Description of problem:
When opening firewall-config, I'm prompted for authentication twice in a row. (Moreover, the prompts aren't phrased very well.)

First: "System policy prevents to use the firewall policies interface" (should be: "System policy prevents using the...")
Second: "System policy prevents to change the firewall configuration" (should be: "System policy prevents changing the...")

polkit allows one rule to imply another, to avoid these kinds of double-prompts. If access to the user interface really needs to be a separate rule (which seems doubtful?), it ought to imply the ability to change the configuration.

Version-Release number of selected component (if applicable):
firewall-config 0.3.4-1.fc19

How reproducible:
Always

Me too...
*** Bug 1008683 has been marked as a duplicate of this bug. ***
firewalld-0.3.5-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc20
firewalld-0.3.5-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc19
Package firewalld-0.3.5-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.5-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17984/firewalld-0.3.5-1.fc20
then log in and leave karma (feedback).

firewalld-0.3.5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.3.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
I am using fc19. When I try to open firewall config, it asks me to authenticate but it always says "Sorry, that doesn't work. please try again." even after repeatedly input the correct password. I still can not configure firewall.
(In reply to s_mao3 from comment #8)
> even after repeatedly input the correct password.

That seems like some polkit problem.

Mitr (polkit maintainer), any idea how to debug this ?

> I still can not configure firewall.

As a work-around you can run firewall-config as superuser (root).

(In reply to Jiri Popelka from comment #9)
> (In reply to s_mao3 from comment #8)
> > even after repeatedly input the correct password.
>
> That seems like some polkit problem.
>
> Mitr (polkit maintainer), any idea how to debug this ?

A copy of all log entries from /var/log/{messages,secure} from that timeframe (+- 5 minutes) would be a start.

(In reply to Michael Catanzaro from comment #0)
> polkit allows one rule to imply another, to avoid these kinds of
> double-prompts.

Anybody any pointers to examples, doc, etc. ? Or any ideas how this could be achieved ? I couldn't find anything like that.

We previously "fixed" [1] this bug by using only one polkit action. But now I'm tempted to add another polkit action, but this "double-prompt" problem has prevented me from doing it.

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=532704bf6800e6914d279c594e97ef6632d730f4

A couple of examples:

org.freedesktop.timedate1.set-time implies both org.freedesktop.timedate1.set-timezone and org.freedesktop.timedate1.set-ntp, since if you have the power to change the system time, you should also be able to perform those other time-related tasks without a separate password prompt. (But not vice-versa.) [1]

org.freedesktop.packagekit.package-install-untrusted implies org.freedesktop.packagekit.package-install, since a user who is trusted to install untrusted packages is surely also trusted to install packages signed by the distribution (but not vice-versa). (Ignore the comments in this example -- some look outdated.) [2]

[1] http://cgit.freedesktop.org/systemd/systemd/tree/src/timedate/org.freedesktop.timedate1.policy.in
[2] https://gitorious.org/packagekit/packagekit/source/a0cb4a0215e3af4998f24537a5704f0ac7620fe7:policy/org.freedesktop.packagekit.policy.in

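As an added example (not part of the thread and not firewalld or polkit code): a small audit of the `org.freedesktop.policykit.imply` edges in a policy file. It flags any action whose default is weaker than an action it implies, which matters because authorization for the implying action also grants the implied ones. The policy text, the `org.example.demo.*` ids, all `<defaults>` values and the strictness ranking are constructed for the example.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"
# Ranking chosen for this example (higher = harder to obtain); "_keep" variants rank alike.
STRICTNESS = {"yes": 0, "auth_self_keep": 1, "auth_self": 1,
              "auth_admin_keep": 2, "auth_admin": 2, "no": 3}

# Constructed policy: timedate1 ids are those named in the thread, org.example.* ids
# are hypothetical, and every <defaults> value is invented for the example.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.freedesktop.timedate1.set-time">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.timedate1.set-timezone org.freedesktop.timedate1.set-ntp</annotate>
  </action>
  <action id="org.freedesktop.timedate1.set-timezone">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
  <action id="org.example.demo.open-ui">
    <defaults><allow_active>auth_self_keep</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.example.demo.change-config</annotate>
  </action>
  <action id="org.example.demo.change-config">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>
"""

def load_actions(policy_xml):
    """Map action id -> (allow_active default, implied ids); a missing default counts as 'no' here."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        default = (action.findtext("defaults/allow_active") or "no").strip()
        implied = [t for n in action.iter("annotate") if n.get("key") == IMPLY_KEY
                   for t in (n.text or "").split()]
        actions[action.get("id")] = (default, implied)
    return actions

def audit_implications(policy_xml):
    """Return (source, implied, note) for each imply edge that needs review."""
    actions = load_actions(policy_xml)
    findings = []
    for source, (src_default, implied) in actions.items():
        for target in implied:
            if target not in actions:
                findings.append((source, target, "not defined in this file"))
            elif STRICTNESS[actions[target][0]] > STRICTNESS[src_default]:
                findings.append((source, target, f"{src_default} unlocks {actions[target][0]}"))
    return findings
```

An implied action defined in another policy file is reported as "not defined in this file" because its default cannot be compared from this file alone.
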
(In reply to Michael Catanzaro from comment #12)
> A couple of examples:

That's exactly it. Thank you !

Created attachment 889762 [details]
org.freedesktop.policykit.imply annotation

Thomas, we have 2 choices how to properly solve this bug:

1) Use policykit.imply annotation per attached patch

2) I realized that PK_ACTION_DIRECT and PK_ACTION_POLICIES are used only for 'runtime' changes. For 'permanent' changes PK_ACTION_CONFIG is used anyway. So the other possibility is to explicitly use PK_ACTION_CONFIG instead of PK_ACTION_DIRECT/PK_ACTION_POLICIES - which is what we've been already doing since your work-around [1] - but this time I'd explicitly throw out PK_ACTION_DIRECT/PK_ACTION_POLICIES, because I don't see a reason for having them for runtime changes only.

I prefer the second one.

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=532704bf6800e6914d279c594e97ef6632d730f4

(In reply to Jiri Popelka from comment #14)
> 1) Use policykit.imply annotation per attached patch

https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=fa1375fb203c0254c38ac3fd20f64f254fa2b9f2

We might also use GtkLockButton [1].

https://developer.gnome.org/gtk3/stable/GtkLockButton.html
https://git.fedorahosted.org/cgit/system-config-printer.git/commit/?id=5613f6ba12d30751b6634a18a3ddf6792f20cbc1
https://git.fedorahosted.org/cgit/system-config-printer.git/commit/?id=7d97cd2252572ea666a58a75747cc3a81278e636