Bug 1149216 - AUDIT-0: systemd: resolved untracked privileges in v243
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Priority: P5 - None; Severity: Normal
Assigned To: Malte Kraus
Reported: 2019-09-03 14:34 UTC by Franck Bui
Modified: 2019-09-23 08:03 UTC (History)
Description Franck Bui 2019-09-03 14:34:02 UTC
Upcoming systemd 243 has a number of new privileges that need whitelisting please:

> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.revert (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-default-route (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-dns-over-tls (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-dns-servers (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-dnssec (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-dnssec-negative-trust-anchors (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-domains (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-llmnr (auth_admin:auth_admin:auth_admin_keep)
> E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.set-mdns (auth_admin:auth_admin:auth_admin_keep)

See https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596 for details.
Comment 1 Malte Kraus 2019-09-03 14:47:48 UTC
In bsc#1146300, we've already whitelisted most of those (it's still stuck in OBS though). There, 'org.freedesktop.network1.revert-dns' was requested instead of 'org.freedesktop.resolve1.revert' however.

Which one of these is the correct one?
Comment 2 Franck Bui 2019-09-03 15:34:05 UTC
(In reply to Malte Kraus from comment #1)
> In bsc#1146300, we've already whitelisted most of those (it's still stuck in
> OBS though). There, 'org.freedesktop.network1.revert-dns' was requested
> instead of 'org.freedesktop.resolve1.revert' however.
> 
> Which one of these is the correct one?

Both.

This report is relevant to systemd-resolved whereas bsc#1146300 is for systemd-networkd.

Both services provide a subset of functions which are similar.
Comment 3 Malte Kraus 2019-09-03 15:51:41 UTC
Ah, sorry. I skipped over everything except the last word in these annoyingly long freedesktop names and missed the important difference in the middle.

We'll schedule a review then.
Comment 4 Franck Bui 2019-09-04 07:16:23 UTC
No problem.

Do you have a rough idea about when this will be scheduled?

I'm asking because v243 is waiting for this whitelisting before being submitted to Factory and hence starting to pass the openQA test suite.
Comment 5 Malte Kraus 2019-09-04 09:57:53 UTC
Starting now, I expect to finish this week unless it turns out to be a lot more than I expect now.
Comment 6 Franck Bui 2019-09-04 13:13:24 UTC
Perfect, thanks Malte.
Comment 7 Malte Kraus 2019-09-05 16:17:18 UTC
Looks all fine to me.

I've added a whitelisting and submitted to OBS: https://build.opensuse.org/request/show/728566
Comment 8 Franck Bui 2019-09-06 06:10:27 UTC
That was quick, thanks Malte.