You are not logged in.

#1 2022-07-26 02:47:55

ljyip
Member
Registered: 2022-07-26
Posts: 16

[SOLVED] How to debug a polkit rule

I'm trying to follow this example of using Polkit actions.
/etc/polkit-1/rules.d/00-log-access.rules

polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});

I am unable to find the logs that should be produced, I've checked /var/log and journalctl -xab

Context

I wanted to implement this by creating my own systemd slice.
I tried to run as non-root:

systemd-run --no-ask-password --slice "relax.slice" --scope --send-sighup -G -- echo hello 

I could have made a Polkit rule that would always grant permission on org.freedesktop.systemd1.manage-units for myself, but I want to know the name of the unit systemd-run sends to polkit for more granular security. With --no-ask-password journalctl -xab doesn't produce logs from it, but without that flag, there's some activity about polkit (most likely the password requester in the terminal), but it doesn't really follow the logs.

If anyone could help me find out where polkit stores its logs, that would be great!

Last edited by ljyip (2022-07-27 16:05:47)

Offline

#2 2022-07-26 06:53:11

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: [SOLVED] How to debug a polkit rule

Did you restart the polkit daemon after adding that rule?
Check

sudo journalctl -b SYSLOG_FACILITY=10

Offline

#3 2022-07-27 04:35:17

ljyip
Member
Registered: 2022-07-26
Posts: 16

Re: [SOLVED] How to debug a polkit rule

There was nothing new for that command. There's this log message that was always present when I checked them for each time I tested it. But not actual log messages from polkit.log inside polkit rules

Jul 26 21:31:53 ## polkitd[6994]: Operator of unix-process:7493:49354 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.77 [<unknown>] (owned by unix-user:##)

Edit: I did restart the polkit systemctl restart polkit, doesn't seem to do much as it restarts itself after editing a rule I think.

Last edited by ljyip (2022-07-27 04:35:58)

Offline

#4 2022-07-27 06:40:31

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: [SOLVED] How to debug a polkit rule

/usr/lib/systemd/system/polkit.service runs "ExecStart=/usr/lib/polkit-1/polkitd --no-debug", try to overwrite that.
Otherwise check /var/log/secure

Does

pkexec -u root bash -i

produce any relevant logs (they'll still com from polkit)

Offline

#5 2022-07-27 16:05:21

ljyip
Member
Registered: 2022-07-26
Posts: 16

Re: [SOLVED] How to debug a polkit rule

Removing --no-debug worked, I was able to see the log messages (journalctl -xab)

journalctl -b SYSLOG_FACILITY=10 didn't though, at least I solved it.

Thanks!

Last edited by ljyip (2022-07-27 16:05:34)

Offline

Board footer

Powered by FluxBB