Bug 609799 - system-config-firewall shows polkit error
Summary: system-config-firewall shows polkit error
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: polkit
Version: 6.0
Hardware: All
OS: Linux
low
high
Target Milestone: rc
Assignee: David Zeuthen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-07-01 07:00 UTC by Miroslav Vadkerti
Modified: 2013-03-06 04:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-12 19:38:54 UTC
Target Upstream Version:
Embargoed:


Attachments
system-config-firewall polkit error (107.88 KB, image/png)
2010-07-01 07:04 UTC, Miroslav Vadkerti

Description Miroslav Vadkerti 2010-07-01 07:00:23 UTC
Description of problem:
After running system-config-firewall as a non-root user, a polkit error appears. See attached screenshot.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.25-1.el6.noarch

How reproducible:
In my installation 100%

Steps to Reproduce:
1. Run system-config-firewall as user
  
Actual results:
Error

Expected results:
No error -> ask for root password

Additional info:

Comment 1 Miroslav Vadkerti 2010-07-01 07:01:14 UTC
Polkit version:
polkit-0.96-1.el6.x86_64

Comment 2 Miroslav Vadkerti 2010-07-01 07:04:45 UTC
Created attachment 428188
system-config-firewall polkit error

Comment 3 Thomas Woerner 2010-07-01 09:42:02 UTC
Please check if there are SELinux errors or DBUS errors and add the output of "rpm -V system-config-firewall"

Comment 4 Miroslav Vadkerti 2010-07-01 19:31:12 UTC
State: Thomas is investigating this issue.

Note to appearance of the bug: 
This bug was observed only when s-c-firewall is launched via ssh -X or in a vnc session. Running it locally on a machine works well.

Comment 5 Thomas Woerner 2010-07-05 10:25:25 UTC
This seems to be a polkit problem.

David, what do you think?

Comment 6 David Zeuthen 2010-07-07 14:51:01 UTC
Why do you think it's a polkit problem? All I see is a long error name. I don't think that's enough to reassign bugs, sorry :-)

Btw, 'ssh -X' or 'vnc session' does not count toward active or local sessions (and are not even in the ConsoleKit database) so I doubt polkit would answer in the affirmative when checking any authorization. In fact, it would default to the value of the <allow_any> element inside the <defaults> element. And this is clearly set to 'no':

  $ pkaction --action-id org.fedoraproject.config.firewall.auth --verbose
  org.fedoraproject.config.firewall.auth:
    description:       Firewall authorization
    message:           Authentication is required to read and modify firewall settings
    vendor:            System Config Firewall
    vendor_url:        http://fedorahosted.org/system-config-firewall
    icon:              
    implicit any:      no
    implicit inactive: no
    implicit active:   auth_admin_keep

so what we're seeing here is just things working correctly.
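
The decision discussed in comments 6 and 7, as an added example that is not part of the original thread and is not polkit's own code: a Python model that reads an action's `<defaults>`, picks the implicit authorization for a session, and reports what the caller would see. The policy XML is constructed from the pkaction output above; `load_defaults`, `implicit_authorization` and `outcome` are hypothetical names, and the selection rule (sessions that are not local fall back to allow_any) is an assumption taken from comment 6.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <defaults> mirror the pkaction output in comment 6;
# this is not the policy file shipped by the package.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.fedoraproject.config.firewall.auth">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""
KEYS = ("allow_any", "allow_inactive", "allow_active")
AUTH_VALUES = {"auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}

def load_defaults(policy_xml):
    """Map each action id to its three implicit authorization values."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        found = action.find("defaults")
        # Assumption: a missing element is treated as "no".
        actions[action.get("id")] = {
            k: (found.findtext(k, "no") if found is not None else "no").strip()
            for k in KEYS}
    return actions

def implicit_authorization(defaults, local, active):
    """Assumed rule: sessions that are not local fall back to allow_any."""
    if not local:
        return defaults["allow_any"]
    return defaults["allow_active" if active else "allow_inactive"]

def outcome(defaults, local, active, agent_available):
    """Classify the check as denied, authorized, prompt or no-agent."""
    value = implicit_authorization(defaults, local, active)
    if value in ("no", "yes"):
        return "denied" if value == "no" else "authorized"
    if value not in AUTH_VALUES:
        raise ValueError("unknown implicit authorization: " + value)
    # auth_* needs an authentication agent in the caller's session.
    return "prompt" if agent_available else "no-agent"

if __name__ == "__main__":
    fw = load_defaults(SAMPLE_POLICY)["org.fedoraproject.config.firewall.auth"]
    print("console:", outcome(fw, True, True, True))
    relaxed = dict(fw, allow_any="auth_admin", allow_inactive="auth_admin")
    for name, d in (("shipped", fw), ("relaxed", relaxed)):
        print("ssh -X,", name, "->", outcome(d, False, False, False))
```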

Comment 7 Thomas Woerner 2010-07-08 13:41:32 UTC
Setting allow_any to auth_admin is not sufficient. Additionally, allow_inactive has to be set to auth_admin. And then this will only allow access to the firewall mechanism via VNC and not to other dbus interfaces like for example NetworkManager (used to gather network information). In nearly all projects allow_any and allow_inactive are set to no. Even the PolicyKit Library Reference Manual proposes to do so (see examples). There is word on the impact of using no.

It is also not solving the ssh problem. SSH -X with allow_any: auth_admin, allow_inactive: auth_admin:

$ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth 
Authorization requires authentication but no agent is available.

BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use cases.

This is a generic problem in polkit in my opinion. Nothing system-config-firewall can solve.

Reassigning to polkit.

Comment 8 Miroslav Vadkerti 2010-07-10 18:31:13 UTC
Any update on this?

Comment 9 David Zeuthen 2010-07-12 19:38:54 UTC
(In reply to comment #7)
> Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive
> has to be set to auth_admin. And then this will only allow access to the
> firewall mechanism via VNC and not to other dbus interfaces like for example
> NetworkManager (used to gather network information). In nearly all projects
> allow_any and allow_inactive are set to no. Even the PolicyKit Library
> Reference Manual proposes to do so (see examples). There is word on the impact
> of using no.
> 
> It is also not solving the ssh problem. SSH -X with allow_any: auth_admin,
> allow_inactive: auth_admin:
> 
> $ pkcheck --allow-user-interaction --process $$ --action-id
> org.fedoraproject.config.firewall.auth 
> Authorization requires authentication but no agent is available.
> 
> BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use
> cases.

Because of how ConsoleKit works - basically, currently, login managers will have to integrate with ConsoleKit so seat and session objects are properly created, maintained and destroyed. To my knowledge that never happened.

> This is a generic problem in polkit in my opinion. Nothing
> system-config-firewall can solve.
> 
> Reassigning to polkit.    

Please understand that polkit is simply just a user of ConsoleKit and there is nothing we can do to make the required ConsoleKit objects appear. You need to open bugs against each login program asking for ConsoleKit integration for this to work. It is useless to just have this bug open against polkit for this purpose so I'm closing it.

Comment 10 Miroslav Vadkerti 2010-07-12 20:37:05 UTC
Reported for openssh:
Bug 613796  - openssh: Add support for registering ConsoleKit sessions on login

Looks like vnc bug on this for fedora was already closed as won't fix. I'm not sure if we will be able to pull this in:
https://bugzilla.redhat.com/show_bug.cgi?id=476402

Comment 11 Miroslav Vadkerti 2010-07-13 07:37:26 UTC
This is already reported for EL6:
Bug 528511 - Can't install software via VNC

Comment 12 Steve Grubb 2010-11-22 21:00:49 UTC
I wanted to point something out, there is a session object inside the kernel that is set correctly on gdm and ssh logins. We do that by using a pam module. Could a pam module be written that sets things up so that ssh and consolekit get along?

Comment 13 David Zeuthen 2010-11-24 15:31:37 UTC
(In reply to comment #12)
> I wanted to point something out, there is a session object inside the kernel
> that is set correctly on gdm and ssh logins. We do that by using a pam module.
> Could a pam module be written that sets things up so that ssh and consolekit
> get along?

FWIW, the long term plan is to make systemd's PAM module do this and also make systemd track things like VT switches on graphical logins (and a couple of other things). Then we can make polkit get this information from systemd instead of ConsoleKit and then we can retire ConsoleKit altogether.

