Join Log in
Score:1
avatar Ubuntu

Debug PolicyKit Rules?

mx flag
wadeh

I'm running into what seems to be a simple problem that is driving me crazy.

I've done a clean install of Kubuntu 20.04. Everything is working fine locally on the machine, but my primary use case is running via remote desktop with xrdp. I've done this many times before, and on many machines.

In this case, I am getting the very common popup for org.freedesktop.packagekit.system-sources-refresh, but only running over RDP.

The first thing that I did was to create a 46-allow-update-repo.pkla file in /etc/polkit-1/localauthority/50-local.d with the following contents:

[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes

That had no effect on the behavior.

As a brute force attempt to get around the problem, I created a custom rule in /etc/polkit-1/rules.d/49-allow-rdp-system-refresh.rules with the following content. Note that this was just for troubleshooting; I don't want to run the system this way:

polkit.addRule(function(action, subject) {
    {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);

        return polkit.Result.YES;
    }
});

That also had no effect. I also checked the /var/log/auth.log file and did not see the log lines from the rule above. What I do see in the log file, that appears to be associated with this problem, are the following lines:

Jan 13 17:11:24 ***** PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Jan 13 17:11:24 ***** polkitd(authority=local): Operator of unix-session:c1 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.77 [/usr/lib/x86_64-linux-gnu/libexec/DiscoverNotifier] (owned by unix-user:wadeh)
Jan 13 17:11:24 ***** PackageKit: uid 1000 failed to obtain auth

When I run locally, and not over RDP, the log looks like this:

Jan 13 17:13:07 ***** PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Jan 13 17:13:07 ***** PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh

At this point, I am at a bit of a loss. It's as if polkit is not seeing my changes. Note that I reboot the system after each change to one of the files, just to ensure that everything starts up with the changes.

I installed everything clean today, with an ISO that I downloaded from the LTS branch yesterday. The version numbers are as follows:

KDE Plasma Version: 5.18.5 KDE Frameworks Version: 5.68.0 Qt Version: 5.12.8 Kernel Version: 5.11.0-46-generic OS Type: 64 bit

The XRDP version is 0.9.12

60
0 + 0
petep avatar
in flag
petep
I found an answer that seems to mitigate the problem. The fix is to stop gnome-software from autostart. If you follow the steps in the first answer to this question, you can achieve this. "https://askubuntu.com/questions/959353/disable-gnome-software-from-loading-at-startup"
0
Reply
muru avatar
us flag
muru
No version of Ubuntu supports the JavaScript Polkit rules, iirc. So that file wouldn't have worked.
1
Reply
mx flag
wadeh
So if the JavaScript rules don't work, how would you troubleshoot something like this? I should also mention that I created a similar pkla file for a NetworkManager popup, and that worked fine and gave the expected result. Any attempt I've made to avoid the refresh popup still fails. The frustrating part is that it seems like a black box. I am guessing that something simple is wrong, but without the ability to see the parameters passed to the rule, or otherwise enhance the logging, I'm completely blind.
0
Reply
mx flag
wadeh
Here is the current status on this: I cannot get the pkla rule to match, no matter what I try. I was able to get the desired behavior by just editing the defaults for the subject in the /usr/share/polkit-1/actions directory, but that is just a workaround.
0
Reply
mx flag
wadeh
I can only think of three things that are causing the problem: 1) The pkla file isn't getting recognized. I tend to discount this because I have two other pkla files that work as expected. 2) The action is not matching at runtime. I tend to discount this, since the popup dialog box contains the action string in the details (and I have tried copying and pasting it directly into the rule, so I know that it's correct in the pkla file).
0
Reply
mx flag
wadeh
3) The subject is not matching at runtime. This one seems the most likely, since the xRDP session clearly behaves differently than a local session. But the entry in the auth.log file shows the user name as expected.
0
Reply
mx flag
wadeh
At this point, I am giving up for now and just going with the workaround. If something grabs my attention in the future, I will revisit it. I would also welcome any suggestions for actually debugging this, instead of just banging my head against it by trial and error.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.