dbus accessDenied
Environment
BB_VERSION = "1.30.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "arm-agl-linux-gnueabi"
MACHINE = "nitrogen6x"
DISTRO = "poky-agl"
DISTRO_VERSION = "3.0.0+snapshot-20161221"
TUNE_FEATURES = "arm armv7a vfp thumb neon callconvention-hard cortexa9"
TARGET_FPU = "hard"
meta-fsl-arm = "HEAD:e2254e7b2ded0c2b66b1226f879b3a6d52037b2d"
meta-fsl-arm-extra = "HEAD:e95f4ae61fdaf6452d6dfa9cb59dbdf9cdf73c99"
meta-boundary = "HEAD:b526a39452ea69626cddae230718401616c99412"
meta-valid-ivi = "krogoth:acaeec5dbb4e2df39ddb9350958b819747546b02"
meta-browser = "HEAD:b251177608a8be789fe71f35e27558436ff46f50"
meta-xfce
meta-gnome = "HEAD:55c8a76da5dc099a7bc3838495c672140cedb78e"
meta-netboot = "HEAD:1a70e5e8f48f17f604ab243dfb3ff01f7aa435f6"
meta-oic = "HEAD:4d215eb63a27b5fe14216a25a760092002d13a33"
meta-qt5 = "HEAD:9aa870eecf6dc7a87678393bd55b97e21033ab48"
meta-agl-demo = "HEAD:611806e19ca6da042c5c3ad843c7d988f4e57783"
meta-security-smack
meta-security-framework = "HEAD:20bbb97f6d5400b126ae96ef446c3e60c7e16285"
meta-app-framework = "HEAD:a79a0100e61acc714a1f6b28476182b7daeede74"
meta-oe
meta-multimedia
meta-efl
meta-networking
meta-python = "HEAD:55c8a76da5dc099a7bc3838495c672140cedb78e"
meta-ivi-common
meta-agl
meta-agl-bsp = "HEAD:1a70e5e8f48f17f604ab243dfb3ff01f7aa435f6"
meta
meta-poky
meta-yocto-bsp = "HEAD:ae9b341ecfcc60e970f29cfe04306411ad26c0cf"
Activity
Nathan Illerbrun December 22, 2016 at 6:50 PM
Is not a bug.
Nathan Illerbrun December 22, 2016 at 6:48 PM (Edited)
Seeing that CONFIG_DEFAULT_SECURITY_SMACK was not set, even though it was set in my config fragment, I found out that
CONFIG_DEFAULT_SECURITY_APPARMOR=y
was set elsewhere, so I added
# CONFIG_DEFAULT_SECURITY_APPARMOR=y is not set
to my config fragment. Now I get 'System' as expected.
Thanks Jose.
Jose Bollo December 22, 2016 at 6:35 PM
CONFIG_DEFAULT_SECURITY_SMACK is not set
This is the cause: afm-util is a tool that runs within the Smack+Cynara security environment.
What is your board?
How do you set up the build?
Do you follow the procedure?
Nathan Illerbrun December 22, 2016 at 4:41 PM (Edited)
root@nitrogen6x:/usr/bin# id -Z
id: --context (-Z) works only on an SELinux/SMACK-enabled kernel
----------------------------- From build machine:
$ grep -i smack ~/agl/build/tmp/work-shared/nitrogen6x/kernel-build-artifacts/.config
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
# CONFIG_SECURITY_SMACK_NETFILTER is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
$ grep -i selinux ~/agl/build/tmp/work-shared/nitrogen6x/kernel-build-artifacts/.config
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
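The check that Nathan's two comments above do by hand (grep the kernel .config for CONFIG_SECURITY_SMACK and the CONFIG_DEFAULT_SECURITY_* choice, then write a fragment that unsets the competing default), as an added shell example. This is my code, not part of the ticket and not AGL tooling; the .config text is constructed to mirror the grep output above with the CONFIG_DEFAULT_SECURITY_APPARMOR=y line that was found set elsewhere, and the function names (default_lsm, check_smack_default, fragment_for_smack, current_label) are mine.

```shell
#!/bin/sh
# Added example, not from the ticket or from AGL: inspect a kernel .config for the
# CONFIG_DEFAULT_SECURITY_* choice and tell whether Smack is both built in and the
# default LSM, which is what afm-util needs in order to run under a Smack label.

# Constructed sample .config text, modelled on the grep output in the ticket plus the
# CONFIG_DEFAULT_SECURITY_APPARMOR=y line that turned out to be set elsewhere.
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
CONFIG_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set'

# default_lsm CONFIG_TEXT: lowercase name of the LSM selected by the
# CONFIG_DEFAULT_SECURITY_* choice ("smack", "apparmor", ...), or "none".
default_lsm() {
    printf '%s\n' "$1" |
        sed -n 's/^CONFIG_DEFAULT_SECURITY_\([A-Z]*\)=y$/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z' | grep . || echo none
}

# lsm_built_in CONFIG_TEXT NAME: succeeds when CONFIG_SECURITY_<NAME>=y.
lsm_built_in() {
    printf '%s\n' "$1" | grep -q "^CONFIG_SECURITY_$2=y\$"
}

# check_smack_default CONFIG_TEXT: prints "ok", "smack-not-built", or
# "smack-not-default:<lsm>" naming the default that won the choice instead.
check_smack_default() {
    if ! lsm_built_in "$1" SMACK; then
        echo smack-not-built
        return 1
    fi
    lsm=$(default_lsm "$1")
    if [ "$lsm" = smack ]; then
        echo ok
        return 0
    fi
    echo "smack-not-default:$lsm"
    return 1
}

# fragment_for_smack CONFIG_TEXT: lines to add to a Yocto kernel config fragment so
# that the next merge makes Smack the default: unset the competing default in
# Kconfig's canonical "# CONFIG_X is not set" form, then select Smack.
fragment_for_smack() {
    other=$(default_lsm "$1")
    if [ "$other" != none ] && [ "$other" != smack ]; then
        printf '# CONFIG_DEFAULT_SECURITY_%s is not set\n' "$(echo "$other" | tr 'a-z' 'A-Z')"
    fi
    echo 'CONFIG_DEFAULT_SECURITY_SMACK=y'
}

# current_label: on the target, the label `id -Z` reports is what the kernel exposes
# in /proc/self/attr/current; prints "no-lsm-label" when no LSM provides one.
current_label() {
    cat /proc/self/attr/current 2>/dev/null | tr -d '\0' | grep . || echo no-lsm-label
}

# Against a real tree: check_smack_default "$(cat tmp/work-shared/<machine>/kernel-build-artifacts/.config)"
if ! check_smack_default "$SAMPLE_CONFIG"; then   # prints smack-not-default:apparmor
    echo 'fragment lines needed:'
    fragment_for_smack "$SAMPLE_CONFIG"
fi
```

Run it on the build machine with the real .config path substituted for the sample; run current_label on the target after reboot, where a Smack kernel should answer with the label that `id -Z` prints.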
Jose Bollo December 22, 2016 at 8:00 AM
This error means that the script /usr/bin/afm-util is not authorized by Cynara to contact org.AGL.afm.user.
Could you please try the command 'id -Z' and check its context? It is expected to be 'System'.

Description
root@nitrogen6x:/usr/AGL/ces2017-demo# ./installAllApps.sh
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.18" (uid=0 pid=608 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.19" (uid=0 pid=613 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.20" (uid=0 pid=618 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.21" (uid=0 pid=623 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.22" (uid=0 pid=628 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.23" (uid=0 pid=633 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.24" (uid=0 pid=638 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
root@nitrogen6x:/usr/AGL/ces2017-demo# cat /etc/dbus-1/s
session.conf session.d/ system.conf system.d/
----------------------------------------------------------------------------------------------------------------
root@nitrogen6x:/usr/AGL/ces2017-demo# cat /etc/dbus-1/system.conf
<!-- This configuration file controls the systemwide message bus.
     Add a system-local.conf and edit that rather than changing this
     file directly. -->

<!-- Note that there are any number of ways you can hose yourself
     security-wise by screwing up this file; in particular, you
     probably don't want to listen on any more addresses, add any more
     auth mechanisms, run as a different user, etc. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user -->
  <user>messagebus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services -->
  <servicehelper>/usr/lib/dbus/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>/var/run/messagebus.pid</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket
       means use abstract namespace, don't really create filesystem
       file; only Linux supports this. Use path=/whatever on other
       systems.) -->
  <listen>unix:path=/var/run/dbus/system_bus_socket</listen>

  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

    <!-- By default clients require internal/dbus privilege to send and receive signals.
         This is internal privilege that is only accessible to trusted system services -->
    <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
    <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />

    <!-- Reply messages (method returns, errors) are allowed
         by default -->
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages but signals may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>

    <!-- If there is a need specific bus services could be protected by Cynara as well.
         However, this can lead to deadlock during the boot process when such check is made and
         Cynara is not yet activated (systemd calls protected method synchronously,
         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
         Therefore it is advised to allow root processes to use bus services.
         Currently anyone is allowed to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <allow receive_sender="org.freedesktop.DBus"/>

    <!-- Disallow some specific bus services -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.systemd1.Activator"/>
  </policy>

  <!-- Only systemd, which runs as root, may report activation failures. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.systemd1.Activator"/>
  </policy>

  <!-- Config files are placed here that among other things, punch
       holes in the above policy for specific services. -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's
       in this standard file -->
  <include ignore_missing="yes">system-local.conf</include>
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>
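Reading the seven AccessDenied lines in the report means picking the same key="value" fields out of each one: which program sent the call, to which name, which interface and member, and which privilege the dbus-daemon policy `<check>` asked Cynara for. As an added shell example (mine, not part of the ticket and not AGL's tooling), here is a condenser that extracts those fields and counts repeats. The sample input is two lines copied from the report plus one constructed line with a different member so that the grouping is visible; the function names field, sender_comm and summarize_denials are mine.

```shell
#!/bin/sh
# Added example, not from the ticket or from AGL: condense dbus-daemon
# org.freedesktop.DBus.Error.AccessDenied lines into one line per distinct
# (sender program, destination, interface.member, privilege) with a repeat count.

# Sample input: two lines copied from the ticket and one constructed line
# (member="runnables") so that the grouping is visible.
SAMPLE_DENIALS='Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.18" (uid=0 pid=608 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.19" (uid=0 pid=613 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="install" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.25" (uid=0 pid=643 comm="dbus-send --session --print-reply --dest=org.AGL.a") interface="org.AGL.afm.user" member="runnables" error name="(unset)" requested_reply="0" destination="org.AGL.afm.user" (uid=0 pid=504 comm="/usr/bin/afm-user-daemon --user-dbus=unix:path=/ru") privilege="http://tizen.org/privilege/internal/dbus"'

# field NAME LINE: value of the NAME="value" pair on LINE (last occurrence wins,
# which is fine for interface/member/destination/privilege: each appears once).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\([^\"]*\)\".*/\1/p"
}

# sender_comm LINE: the comm="..." inside the first "(uid=... pid=... comm=...)"
# group; dbus-daemon prints the sender's group first and the destination's second.
sender_comm() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*/\1/p' | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# summarize_denials: AccessDenied lines on stdin -> "<count> <prog> -> <dest>
# <interface>.<member> needs <privilege>" per distinct tuple; other lines are ignored.
summarize_denials() {
    while IFS= read -r line; do
        case $line in
            *org.freedesktop.DBus.Error.AccessDenied*) ;;
            *) continue ;;
        esac
        prog=$(sender_comm "$line" | cut -d ' ' -f 1)
        printf '%s -> %s %s.%s needs %s\n' "$prog" \
            "$(field destination "$line")" "$(field interface "$line")" \
            "$(field member "$line")" "$(field privilege "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

printf '%s\n' "$SAMPLE_DENIALS" | summarize_denials
# 2 dbus-send -> org.AGL.afm.user org.AGL.afm.user.install needs http://tizen.org/privilege/internal/dbus
# 1 dbus-send -> org.AGL.afm.user org.AGL.afm.user.runnables needs http://tizen.org/privilege/internal/dbus
```

Pipe a script's captured stderr or the journal into summarize_denials; the privilege column tells you which Cynara check the bus policy applied, and the prog column which process label Cynara evaluated it for.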