups-pk-helper-mechanism manually as root then it works.

Marek
Comment 14 Daniel Walsh 2009-08-18 09:13:17 EDT
Fixed in selinux-policy-3.6.27-2.fc12.noarch
Comment 15 Tim Waugh 2009-08-18 09:45:00 EDT
Re-opening for cups-pk-helper crash noted in comment #1.
Comment 16 Marek Kašík 2009-08-18 10:55:17 EDT
Fixed in cups-pk-helper-0.0.4-6.fc12.
Comment 17 Marek Kašík 2009-08-18 12:05:19 EDT
It still doesn't work.

Marek
Comment 18 Marek Kašík 2009-08-20 06:43:04 EDT
Hi,

I tried this (in Permissive mode):

yum erase selinux-policy-targeted
mv /etc/selinux/targeted/modules /etc/selinux/targeted/modules.old
yum install selinux-policy-targeted
turn on Enforcing mode
mark system to relabel on reboot
reboot

and it shows polkit's dialog correctly.
                                             
tested with:
cups-pk-helper-0.0.4-7
system-config-printer-1.1.10-8
selinux-policy-3.6.26-8
selinux-policy-targeted-3.6.26-8
the rawhide is an update of F11 and runs in qemu

Tim, could you confirm whether this works for you?

Thanks

Marek
Comment 19 Tim Waugh 2009-08-20 07:37:42 EDT
Bizarrely, this works. (I tried on a machine that was freshly installed from rawhide on the 12th of August...)
Comment 20 Marek Kašík 2009-08-20 09:46:30 EDT
I tried system-config-printer in fresh install of F12-alpha-RC2 now and it works without any problem (in Enforcing mode).

Marek
Comment 21 Tim Waugh 2009-08-24 06:30:29 EDT
OK, let's mark this as fixed then.

Note You need to log in before you can comment on or make changes to this bug.