
Add rule for unconfined polkitd

Frederic Danis requested to merge wip/fdanis/5350 into apertis/v2020dev0

rhosydd test fails with:

O: Traceback (most recent call last):
O:   File \"/usr/lib/x86_64-linux-gnu/installed-tests/rhosydd-0/integration.py\", line 57, in setUp
O:     self.vehicle_manager = self._get_vehicle_manager(self.conn)
O:   File \"/usr/lib/x86_64-linux-gnu/installed-tests/rhosydd-0/integration.py\", line 80, in _get_vehicle_manager
O:     return Rhosydd.VehicleManager.new_finish(self._block_on_result())
O: gi.repository.GLib.GError: g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type=\"method_call\", sender=\":1.10\" (uid=109 pid=428 comm=\"/usr/bin/rhosydd \" label=\"/usr/bin/rhosydd (enforce)\") interface=\"org.freedesktop.PolicyKit1.Authority\" member=\"CheckAuthorization\" error name=\"(unset)\" requested_reply=\"0\" destination=\":1.13\" (uid=105 pid=462 comm=\"/usr/lib/polkit-1/polkitd --no-debug \" label=\"unconfined\") (9)

In this case, rhosydd's AppArmor profile expects that PolicyKit has an AppArmor profile, setting its label to '/usr/lib/polkit-1/polkitd'. But this is not the case, and polkitd has the 'unconfined' label. Adding a rule based on the PolicyKit D-Bus path and interface to rhosydd allows the communication between rhosydd and polkitd.

Fixes: APERTIS-5350

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
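
A small triage helper for denials like the one quoted in the description, added here as an example (not code from this merge request or from Apertis): it extracts the sender and recipient AppArmor labels from the dbus-daemon error and compares the recipient's label with the peer label the sender's profile expects. The function names are hypothetical, the sample string is the quoted denial with its backslash escapes removed, and the comparison is an exact string match rather than AppArmor's own glob matching.

```python
import re

# Constructed sample: the denial from the description, backslash escapes removed.
DENIAL = (
    'An AppArmor policy prevents this sender from sending this message to this '
    'recipient; type="method_call", sender=":1.10" (uid=109 pid=428 '
    'comm="/usr/bin/rhosydd " label="/usr/bin/rhosydd (enforce)") '
    'interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" '
    'error name="(unset)" requested_reply="0" destination=":1.13" (uid=105 pid=462 '
    'comm="/usr/lib/polkit-1/polkitd --no-debug " label="unconfined") (9)'
)

_PEER = r'="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)" label="([^"]*)"\)'


def parse_denial(msg):
    """Split a dbus-daemon AppArmor denial into message fields and both peers."""
    msg = msg.replace('\\"', '"')  # tolerate log output with escaped quotes
    out = {}
    for key in ("type", "interface", "member"):
        m = re.search(r'\b%s="([^"]*)"' % key, msg)
        out[key] = m.group(1) if m else None
    for role in ("sender", "destination"):
        m = re.search(role + _PEER, msg)
        if not m:
            out[role] = None
            continue
        # A confined label is reported as "<profile> (<mode>)"; unconfined has no mode.
        label, _, mode = m.group(5).partition(" (")
        out[role] = {"name": m.group(1), "uid": int(m.group(2)),
                     "pid": int(m.group(3)), "comm": m.group(4).strip(),
                     "label": label, "mode": mode.rstrip(")") or None}
    return out


def peer_label_mismatch(denial, expected_peer_label):
    """Return a diagnosis if the recipient's label differs from the expected one."""
    dest, sender = denial["destination"], denial["sender"]
    if dest is None or sender is None or dest["label"] == expected_peer_label:
        return None
    return ("profile %s expects peer label %r for %s.%s, but %s (pid %d) runs as %r"
            % (sender["label"], expected_peer_label, denial["interface"],
               denial["member"], dest["comm"].split()[0], dest["pid"], dest["label"]))


if __name__ == "__main__":
    print(peer_label_mismatch(parse_denial(DENIAL), "/usr/lib/polkit-1/polkitd"))
```
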
