[Bug 1218327] New: AUDIT-0: dnf5: Audit dnf5daemon D-Bus files for whitelist
https://bugzilla.suse.com/show_bug.cgi?id=1218327

Bug ID: 1218327
Summary: AUDIT-0: dnf5: Audit dnf5daemon D-Bus files for whitelist
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: ngompa13@gmail.com
QA Contact: security-team@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

For my package found in OBS in system:packagemanager:dnf/dnf5 I would like a whitelisting for the following rpmlint errors:

[ 520s] dnf5daemon-server.x86_64: E: dbus-file-unauthorized (Badness: 10000) /etc/dbus-1/system.d/org.rpm.dnf.v0.conf (sha256 file digest default filter:4dd26c049d6240e6640106bb8805ec958e03d9ad79eb2823152b9a92156554a9 shell filter:4dd26c049d6240e6640106bb8805ec958e03d9ad79eb2823152b9a92156554a9 xml filter:bd2c589d0cb083d7b8a7696b98e0a344b2501ecd2d91a7fe447028cb47f75210)
[ 520s] dnf5daemon-server.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/org.rpm.dnf.v0.service (sha256 file digest default filter:8dff187bd14e516fd976731fb4ab3996bb92b36dfa944733655641a6aec215e1 shell filter:8dff187bd14e516fd976731fb4ab3996bb92b36dfa944733655641a6aec215e1 xml filter:<failed-to-calculate>)
[ 520s] Packaging D-Bus services requires a review and whitelisting by the SUSE
[ 520s] security team. If the package is intended for inclusion in any SUSE product
[ 520s] please open a bug report to request review of the package by the security
[ 520s] team. Please refer to
[ 520s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 520s] more information.

This blocks my submit request: https://build.opensuse.org/request/show/1134536

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1218327

Neal Gompa <ngompa13@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |daniel.mach@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c25

--- Comment #25 from Neal Gompa <ngompa13@gmail.com> ---
It looks like everything is included in dnf5-5.1.14, so I'm rebasing to that now.

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c26

--- Comment #26 from Neal Gompa <ngompa13@gmail.com> ---
Rebased and submission made: https://build.opensuse.org/request/show/1156444

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c37

--- Comment #37 from Neal Gompa <ngompa13@gmail.com> ---
I've made a new submission with the latest dnf5 version: https://build.opensuse.org/request/show/1165011

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c39

--- Comment #39 from Neal Gompa <ngompa13@gmail.com> ---
That's taken care of now in the latest SR: https://build.opensuse.org/request/show/1165750

I've also submitted a pull request upstream: https://github.com/rpm-software-management/dnf5/pull/1384

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c40

--- Comment #40 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1218327) was mentioned in
https://build.opensuse.org/request/show/1166154 Factory / rpmlint

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c41

--- Comment #41 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1218327) was mentioned in
https://build.opensuse.org/request/show/1168340 Factory / rpmlint

https://bugzilla.suse.com/show_bug.cgi?id=1218327#c43

--- Comment #43 from Neal Gompa <ngompa13@gmail.com> ---
I still have this error in my submission:

[ 439s] dnf5daemon-server.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.rpm.dnf.v0.rpm.Repo.conf_write (auth_admin:auth_admin:auth_admin_keep)
[ 439s] dnf5daemon-server.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.rpm.dnf.v0.rpm.execute_transaction (auth_admin:auth_admin:auth_admin_keep)
[ 439s] dnf5daemon-server.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.rpm.dnf.v0.rpm.Repo.confirm_key (auth_admin:auth_admin:auth_admin)
[ 439s] dnf5daemon-server.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.rpm.dnf.v0.base.Config.override (auth_admin:auth_admin:auth_admin)
[ 439s] The polkit action is not listed in the polkit-default-privs profiles which
[ 439s] makes it harder for admins to find. Furthermore improper polkit authorization
[ 439s] checks can easily introduce security issues. If the package is intended for
[ 439s] inclusion in any SUSE product please open a bug report to request review of
[ 439s] the package by the security team. Please refer to
[ 439s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 439s] more information.
