http://bugzilla.suse.com/show_bug.cgi?id=971580 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|polkit-default-privs.standa |AUDIT-0: |rd is too restrictive for |polkit-default-privs.standa |FirewallD |rd is too restrictive for | |FirewallD -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=971580 http://bugzilla.suse.com/show_bug.cgi?id=971580#c2 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |krahmer@suse.com --- Comment #2 from Sebastian Krahmer --- This was by intention. Accessing firewall rules may not be something for the average user. Whats wrong with entering admin credentials when doing so? Which rules in particular you want to have relaxed for .standard? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=971580 http://bugzilla.suse.com/show_bug.cgi?id=971580#c3 Markos Chandras changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(mchandras@suse.co | |m) | --- Comment #3 from Markos Chandras --- (In reply to Sebastian Krahmer from comment #2)

This was by intention. Accessing firewall rules may not be something for the average user. Whats wrong with entering admin credentials when doing so? Which rules in particular you want to have relaxed for .standard?

Hi Sebastian, If you compare the 'desktop' and 'server' polkit files as provided by the firewalld package you will see that they only differ in the *.info actions (eg org.fedoraproject.FirewallD1.policies.info). The desktop file is far more relaxed in allowing users to obtain the current configuration without authentication. Altering the configuration needs authentication of course. I can provide the diff between these two files if needed. This will affect desktop users using NetworkManager in the future (currently firewalld is disabled in our NM builds) because it means that whenever you edit or query a network connection for your user session you will have to gain extra privileges in order for NM to talk to firewalld via dbus obtain the zone for the network interface. I think this is not very user friendly for desktop environments. For what is worth, Fedora (I am mentioning Fedora because it's been using firewalld as default for a while) also uses the desktop polkit file in the workstation builds so querying the firewall as a user is allowed there. My understanding is that the restrictive file targets secure environments (servers, secured workstations etc) and the standard one targets home-based environments so the current behavior is probably not very user friendly for regular users. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=971580 http://bugzilla.suse.com/show_bug.cgi?id=971580#c6 --- Comment #6 from Sebastian Krahmer --- Please find https://github.com/openSUSE/polkit-default-privs/commit/e1d4152682fd89d23407... That should work? New polkit-default-privs packages should not be necessary by now? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=971580 http://bugzilla.suse.com/show_bug.cgi?id=971580#c8 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #8 from Sebastian Krahmer --- closing as resolved -- You are receiving this mail because: You are on the CC list for the bug.