#1 2012-06-09 20:38:47

miky76
Member
From: Italy
Registered: 2011-10-27
Posts: 135

auth.log - Rejected send message, 2 matched rules; type="method_call"

Hi,
I'm checking /var/log/auth.log and I found out that there is this error message:

Jun  9 20:19:56 localhost polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.23 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun  9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Jun  9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Jun  9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")

I think the problem is in /etc/dbus-1/system.conf

 <deny send_type="method_call"/>

I'm tempted to change this to allow, but I won't as long as I don't understand why this deny-rule is implemented.

Last edited by miky76 (2012-06-09 20:41:06)

Offline

#2 2012-06-09 21:23:03

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: auth.log - Rejected send message, 2 matched rules; type="method_call"

That deny rule is the default. Things in /etc/dbus-1/system.d override it. There's a ConsoleKit.conf file in there that describes what interaction ConsoleKit actually allows.

That said, ConsoleKit.conf also denies this access:

<deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.DBus.Properties" />

I don't know why this is denied - most likely it's to prevent private data from being stolen from console-kit-daemon in this way. I don't see any such private data stored in properties on ConsoleKit, though:

$ dbus-send --print-reply --system --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Introspectable.Introspect
method return sender=:1.5 -> dest=:1.14 reply_serial=2
   string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
      <arg name="data" direction="out" type="s"/>
    </method>
  </interface>
  <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
      <arg name="interface" direction="in" type="s"/>
      <arg name="propname" direction="in" type="s"/>
      <arg name="value" direction="out" type="v"/>
    </method>
    <method name="Set">
      <arg name="interface" direction="in" type="s"/>
      <arg name="propname" direction="in" type="s"/>
      <arg name="value" direction="in" type="v"/>
    </method>
    <method name="GetAll">
      <arg name="interface" direction="in" type="s"/>
      <arg name="props" direction="out" type="a{sv}"/>
    </method>
  </interface>
  <interface name="org.freedesktop.ConsoleKit.Session">
    <method name="SetIdleHint">
      <arg name="idle_hint" type="b" direction="in"/>
    </method>
    <method name="GetIdleSinceHint">
      <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="GetIdleHint">
      <arg name="idle_hint" type="b" direction="out"/>
    </method>
    <method name="Unlock">
    </method>
    <method name="Lock">
    </method>
    <method name="Activate">
    </method>
    <method name="GetCreationTime">
      <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="IsLocal">
      <arg name="local" type="b" direction="out"/>
    </method>
    <method name="IsActive">
      <arg name="active" type="b" direction="out"/>
    </method>
    <method name="GetLoginSessionId">
      <arg name="login_session_id" type="s" direction="out"/>
    </method>
    <method name="GetRemoteHostName">
      <arg name="remote_host_name" type="s" direction="out"/>
    </method>
    <method name="GetDisplayDevice">
      <arg name="display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11DisplayDevice">
      <arg name="x11_display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11Display">
      <arg name="display" type="s" direction="out"/>
    </method>
    <method name="GetUnixUser">
      <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetUser">
      <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetSessionType">
      <arg name="type" type="s" direction="out"/>
    </method>
    <method name="GetSeatId">
      <arg name="sid" type="o" direction="out"/>
    </method>
    <method name="GetId">
      <arg name="ssid" type="o" direction="out"/>
    </method>
    <signal name="Unlock">
    </signal>
    <signal name="Lock">
    </signal>
    <signal name="IdleHintChanged">
      <arg type="b"/>
    </signal>
    <signal name="ActiveChanged">
      <arg type="b"/>
    </signal>
    <property name="idle-hint" type="b" access="readwrite"/>
    <property name="is-local" type="b" access="readwrite"/>
    <property name="active" type="b" access="readwrite"/>
    <property name="x11-display-device" type="s" access="readwrite"/>
    <property name="x11-display" type="s" access="readwrite"/>
    <property name="display-device" type="s" access="readwrite"/>
    <property name="remote-host-name" type="s" access="readwrite"/>
    <property name="session-type" type="s" access="readwrite"/>
    <property name="user" type="u" access="readwrite"/>
    <property name="unix-user" type="u" access="readwrite"/>
  </interface>
</node>
"

Note those properties at the end of that list, which are the same things you can learn by running ck-list-session.

If you want to change the deny to allow, you may as well do it in the ConsoleKit.conf line, so it's specific to this usage, rather than allowing any method call in the world called through dbus.

FWIW, I can reproduce this same error, trying to do it "by hand", though I don't use GNOME, as you do:

$ dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.ConsoleKit.Session
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.17" (uid=1000 pid=13892 comm="dbus-send --print-reply --system --type=method_cal") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=751 comm="/usr/sbin/console-kit-daemon --no-daemon ")

Offline
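
A simplified model of the rule evaluation discussed in post #2, added here as an example (it is not code from the thread or from D-Bus): it compares flipping the deny in ConsoleKit.conf with flipping the one in system.conf. Assumptions: each fragment holds only the rule quoted above, rules are read system.conf first and system.d second, attributes match by exact string equality, and `org.example.Other` is a made-up service.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragments holding only the two rules quoted in the thread.
SYSTEM_CONF = '<policy context="default"><deny send_type="method_call"/></policy>'
CONSOLEKIT_CONF = ('<policy context="default"><deny '
                   'send_destination="org.freedesktop.ConsoleKit" '
                   'send_interface="org.freedesktop.DBus.Properties"/></policy>')

def load_rules(*fragments):
    """Flatten policy fragments into (verdict, attributes) pairs, in read order."""
    return [(el.tag, dict(el.attrib))
            for frag in fragments for el in ET.fromstring(frag)]

def decide(rules, msg):
    """Return (verdict, matched_count); the last matching rule decides."""
    verdict, matched = "deny", 0  # model assumption: no matching rule means deny
    for tag, attrs in rules:
        if all(msg.get(key) == value for key, value in attrs.items()):
            verdict, matched = tag, matched + 1
    return verdict, matched

# The call from the log, and a call to a hypothetical unrelated root service.
GETALL = {"send_type": "method_call",
          "send_destination": "org.freedesktop.ConsoleKit",
          "send_interface": "org.freedesktop.DBus.Properties"}
OTHER = {"send_type": "method_call",
         "send_destination": "org.example.Other",
         "send_interface": "org.example.Other.Admin"}

POLICIES = {
    # Both files as quoted in the thread.
    "default": load_rules(SYSTEM_CONF, CONSOLEKIT_CONF),
    # deny -> allow in ConsoleKit.conf only (the change suggested in post #2).
    "narrow": load_rules(SYSTEM_CONF, CONSOLEKIT_CONF.replace("<deny", "<allow")),
    # deny -> allow in system.conf only (the change post #1 was tempted by).
    "broad": load_rules(SYSTEM_CONF.replace("<deny", "<allow"), CONSOLEKIT_CONF),
}

def evaluate():
    """Decide both sample messages under each policy variant."""
    return {name: {"GetAll": decide(rules, GETALL), "other": decide(rules, OTHER)}
            for name, rules in POLICIES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

In this model the system.conf edit lets the unrelated method call through while the ConsoleKit.conf deny, read later, still rejects GetAll; the ConsoleKit.conf edit allows only the logged call.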

#3 2012-06-12 13:45:23

miky76
Member
From: Italy
Registered: 2011-10-27
Posts: 135

Re: auth.log - Rejected send message, 2 matched rules; type="method_call"

I'm not sure I understood.

Shall I deny it in the ConsoleKit.conf only? Or even in the other conf file?

Offline
