I'm trying to follow this example of using Polkit actions.
/etc/polkit-1/rules.d/00-log-access.rules
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
I am unable to find the logs that should be produced. I've checked /var/log and journalctl -xab.
I wanted to implement this by creating my own systemd slice.
I tried to run as non-root:
systemd-run --no-ask-password --slice "relax.slice" --scope --send-sighup -G -- echo hello
I could have made a Polkit rule that would always grant permission on org.freedesktop.systemd1.manage-units for myself, but I want to know the name of the unit systemd-run sends to polkit for more granular security. With --no-ask-password journalctl -xab doesn't produce logs from it, but without that flag, there's some activity about polkit (most likely the password requester in the terminal), but it doesn't really follow the logs.
If anyone could help me find out where polkit stores its logs, that would be great!
Last edited by ljyip (2022-07-27 16:05:47)
Did you restart the polkit daemon after adding that rule?
Check
sudo journalctl -b SYSLOG_FACILITY=10
There was nothing new for that command. There's this log message that was always present each time I tested it, but no actual log messages from polkit.log inside polkit rules:
Jul 26 21:31:53 ## polkitd[6994]: Operator of unix-process:7493:49354 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.77 [<unknown>] (owned by unix-user:##)
Edit: I did restart polkit (systemctl restart polkit); it doesn't seem to do much, as it restarts itself after editing a rule, I think.
Last edited by ljyip (2022-07-27 04:35:58)
/usr/lib/systemd/system/polkit.service runs "ExecStart=/usr/lib/polkit-1/polkitd --no-debug", try to overwrite that.
Otherwise check /var/log/secure
Does
pkexec -u root bash -i
produce any relevant logs (they'll still come from polkit)?
Removing --no-debug worked; I was able to see the log messages (journalctl -xab).
journalctl -b SYSLOG_FACILITY=10 didn't, though. At least I solved it.
Thanks!
Last edited by ljyip (2022-07-27 16:05:34)
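An added example, not code from anyone in this thread: a rules.d file that logs the details of each manage-units request and grants it only for one user and one unit, which is the granular rule the original poster was aiming for. ALLOWED_USER, ALLOWED_UNIT and the offline stub are hypothetical; it assumes systemd attaches "unit" and "verb" details to the request, which may be absent, in which case the rule falls through to the default policy.

```javascript
// Hypothetical placeholders: replace with the real account and unit name.
var ALLOWED_USER = "alice";
var ALLOWED_UNIT = "relax.slice";
var MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";

// Inside polkitd the global "polkit" object exists. Outside it (for example
// under node, to test the logic offline) fall back to a constructed stub.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: "not-handled" }, // stand-in values
    logged: [],
    log: function (msg) { this.logged.push(msg); },
    addRule: function (fn) { this.rule = fn; }
};

// One log line with everything needed to write a narrower rule later.
// action.lookup() returns undefined when the caller sent no such detail.
function describe(action, subject) {
    return "action.id=" + action.id +
           " unit=" + action.lookup("unit") +
           " verb=" + action.lookup("verb") +
           " user=" + subject.user +
           " local=" + subject.local +
           " active=" + subject.active;
}

function decide(action, subject) {
    if (action.id !== MANAGE_UNITS) {
        return pk.Result.NOT_HANDLED;      // not our action: say nothing
    }
    // Only visible in the journal when polkitd runs without --no-debug.
    pk.log(describe(action, subject));

    var unit = action.lookup("unit");
    if (subject.user === ALLOWED_USER && subject.local && subject.active &&
        unit === ALLOWED_UNIT) {
        return pk.Result.YES;
    }
    // Wrong user, wrong unit, or no unit detail at all: let the default
    // policy (password prompt or denial) apply instead of granting.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(decide);
```

If the logged line shows unit=undefined for the systemd-run call, the request cannot be narrowed by unit name and only a per-user or per-group condition is available.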