From Fedora Project Wiki
(add PK, as that broke last time)
(Add complete list of possibly-affected packages - scope OK)
Line 28: Line 28:
  
 
== Scope ==
 
== Scope ==
Any package which ships a file in <tt>/etc/dbus-1/system.d</tt> may be affected.
+
Any package which ships a file in <tt>/etc/dbus-1/system.d</tt> may be affected. Here is a complete list of those packages, for reference:
 
+
<small>
 +
<pre>
 +
[wwoods@brinstar ~]$ sudo repoquery -sf '/etc/dbus-1/system.d/*' --qf '%{NAME}' | sort -u
 +
avahi
 +
bluez
 +
ConsoleKit
 +
cups
 +
cups-pk-helper
 +
DeviceKit
 +
DeviceKit-disks
 +
DeviceKit-power
 +
dnsmasq
 +
fprintd
 +
galago-daemon
 +
GConf2
 +
gdm
 +
gnome-applets
 +
gnome-lirc-properties
 +
gnome-panel
 +
gnome-system-monitor
 +
gypsy
 +
hal
 +
kerneloops
 +
modcluster
 +
NetworkManager
 +
NetworkManager-gnome
 +
NetworkManager-openconnect
 +
NetworkManager-openvpn
 +
NetworkManager-pptp
 +
NetworkManager-vpnc
 +
odccm
 +
oddjob
 +
oddjob-mkhomedir
 +
ohm
 +
PackageKit
 +
PolicyKit
 +
ricci
 +
setroubleshoot-server
 +
sugar
 +
system-config-printer-libs
 +
system-config-samba
 +
system-config-services
 +
wpa_supplicant
 +
yum-updatesd
 +
</pre>
 +
</small>
 
== Test Plan ==
 
== Test Plan ==
 
* Desktop: Test NetworkManager and HAL+device mounting.
 
* Desktop: Test NetworkManager and HAL+device mounting.
Line 55: Line 100:
  
 
[[Category:FeatureProposedF11]]
 
[[Category:FeatureProposedF11]]
[[Category:Features needing QA approval]]
+
[[Category:Features with incomplete test plans]]

Revision as of 17:12, 26 February 2009

DBus Policy

Summary

Due to a [security issue], the DBus system bus policy has changed, and many applications were incorrect.

Owner

  • Name: Colin Walters <walters@redhat.com>

Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-02-26
  • Percentage of completion: 90%

Detailed Description

Essentially the system bus policy was unintentionally wide open, and a number of applications relied on this and shipped incorrect or incomplete policy files in /etc/dbus-1/system.d.

There's more information in [this mail], as well as [this mail].

Known issues have been added to [this upstream tracker bug].

There is logging of denials to /var/log/messages.

Benefit to Fedora

Fixes an important line of defense in the core OS security.

Scope

Any package which ships a file in /etc/dbus-1/system.d may be affected. Here is a complete list of those packages, for reference:

[wwoods@brinstar ~]$ sudo repoquery -sf '/etc/dbus-1/system.d/*' --qf '%{NAME}' | sort -u
avahi
bluez
ConsoleKit
cups
cups-pk-helper
DeviceKit
DeviceKit-disks
DeviceKit-power
dnsmasq
fprintd
galago-daemon
GConf2
gdm
gnome-applets
gnome-lirc-properties
gnome-panel
gnome-system-monitor
gypsy
hal
kerneloops
modcluster
NetworkManager
NetworkManager-gnome
NetworkManager-openconnect
NetworkManager-openvpn
NetworkManager-pptp
NetworkManager-vpnc
odccm
oddjob
oddjob-mkhomedir
ohm
PackageKit
PolicyKit
ricci
setroubleshoot-server
sugar
system-config-printer-libs
system-config-samba
system-config-services
wpa_supplicant
yum-updatesd

Test Plan

  • Desktop: Test NetworkManager and HAL+device mounting.
  • Desktop: Test PackageKit and installing updates using a GUI tool

Shouldn't be any denials in /var/log/messages

User Experience

No user visible experience.

Dependencies

None.

Contingency Plan

We could continue to be in "permissive" mode for another release, but I'd really like not to do that.

Documentation

See the detailed description for information.

Release Notes

Comments and Discussion

Can be discussed on the fedora-devel list or the [upstream list].