Bug 618543 - the dialogue "System policy prevents write access to" is missing information
the dialogue "System policy prevents write access to" is missing information
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: PolicyKit-kde (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Orphan Owner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-27 04:40 EDT by Karel Volný
Modified: 2011-06-29 08:55 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-29 08:55:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Karel Volný 2010-07-27 04:40:56 EDT
Description of problem:
I got some security alert about mislabeled file. After clicking "Restore Context", a dialogue asking for password appeared ...

It says:

System policy prevents write access to SETroubleshoot

An application is attempting to perform an action that requires privileges.
Authentication is required to perform this action.

Password: ...


Oh well, what privileges are required? Which password I'm supposed to enter, the root password? - But I don't think that root is needed for this particular action ...

So that I've clicked Details to get some details ... Now I see three additional lines:

Application:
Action:      SELinux write access
Vendor:      Red Hat Inc.

Oh, nice ... still no information what privileges, which password is asked for. And my question is still unanswered, what exact action is going to be performed, to see if it really needs root. The text "SELinux write access" looks like a hyperlink, but clicking it does nothing. (Clicking Red Hat Inc. opens Red Hat homepage in Konqueror.)

And why the "Application" item is empty? - I'd expect something like "/usr/bin/sealert" or maybe "/usr/bin/chcon" ...


Version-Release number of selected component (if applicable):
polkit-kde-0.95.1-4.fc13.x86_64

How reproducible:
always

Steps to Reproduce:
1. mislabel some file in your home, let setroubleshoot notice
2. open the sealert window
3. click Restore Context
  
Actual results:
you get some slack phishing attempt for your passwords, see the description above

Expected results:
a dialogue clearly explaining WHAT is asked and WHY
including which exact command (action) caused the need for authentication

Additional info:
Comment 1 Jaroslav Reznik 2010-07-27 07:21:05 EDT
(In reply to comment #0)
> Description of problem:
> I got some security alert about mislabeled file. After clicking "Restore
> Context", a dialogue asking for password appeared ...
> 
> It says:
> 
> System policy prevents write access to SETroubleshoot
> 
> An application is attempting to perform an action that requires privileges.
> Authentication is required to perform this action.
> 
> Password: ...
> 
> 
> Oh well, what privileges are required? Which password I'm supposed to enter,
> the root password? - 

This is indeed bug - there should be "Password for root" if root password is required.

>But I don't think that root is needed for this particular
> action ...

This is not a polkit-kde bug - it's set in setroubleshoot policy file 
/usr/share/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy - auth_admin is required.


> So that I've clicked Details to get some details ... Now I see three additional
> lines:
> 
> Application:
> Action:      SELinux write access
> Vendor:      Red Hat Inc.

Application should be set.

> Oh, nice ... still no information what privileges, which password is asked for.
> And my question is still unanswered, what exact action is going to be
> performed, to see if it really needs root. The text "SELinux write access"
> looks like a hyperlink, but clicking it does nothing. (Clicking Red Hat Inc.
> opens Red Hat homepage in Konqueror.)

This is again not a polkit-kde problem - it just displays what the application provides.

> And why the "Application" item is empty? - I'd expect something like
> "/usr/bin/sealert" or maybe "/usr/bin/chcon" ...
> 
> 
> Version-Release number of selected component (if applicable):
> polkit-kde-0.95.1-4.fc13.x86_64
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. mislabel some file in your home, let setroubleshoot notice
> 2. open the sealert window
> 3. click Restore Context
> 
> Actual results:
> you get some slack phishing attempt for your passwords, see the description
> above
> 
> Expected results:
> a dialogue clearly explaining WHAT is asked and WHY
> including which exact command (action) caused the need for authentication
>
> Additional info:
Comment 2 Radek Novacek 2010-07-28 04:26:02 EDT
(In reply to comment #1)
> Application should be set.
Actually that is again bug in polkit. It should send application name to the authentication client (dialog) but it doesn't. Polkit-kde doesn't have any link to the application - it depends only on information that polkit provides.
Comment 3 Fedora Update System 2010-08-04 06:39:33 EDT
polkit-kde-0.95.1-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/polkit-kde-0.95.1-6.fc13
Comment 4 Fedora Update System 2010-08-04 06:39:39 EDT
polkit-kde-0.95.1-6.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/polkit-kde-0.95.1-6.fc14
Comment 5 Fedora Update System 2010-08-04 06:39:49 EDT
polkit-kde-0.95.1-6.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/polkit-kde-0.95.1-6.fc12
Comment 6 Radek Novacek 2010-08-06 04:04:03 EDT
The above mention update to version polkit-kde-0.95.1-6 fixes showing "Password for root" if root is authenticating.
Comment 7 Fedora Update System 2010-08-13 17:17:01 EDT
polkit-kde-0.95.1-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-08-13 17:29:15 EDT
polkit-kde-0.95.1-6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-08-18 21:13:09 EDT
polkit-kde-0.95.1-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Karel Volný 2010-08-24 07:44:44 EDT
(In reply to comment #6)
> The above mention update to version polkit-kde-0.95.1-6 fixes showing "Password
> for root" if root is authenticating.

I can confirm ... but what about the remaining issues?

(In reply to comment #2)
> (In reply to comment #1)
> > Application should be set.
> Actually that is again bug in polkit. It should send application name to the
> authentication client (dialog) but it doesn't. Polkit-kde doesn't have any link
> to the application - it depends only on information that polkit provides.

is that a *known* bug? - what is the bz number then?

(In reply to comment #1)
> (In reply to comment #0)
...
> >But I don't think that root is needed for this particular
> > action ...
> 
> This is not a polkit-kde bug - it's set in setroubleshoot policy file 
> /usr/share/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy -
> auth_admin is required.

so, another bug/RFE should be filed ... to be honest, I'm not sure what is this all about - I have a suspicion that for running restorecon without root privileges, polkit doesn't need to be involved at all?
Comment 11 Bug Zapper 2011-06-01 08:45:20 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Bug Zapper 2011-06-29 08:55:30 EDT
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.