I installed the NetworkManager-openconnect package on Fedora 15, configured a VPN and tried to connect to it. It failed, and although the error message I got from NetworkManager was next to useless, I found this in /var/log/messages: Jul 21 23:11:51 shinybook dbus: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.3" (uid=0 pid=829 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Ne edSecrets" error name="(unset)" requested_reply=0 destination="org.freedesktop.N etworkManager.openconnect" (uid=0 pid=4204 comm="/usr/libexec/nm-openconnect-ser vice ")) Jul 21 23:11:51 shinybook NetworkManager[829]: <error> [1311315111.508900] [nm-v pn-connection.c:823] plugin_need_secrets_cb(): (591b235e-691f-4f94-8f99-fc38ee9f 1231/Intel AnyConnect VPN) plugin NeedSecrets request #1 failed: dbus-glib-error -quark Rejected send message, 1 matched rules; type="method_call", sender=":1.3" (uid=0 pid=829 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.fre edesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" re quested_reply=0 destination="org.freedesktop.NetworkManager.openconnect" (uid=0 pid=4204 comm="/usr/libexec/nm-openconnect-service ")) I sent the (system) dbus dæmon a SIGHUP and it told me it was reloading its config, but it didn't seem to notice the newly-installed /etc/dbus-1/system.d/nm-openconnect-service.conf file. So I killed it, and *that* worked. After I'd restarted my X session, *then* I could connect to the VPN. Somewhat suboptimal...
This was reported to me by a clueful user who told me that restarting NetworkManager didn't help. And I'm fairly sure that when I restarted NetworkManager during my *initial* testing tonight, he was right. But *now*, I can remove the n-m-openconnect package, reboot, then reinstall it and all I have to do is restart NetworkManager to make things work. Dan?
What appears to be happening here is that newly written rules (from the VPN plugin) are not loaded into NM's bus policy. The attached logs are the result of rebuilding dbus-daemon with verbose mode and adding a bunch of logging to teh rules processing. You'll note in the "good" log that there's a rule: 1201: [policy.c(895):dump_rule] (0x12091a8) SEND ALLOW T:invalid path:'(none)' intf:'(none)' memb:'(none)' err:'(none)' dest:'org.freedesktop.NetworkManager.vpnc' eavs:0 rrep:1 log:0 1201: [policy.c(1116):bus_client_policy_check_can_send] (policy) used rule, allow now = 1 but this rule is not present in the "bad" log. The only difference between the good and bad logs is that after the bad log, and before the good log, the NetworkManager service was restarted. Thus the theory that the new rules were only loaded into NM's bus policy when NM was restarted, not when the new rules were written to disk.
Created attachment 50386 [details] Log of policy denial
Created attachment 50387 [details] Log of policy allow (good)
dbus-daemon is meant to re-read policy files when they change (it uses Linux inotify, Linux dnotify or FreeBSD kqueue where supported), but perhaps it only re-reads pre-existing files, and doesn't re-scan the directory itself?
Our hypothesis was the the files *are* reloaded, but the changed rules only apply to *new* clients. The existing clients which were running before the change, are still operating under the old rules. Hence having to restart NM before the new rules apply to it.
Crap - looks to me you guys are right, the bus does cache the policy per client =( It looks like this is done partly to optimize the rules per-client. We may be able to call bus_policy_create_client_policy() after reloading for each connection. (With suitable changes to unref the existing policy).
Created attachment 90561 [details] [review] [PATCH] Reload policy rules for completed connections The message bus which can monitor its conf dirs for changes and reload confs immediately if dir monitor enabled, for example, inotify in Linux, kqueue in *BSD. However, it doesn't apply policy rules change for completed connections, so to apply policy rules change, the client connection has to disconnect first and then re-connect to message bus. For imcomplete connections, it always has the latest review of policy rules.
Created attachment 90562 [details] [review] [debug patch] bus_client_policy_print() added to print policy rules of connection This patch is on my debug-dev branch, I'm not sure you'd like to apply it to master branch, it's only useful for debugging.
Comment on attachment 90561 [details] [review] [PATCH] Reload policy rules for completed connections Review of attachment 90561 [details] [review]: ----------------------------------------------------------------- Makes sense.
(In reply to comment #9) > This patch is on my debug-dev branch, I'm not sure you'd like to apply it to > master branch, it's only useful for debugging. I'm not going to add unused functions, no. I wouldn't mind adding it if it was called from an appropriate place (just after setting d->policy, perhaps), used _dbus_verbose instead of _dbus_warn, and was empty (a no-op) unless defined(DBUS_ENABLE_VERBOSE) (or whatever that mode is really called, if that's not it).
Fixed in git for 1.7.10, thanks
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.