Bug 872797 - lightdm: provide polkit .rules for actions
Summary: lightdm: provide polkit .rules for actions
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: lightdm
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 857254 (view as bug list)
Depends On:
Blocks: 857254
TreeView+ depends on / blocked
 
Reported: 2012-11-03 08:57 UTC by Tim Lauridsen
Modified: 2013-01-23 02:01 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:20:06 UTC
Type: Bug


Attachments (Terms of Use)
polkit .rules file for lightdm power action (538 bytes, text/plain)
2012-11-03 09:03 UTC, Tim Lauridsen
no flags Details
patch to switch to using logind, insted of ConsoleKit (2.75 KB, patch)
2012-11-04 08:44 UTC, Tim Lauridsen
no flags Details | Diff
WIP login1 PowerOff/Reboot support (6.72 KB, patch)
2012-11-05 18:49 UTC, Rex Dieter
no flags Details | Diff
WIP login1 PowerOff/Reboot support (6.71 KB, patch)
2012-11-05 18:57 UTC, Rex Dieter
no flags Details | Diff
updated polkit .rules file (676 bytes, application/octet-stream)
2012-11-06 08:33 UTC, Tim Lauridsen
no flags Details
secure.log output from lightdm-1.4.0-3 (2.27 KB, text/plain)
2012-11-07 13:32 UTC, Tim Lauridsen
no flags Details

Description Tim Lauridsen 2012-11-03 08:57:03 UTC
Description of problem:

No actions under the power menu in the lightdm-gtk greater

Version-Release number of selected component (if applicable):
lightdm-gtk-1.3.1-1.fc18.x86_64

How reproducible:
everytime

Steps to Reproduce:
1. boot into a Xfce livecd or an Xfce installation
2. click on the power icon in the upper rigth corner
3.
  
Actual results:

No actions

Expected results:

some actions (restart, shutdown, etc)

Additional info:

Comment 1 Tim Lauridsen 2012-11-03 09:02:14 UTC
After doing some research, I found out that actions is controlled by
polkit autherization for

org.freedesktop.consolekit.system.restart
org.freedesktop.consolekit.system.stop
org.freedesktop.upower.suspend
org.freedesktop.upower.hibernate

so I have made a polkit .rules file and put it into /etc/polkit-1/rules.d/

and now the power action appears in the power menu.

Comment 2 Tim Lauridsen 2012-11-03 09:03:07 UTC
Created attachment 637444 [details]
polkit .rules file for lightdm power action

Comment 3 Tim Lauridsen 2012-11-03 09:04:23 UTC
Maybe it would be a good idea to put into the lightdm-gtk package :)

Comment 4 Rex Dieter 2012-11-03 11:33:32 UTC
Excellent detective work!

I'd been stumped on this for awhile (bug #857254), thanks.

Comment 5 Kevin Kofler 2012-11-04 02:09:23 UTC
Good, now can we please make it use the systemd-logind interfaces instead of the obsolete ConsoleKit ones for shutdown/restart? Changing that in the code should be fairly straightforward. Does LightDM use other ConsoleKit interfaces (e.g. for user switching) or just those 2?

Comment 6 Kevin Kofler 2012-11-04 02:13:15 UTC
Oh, and the .rules file probably should be in the core lightdm package, not in lightdm-gtk.

Comment 7 Tim Lauridsen 2012-11-04 08:44:30 UTC
Created attachment 637917 [details]
patch to switch to using logind, insted of ConsoleKit

I have made a initial patch to use logind DBUS interface for reboot/shutdown
instead of the ConsoleKit one.

My C is rusty, so there might be some errors :)

the main difference is that (Besides the method names)

org.freedesktop.login1 CanRestart & CanPowerOff return a "yes" or "no" string, not a boolean like the ConsoleKit one.

I have tried to make some handling for that, but it need to be reviewed, by someone with better C skills than me :)

Comment 8 Kevin Kofler 2012-11-04 15:12:35 UTC
No, that won't work as is, the Restart and PowerOff commands take an additional boolean argument which says whether interactive prompts through PolicyKit are to be allowed.

Also note that CanRestart and CanPowerOff can return 3 values: "yes", "no" or "challenge". (That's why it's not a boolean.) "challenge" means the user will be prompted through PolicyKit. So you may also want to treat "challenge" as "yes" for the purpose of showing menu entries. Though then again, LightDM probably doesn't have a PolicyKit authentication agent running in its session, and settings should be such that no challenge is needed, so I guess treating "challenge" the same as "no" is probably the right thing to do here (and thus you'll also want to set the "interactive" argument to false in the Restart and PowerOff commands).

Comment 9 Rex Dieter 2012-11-05 13:55:05 UTC
Thanks Tim, I'll try to take it from here.

1.  Incorporate polkit.rules asap

2.  Adapt your patch to make it upstreamable.  Instead of replacing consolekit dbus queries, add logind query first, and fallback to consolekit on failure.

Comment 10 Fedora Update System 2012-11-05 15:51:30 UTC
lightdm-1.4.0-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/lightdm-1.4.0-2.fc18

Comment 11 Rex Dieter 2012-11-05 18:49:37 UTC
Created attachment 638822 [details]
WIP login1 PowerOff/Reboot support

what I have so far, only partially works:
-gobject: Can* seems to return true (the buttons are shown), but PowerOff, Reboot does nothing
-qt: Can* seems to return false (Shutdown/restart buttons are grey'd out)

:(

Comment 12 Rex Dieter 2012-11-05 18:50:48 UTC
heh, I can see an error in -gobject now (/org/freedesktop/login1/Manager is incorrect).  retesting with /org/freedesktop/login1

Comment 13 Rex Dieter 2012-11-05 18:57:43 UTC
Created attachment 638836 [details]
WIP login1 PowerOff/Reboot support

(no change. :( )

status:
-gobject: Can* seems to return true (the buttons are shown), but PowerOff, Reboot does nothing
-qt: Can* seems to return false (Shutdown/restart buttons are grey'd out)

Comment 14 Rex Dieter 2012-11-05 19:28:47 UTC
OK, that patch seems to work for -gobject, *provided* you have the right polkit rules.  I need to figure out why/how the dbus methods

org.freedesktop.login1.Manager.Reboot
org.freedesktop.login1.Manager.PowerOff

end up mapping to polkit actions:
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.power-off-multiple-sessions

I guess these were described on
http://www.freedesktop.org/wiki/Software/systemd/logind

thank heavens tim's sample .rules file logged the actions (to /var/log/secure)


Now to go test -qt bindings too (I suspect we still have some sort of code failure going on there, polkit isn't logging anything when using using lightdm-kde)

Comment 15 Fedora Update System 2012-11-05 22:45:49 UTC
Package lightdm-1.4.0-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-1.4.0-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17634/lightdm-1.4.0-2.fc18
then log in and leave karma (feedback).

Comment 16 Tim Lauridsen 2012-11-06 08:33:03 UTC
Created attachment 639188 [details]
updated polkit .rules file

This .rules file will also give the lightdm user permission to all
org.freedesktop.login1.* actions

Comment 17 Tim Lauridsen 2012-11-06 08:45:47 UTC
(In reply to comment #14)
> OK, that patch seems to work for -gobject, *provided* you have the right
> polkit rules.  I need to figure out why/how the dbus methods
> 
> org.freedesktop.login1.Manager.Reboot
> org.freedesktop.login1.Manager.PowerOff
> 
> end up mapping to polkit actions:
> org.freedesktop.login1.reboot-multiple-sessions
> org.freedesktop.login1.power-off-multiple-sessions
> 
> I guess these were described on
> http://www.freedesktop.org/wiki/Software/systemd/logind
> 

Looking in the logind polkit policy
/usr/share/polkit-1/actions/org.freedesktop.login1.policy

I seams like there is 3 actions for reboot (same for power off)

<action id="org.freedesktop.login1.reboot">
    <description>Reboot the system</description>
</action>

<action id="org.freedesktop.login1.reboot-multiple-sessions">
    <description>Reboot the system while other users are logged in</description>
</action>

<action id="org.freedesktop.login1.reboot-ignore-inhibit">
    <description>Reboot the system while an application asked to inhibit it</description>
</action>

But it don't say anything about why logind think there is multiple sessions and ask for the org.freedesktop.login1.reboot-multiple-sessions permission.

The updated rules file, will allow it and make it work and it should be safe if we are not doing user switching, don't even know if lightdm is supporting that

Comment 18 Rex Dieter 2012-11-06 12:34:14 UTC
Thanks, ahead of you  :)
http://pkgs.fedoraproject.org/cgit/lightdm.git/tree/lightdm.rules

lightdm-1.4.0-3 has my initial attempt at including native org.freedesktop.login1 support, if you want to pull/test from koji (i wanted to get -2 out and in stable updates first before submitting it)

Comment 19 Rex Dieter 2012-11-06 12:35:39 UTC
Oh, and here's the patch currently used,
http://pkgs.fedoraproject.org/cgit/lightdm.git/tree/lightdm-1.4.0-systemd_login1_power.patch

Comment 20 Tim Lauridsen 2012-11-07 13:32:22 UTC
Created attachment 640074 [details]
secure.log output from lightdm-1.4.0-3

Look like something is not working as expected.
Installed lightdm from koji, it looks like both logind & consolekit is called

Comment 21 Rex Dieter 2012-11-07 14:03:01 UTC
Rats, I didn't see that in my own testing, so I must have messed something up.

The patch as implemented tries to call the logind methods, and if the dbus reply is "invalid" (ie, only supposed to happen if logind isn't present or running), fallback to consolekit.

Comment 22 Tim Lauridsen 2012-11-07 14:19:52 UTC
Just to rule out issues with the logind on my test system.

# gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff

Returns:
('yes',)

Comment 23 Rex Dieter 2012-11-08 15:12:59 UTC
i'm unable to reproduce the problem. :-/

For fun you could try:
1.  comment-out the consolekit related items from lightdm.rules
2.  rpm -e --nodeps ConsoleKit

To see if either of these makes shutdown/restart not work anymore (highlighting the fact that logind isn't being used properly)

Comment 24 Tim Lauridsen 2012-11-09 05:49:13 UTC
I have tried on my main system, same issue

$ rpm -qa lightdm\*
lightdm-1.4.0-3.fc18.x86_64
lightdm-gobject-1.4.0-3.fc18.x86_64
lightdm-gtk-1.3.1-1.fc18.x86_64

if I comment out the consolekit part of the lightdm.rules, then restart/shutdown disappears from the power menu.

Comment 25 Tim Lauridsen 2012-11-09 05:49:54 UTC
$ gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff

('yes',)

Comment 26 Tim Lauridsen 2012-11-09 05:51:17 UTC
Both systems are fully updated system installed from a Xfce livecd.

Comment 27 Tim Lauridsen 2012-11-09 05:54:25 UTC

$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 28 Rex Dieter 2012-11-09 13:49:41 UTC
Mind setting selinux in permissive, and retesting?  

My box happens to have selinux disabled at the moment (it's stuck in disabled mode no matter what I try, may have to re-install... but that's another story... :-/ )

Comment 29 Tim Lauridsen 2012-11-09 16:51:20 UTC
$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

$ sudo cat /var/log/secure | grep action=
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.upower.suspend']
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.upower.hibernate']
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.login1.reboot']
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.consolekit.system.restart']
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.login1.power-off']
Nov  9 18:42:11 None polkitd[609]: /usr/share/polkit-1/rules.d/lightdm.rules:3: action=[Action id='org.freedesktop.consolekit.system.stop']

Look like it does change any thing :(

Comment 30 Dan Mashal 2012-11-11 03:13:54 UTC
*** Bug 857254 has been marked as a duplicate of this bug. ***

Comment 31 Fedora Update System 2012-12-20 15:20:09 UTC
lightdm-1.4.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2013-01-11 05:18:41 UTC
lightdm-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/lightdm-1.4.0-5.fc18

Comment 33 Fedora Update System 2013-01-23 02:01:49 UTC
lightdm-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.