[opensuse] Strange "PermissionDeniedByPolicy" Problem with 11.1
Hello,

I recently installed a new 11.1 system using autoyast which basically worked fine. However, working with KDE I noticed a strange problem when trying to suspend the machine to disk.

E.g. if I type (not being root) suspend -U in a KDE terminal window I get the message:

Error org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.power-management.hibernate no <-- (action, result)

When I am logged on being root then everything is OK. So it's after all a rights problem. Originally I tried to use kpowersave, but this tool disables the corresponding menu entries right from the start.

Another problem happens when accessing a USB stick. When I attach such a device I get a notification in KDE that there is a new device but if I try to open it using dolphin, then dolphin says:

org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.storage.mount-fixed no <- (action, result)

How can I debug this bug to find out what is going wrong? Where do I find the configuration that says who is allowed to mount a device?

I guess this has something to do with the autoyast installation, since I have two systems installed this way and both show these symptoms and another system installed without autoyast and there I do not have these problems.

How can I go on to find the problem?

Any ideas are welcome.

Thanks
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://www.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://www.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
This looks to me like a dbus permission problem. You can see in /etc/dbus-1/system.d/hal.conf whether you have permission for the action which is shown in the error message.

JR
Josef Reidinger wrote:
> This looks to me like a dbus permission problem. You can see in /etc/dbus-1/system.d/hal.conf whether you have permission for the action which is shown in the error message.

I saw too many of these, so I ended up giving myself permission to all policykit actions by putting:

,----
| <match user="my user name">
|   <return result="yes"/>
| </match>
`----

in /etc/PolicyKit/PolicyKit.conf. Of course it can be more fine grained by doing something like this with action keys:

,----
| <match action="org.freedesktop.hal.storage.mount-removable">
|   <match user="my user name">
|     <return result="yes"/>
|   </match>
| </match>
`----

To the people who don't know, you can see the list of actions by running polkit-action.

I learned a lot about PolicyKit from this release. I miss the simplicity of resmgr and the readability of its config file. :-(

Charles
--
"All language designers are arrogant. Goes with the territory..." (By Larry Wall)
On Thursday, 8 January 2009 09:01:06, Josef Reidinger wrote:
> Rainer Krienke wrote:
> > Hello,
> > I recently installed a new 11.1 system using autoyast which basically worked fine. However, working with KDE I noticed a strange problem when trying to suspend the machine to disk.
> > E.g. if I type (not being root) suspend -U in a KDE terminal window I get the message:
> > Error org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.power-management.hibernate no <-- (action, result)
> > ...
> This looks to me like a dbus permission problem. You can see in /etc/dbus-1/system.d/hal.conf whether you have permission for the action which is shown in the error message.
> JR
Thanks for the answer. I took a look at this file and the versions of /etc/dbus-1/system.d/hal.conf on a 11.1 system with the problem and another system that works just fine are identical. I would also expect to find the action in this file that is returned as permission denied:

org.freedesktop.hal.power-management.hibernate

But this action is not contained in this file.

I found out that on the system where everything is fine the command polkit-auth lists a lot of actions, one of them is org.freedesktop.hal.power-management.hibernate. On the system where it does not work a call to polkit-auth does not return a single line.

The problem is I do not yet see the difference between the two systems. Any idea where these policies could be defined if not in /etc/dbus-1/system.d/hal.conf?

Thanks
Rainer
As written by Charles, it is due to policykit. I found a simple howto at this page: http://cblfs.cross-lfs.org/index.php/PolicyKit#Configuration

JR
On Thu, Jan 08, 2009 at 10:44:31AM +0100, Rainer Krienke wrote:
> The problem is I do not yet see the difference between the two systems. Any idea where these policies could be defined if not in /etc/dbus-1/system.d/hal.conf?

The permission is denied by PolicyKit, not by the dbus-1 access layer.

/usr/share/PolicyKit/policy/ is the place to look at, and you can modify it per user if you want.

Ciao, Marcus
On Thursday, 8 January 2009 11:01:22, Marcus Meissner wrote:
> > The problem is I do not yet see the difference between the two systems. Any idea where these policies could be defined if not in /etc/dbus-1/system.d/hal.conf?
> The permission is denied by PolicyKit, not by the dbus-1 access layer.
> /usr/share/PolicyKit/policy/ is the place to look at, and you can modify it per user if you want.
In between I reinstalled the polkit-default-privs package on the system where I have problems just as a try, even if I did not modify the files contained in the package (/etc/polkit-default-privs.localprivs.restrictive, and privs.standard). Now when I try to hibernate the system it still does not work and polkit-auth still returns no output but the error message has changed:

$ powersave -U
Error org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
org.freedesktop.hal.power-management.hibernate auth_admin_keep_always <--
(action, result)

Next I looked in /usr/share/PolicyKit/policy/org.freedesktop.hal.power-management.policy there is this entry:

<action id="org.freedesktop.hal.power-management.hibernate">
  <description>Hibernate the system</description>
  <message>System policy prevents hibernating the system</message>
  <defaults>
Rainer Krienke wrote:
> I have really no idea what's going on. The system where policykit has problems is a system with NIS running, autofs running and without local (non-system) users. Could this cause any trouble (it did not however from suse8* to suse11.0, with generally identical installation)?

Here. Just putting this in /etc/PolicyKit/PolicyKit.conf, between <config version="0.1"> and </config>, will solve both of your problems (just replace "your user name or uid" with the real thing):

<match action="org.freedesktop.hal.storage.mount-removable">
  <match user="your user name or uid">
    <return result="yes"/>
  </match>
</match>
<match action="org.freedesktop.hal.storage.unmount-others">
  <match user="your user name or uid">
    <return result="yes"/>
  </match>
</match>
<match action="org.freedesktop.hal.power-management.hibernate">
  <match user="your user name or uid">
    <return result="yes"/>
  </match>
</match>

Charles
--
"We all know Linux is great...it does infinite loops in 5 seconds." (Linus Torvalds about the superiority of Linux on the Amsterdam Linux Symposium)
On Thursday, 8 January 2009 11:57:10, Charles Philip Chan wrote:
> Here. Just putting this in /etc/PolicyKit/PolicyKit.conf, between <config version="0.1"> and </config>, will solve both of your problems (just replace "your user name or uid" with the real thing):
>
> <match action="org.freedesktop.hal.storage.mount-removable">
>   <match user="your user name or uid">
>     <return result="yes"/>
>   </match>
> </match>

Hi Charles,

thank you for the policy file. I tried it, rebooted the machine and tried again to log in. Strange, but nothing has changed. polkit-auth says nothing, /var/lib/PolicyKit-public is empty and neither hibernation nor access to a USB stick works. The problem must be a very basic PolicyKit issue, but which?

Thanks
Rainer
Rainer Krienke wrote:
> thank you for the policy file. I tried it, rebooted the machine and tried again to log in. Strange, but nothing has changed. polkit-auth says nothing, /var/lib/PolicyKit-public is empty and neither hibernation nor access to a USB stick works. The problem must be a very basic PolicyKit issue, but which?

Strange, it worked for me. I installed 11.1 on my AAO (Acer Aspire One, hard drive version). Before that I could not hibernate, the options were grayed out in kpowersave, but now it works. I was also unable to mount/unmount any removable storage devices outside of root if I am not using any of the desktop environments on my desktop machine until I did that. There is definitely some deep Voodoo with PolicyKit. I miss resmgr.

Charles
--
Ever heard of .cshrc? That's a city in Bosnia. Right? (Discussion in comp.os.linux.misc on the intuitiveness of commands.)
On Thursday 08 January 2009, Rainer Krienke wrote:
> In between I reinstalled the polkit-default-privs package on the system where I have problems just as a try, even if I did not modify the files contained in the package (/etc/polkit-default-privs.localprivs.restrictive, and privs.standard). Now when I try to hibernate the system it still does not work and polkit-auth still returns no output but the error message has changed:
>
> $ powersave -U
> Error org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.power-management.hibernate auth_admin_keep_always <-- (action, result)

Check below first, solving this may be similar to the next one.

> Next I looked in /usr/share/PolicyKit/policy/org.freedesktop.hal.power-management.policy there is this entry:
>
> <action id="org.freedesktop.hal.power-management.hibernate">
>   <description>Hibernate the system</description>
>   <message>System policy prevents hibernating the system</message>
>   <defaults>
>     no yes
>   </defaults>
> </action>
>
> This entry however is identical on both systems: on the system where I can say powersave -U (start hibernate) and on the system where I get the error message.
>
> In /usr/share/PolicyKit/policy/org.freedesktop.hal.storage.policy there is also an entry:
>
> <action id="org.freedesktop.hal.storage.mount-removable">
>   <description>Mount file systems from removable drives.</description>
>   <message>System policy prevents mounting removable media</message>
>   <defaults>
>     no yes
>   </defaults>
> </action>
>
> But when I try to access a USB stick via dolphin it tells me: PermissionDeniedByPolicy: org.freedesktop.hal.storage.mount-removable auth_admin_keep_always <-(action,result) and the USB stick is not displayed in dolphin. And again the org.freedesktop.hal.storage.policy file is identical on both systems.

For some reason (probably running SuSEconfig) policykit loses the permission settings for removable storage. To fix it do "polkit-action --reset-defaults org.freedesktop.hal.storage.mount-removable" as an authorized user (root). If this doesn't work, maybe you should set appropriately the setgid/setuid bits of the policykit executables and try again, an error message should direct you accordingly.

> I have really no idea what's going on. The system where policykit has problems is a system with NIS running, autofs running and without local (non-system) users. Could this cause any trouble (it did not however from suse8* to suse11.0, with generally identical installation)?

In opensuse 11 the permissions for the policykit executables were incorrectly set for the secure permissions level. Check bug https://bugzilla.novell.com/show_bug.cgi?id=295341 (it's marked as WONTFIX, however 11.1 includes the fix?!)

> Thanks Rainer

Hope this helps,
Peter
On Thursday, 8 January 2009 12:08:46, auxsvr@gmail.com wrote:
> For some reason (probably running SuSEconfig) policykit loses the permission settings for removable storage. To fix it do "polkit-action --reset-defaults org.freedesktop.hal.storage.mount-removable" as an authorized user (root). If this doesn't work, maybe you should set appropriately the setgid/setuid bits of the policykit executables and try again, an error message should direct you accordingly.

Might really have something to do with SuSEconfig. In between I noticed that right after the installation everything is OK. Then I ran SuSEconfig, still everything was OK. Next I rebooted the very first time and after this reboot the problem shows up. polkit-action --reset-defaults for the mount-removable action did not help either. Still polkit-auth run as a regular user logged in using KDE3 or KDE4 shows no output and accessing a USB stick does not work.

> In opensuse 11 the permissions for the policykit executables were incorrectly set for the secure permissions level. Check bug https://bugzilla.novell.com/show_bug.cgi?id=295341 (it's marked as WONTFIX, however 11.1 includes the fix?!)

To check this I compared the permissions of

/usr/lib/PolicyKit/polkit-set-default-helper     polkituser:root  4755
/usr/lib/PolicyKit/polkit-read-auth-helper       root:polkituser  2755
/usr/lib/PolicyKit/polkit-revoke-helper          root:polkituser  2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper  root:polkituser  2755
/usr/lib/PolicyKit/polkit-grant-helper           root:polkituser  2755
/usr/lib/PolicyKit/polkit-grant-helper-pam       root:polkituser  4750

with the corresponding files on the system that does not have this problem. I did not see a difference. All the files above also have entries in /etc/permissions.easy (the above is a copy so you see the permissions being set) and the security scheme is set to "easy local" and chkstat /etc/permissions.easy does not show any output, so there are no files having "wrong" permissions. /etc/permissions.local is empty.

What else could I try?

Thanks
Rainer
Hello,

in between I found the problem, which was caused by wrong ownership of directories like /var/cache/hald and similar. They belonged e.g. to a user called icecream (id 106). This wrong ownership again was caused by double entries in /etc/passwd with different usernames but identical uids. The user haldaemon also had uid 106. And finally these double uids were caused by my autoyast file that contained some group entries from the time the autoyast file had been created by cloning a running system which contained already a user with uid 106. Removing all group entries from the autoyast file fixed the whole problem.

Thanks for your help
Rainer
participants (5): auxsvr@gmail.com, Charles Philip Chan, Josef Reidinger, Marcus Meissner, Rainer Krienke