[Bug 939191] New: AUDIT-0 New untracked dbus service: New package iio-sensor-proxy
http://bugzilla.opensuse.org/show_bug.cgi?id=939191 Bug ID: 939191 Summary: AUDIT-0 New untracked dbus service: New package iio-sensor-proxy Classification: openSUSE Product: openSUSE Factory Version: 201505* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: zaitor@opensuse.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Hi Sec people New package with review needed: iio-sensor-proxy Lives in GNOME:Next for now (with rpmlintrc). [ 83s] RPMLINT report: [ 83s] =============== [ 85s] (none): E: badness 10000 exceeds threshold 1000, aborting. [ 85s] iio-sensor-proxy.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/net.hadess.SensorProxy.conf [ 85s] The package installs a DBUS system service file. If the package is intended [ 85s] for inclusion in any SUSE product please open a bug report to request review [ 85s] of the service by the security team. [ 85s] [ 85s] iio-sensor-proxy.x86_64: W: non-conffile-in-etc /etc/dbus-1/system.d/net.hadess.SensorProxy.conf [ 85s] A non-executable file in your package is being installed in /etc, but is not a [ 85s] configuration file. All non-executable files in /etc should be configuration [ 85s] files. Mark the file as %config in the spec file. [ 85s] [ 85s] iio-sensor-proxy.x86_64: W: no-manual-page-for-binary monitor-sensor [ 85s] iio-sensor-proxy.x86_64: W: no-manual-page-for-binary iio-sensor-proxy [ 85s] Each executable in standard binary directories should have a man page. [ 85s] [ 85s] iio-sensor-proxy.x86_64: W: dbus-policy-allow-without-destination /etc/dbus-1/system.d/net.hadess.SensorProxy.conf: <allow send_interface="net.hadess.SensorProxy"/> [ 85s] 'allow' directives must always specify a 'send_destination' [ 85s] [ 85s] 2 packages and 0 specfiles checked; 1 errors, 4 warnings. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c2
Bjørn Lie
From http://www.hadess.net/2015/05/iio-sensor-proxy-10-is-out.html
Modern (and some less modern) laptops and tablets have a lot of builtin sensors: accelerometer for screen positioning, ambient light sensors to adjust the screen brightness, compass for navigation, proximity sensors to turn off the screen when next to your ear, etc. Enabling We've supported accelerometers in GNOME/Linux for a number of years, following work on the WeTab. The accelerometer appeared as an input device, and sent kernel events when the orientation of the screen changed. Recent devices, especially Windows 8 compatible devices, instead export a HID device, which, under Linux, is handled through the IIO subsystem. So the first version of iio-sensor-proxy took readings from the IIO sub-system and emulated the WeTab's accelerometer: a few too many levels of indirection. The 1.0 version of the daemon implements a D-Bus interface, which means we can support more than accelerometers. The D-Bus API, this time, is modelled after the Android and iOS APIs. ==================== Note that this package is replacing functionality that is beeing dropped from systemd v222 (it was dropped from systemd because of this package replacing it). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c3
--- Comment #3 from Bjørn Lie
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c5
--- Comment #5 from Bjørn Lie
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c7
Atri Bhattacharya
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c8
--- Comment #8 from Atri Bhattacharya
The question is whether its really needed to run that service as root, not who is allowed to access it.
We try to avoid to run dbus services as root. If necessary, upstream has to add patches to run it as a dedicated user.
Hi Sebastien, In light of c7, could you please comment on what should be done to get this package the necessary security clearance for factory? Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c9
--- Comment #9 from Atri Bhattacharya
http://bugzilla.opensuse.org/show_bug.cgi?id=939191
http://bugzilla.opensuse.org/show_bug.cgi?id=939191#c11
--- Comment #11 from Atri Bhattacharya
So this will only be handled in January, sorry :/
Hi Sebastian! This is a polite reminder to take a re-look at this when you have the time. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com