Bug 39463 - Changes in /etc/dbus-1 not picked up for existing clients
Summary: Changes in /etc/dbus-1 not picked up for existing clients
Status: RESOLVED FIXED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: 1.4.x
Hardware: Other All
: medium normal
Assignee: Havoc Pennington
QA Contact: John (J5) Palmieri
URL:
Whiteboard: review?
Keywords: patch
Depends on:
Blocks:
 
Reported: 2011-07-21 23:20 UTC by David Woodhouse
Modified: 2014-01-06 16:31 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Log of policy denial (77.88 KB, text/plain)
2011-08-19 15:19 UTC, Dan Williams
Details
Log of policy allow (good) (111.59 KB, text/plain)
2011-08-19 15:20 UTC, Dan Williams
Details
[PATCH] Reload policy rules for completed connections (3.89 KB, patch)
2013-12-10 09:20 UTC, Chengwei Yang
Details | Splinter Review
[debug patch] bus_client_policy_print() added to print policy rules of connection (3.18 KB, patch)
2013-12-10 09:23 UTC, Chengwei Yang
Details | Splinter Review

Description David Woodhouse 2011-07-21 23:20:47 UTC
I installed the NetworkManager-openconnect package on Fedora 15, configured a VPN and tried to connect to it. It failed, and although the error message I got from NetworkManager was next to useless, I found this in /var/log/messages:

Jul 21 23:11:51 shinybook dbus: [system] Rejected send message, 1 matched rules;
 type="method_call", sender=":1.3" (uid=0 pid=829 comm="/usr/sbin/NetworkManager
 --no-daemon ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Ne
edSecrets" error name="(unset)" requested_reply=0 destination="org.freedesktop.N
etworkManager.openconnect" (uid=0 pid=4204 comm="/usr/libexec/nm-openconnect-ser
vice "))
Jul 21 23:11:51 shinybook NetworkManager[829]: <error> [1311315111.508900] [nm-v
pn-connection.c:823] plugin_need_secrets_cb(): (591b235e-691f-4f94-8f99-fc38ee9f
1231/Intel AnyConnect VPN) plugin NeedSecrets request #1 failed: dbus-glib-error
-quark Rejected send message, 1 matched rules; type="method_call", sender=":1.3"
 (uid=0 pid=829 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.fre
edesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" re
quested_reply=0 destination="org.freedesktop.NetworkManager.openconnect" (uid=0 
pid=4204 comm="/usr/libexec/nm-openconnect-service "))


I sent the (system) dbus dæmon a SIGHUP and it told me it was reloading its config, but it didn't seem to notice the newly-installed /etc/dbus-1/system.d/nm-openconnect-service.conf file. So I killed it, and *that* worked. After I'd restarted my X session, *then* I could connect to the VPN.

Somewhat suboptimal...
Comment 1 David Woodhouse 2011-07-22 00:23:12 UTC
This was reported to me by a clueful user who told me that restarting NetworkManager didn't help. And I'm fairly sure that when I restarted NetworkManager during my *initial* testing tonight, he was right.

But *now*, I can remove the n-m-openconnect package, reboot, then reinstall it and all I have to do is restart NetworkManager to make things work.

Dan?
Comment 2 Dan Williams 2011-08-19 15:15:47 UTC
What appears to be happening here is that newly written rules (from the VPN plugin) are not loaded into NM's bus policy.  The attached logs are the result of rebuilding dbus-daemon with verbose mode and adding a bunch of logging to teh rules processing.  You'll note in the "good" log that there's a rule:

1201: [policy.c(895):dump_rule] (0x12091a8) SEND ALLOW T:invalid path:'(none)' intf:'(none)' memb:'(none)' err:'(none)' dest:'org.freedesktop.NetworkManager.vpnc' eavs:0 rrep:1 log:0
1201: [policy.c(1116):bus_client_policy_check_can_send]   (policy) used rule, allow now = 1

but this rule is not present in the "bad" log.  The only difference between the good and bad logs is that after the bad log, and before the good log, the NetworkManager service was restarted.  Thus the theory that the new rules were only loaded into NM's bus policy when NM was restarted, not when the new rules were written to disk.
Comment 3 Dan Williams 2011-08-19 15:19:35 UTC
Created attachment 50386 [details]
Log of policy denial
Comment 4 Dan Williams 2011-08-19 15:20:00 UTC
Created attachment 50387 [details]
Log of policy allow (good)
Comment 5 Simon McVittie 2011-08-23 01:52:31 UTC
dbus-daemon is meant to re-read policy files when they change (it uses Linux inotify, Linux dnotify or FreeBSD kqueue where supported), but perhaps it only re-reads pre-existing files, and doesn't re-scan the directory itself?
Comment 6 David Woodhouse 2011-08-23 02:49:38 UTC
Our hypothesis was the the files *are* reloaded, but the changed rules only apply to *new* clients. The existing clients which were running before the change, are still operating under the old rules. Hence having to restart NM before the new rules apply to it.
Comment 7 Colin Walters 2011-08-23 07:59:56 UTC
Crap - looks to me you guys are right, the bus does cache the policy per client =(

It looks like this is done partly to optimize the rules per-client.

We may be able to call bus_policy_create_client_policy() after reloading for each connection.  (With suitable changes to unref the existing policy).
Comment 8 Chengwei Yang 2013-12-10 09:20:16 UTC
Created attachment 90561 [details] [review]
[PATCH] Reload policy rules for completed connections

The message bus which can monitor its conf dirs for changes and reload
confs immediately if dir monitor enabled, for example, inotify in Linux,
kqueue in *BSD.

However, it doesn't apply policy rules change for completed connections,
so to apply policy rules change, the client connection has to disconnect
first and then re-connect to message bus.

For imcomplete connections, it always has the latest review of policy
rules.
Comment 9 Chengwei Yang 2013-12-10 09:23:09 UTC
Created attachment 90562 [details] [review]
[debug patch] bus_client_policy_print() added to print policy rules of connection

This patch is on my debug-dev branch, I'm not sure you'd like to apply it to master branch, it's only useful for debugging.
Comment 10 Simon McVittie 2014-01-06 15:21:29 UTC
Comment on attachment 90561 [details] [review]
[PATCH] Reload policy rules for completed connections

Review of attachment 90561 [details] [review]:
-----------------------------------------------------------------

Makes sense.
Comment 11 Simon McVittie 2014-01-06 15:23:40 UTC
(In reply to comment #9)
> This patch is on my debug-dev branch, I'm not sure you'd like to apply it to
> master branch, it's only useful for debugging.

I'm not going to add unused functions, no.

I wouldn't mind adding it if it was called from an appropriate place (just after setting d->policy, perhaps), used _dbus_verbose instead of _dbus_warn, and was empty (a no-op) unless defined(DBUS_ENABLE_VERBOSE) (or whatever that mode is really called, if that's not it).
Comment 12 Simon McVittie 2014-01-06 16:31:36 UTC
Fixed in git for 1.7.10, thanks


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.