Bug 263716 - devel/dbus: not allowed to own service due to security policies in configuration file
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-desktop (Team)
 
Reported: 2022-05-02 08:02 UTC by Slawomir Wojciech Wojtczak
Modified: 2022-06-08 12:14 UTC

madpilot: maintainer-feedback+


Attachments
Konsole output from a run of caja (2.17 KB, text/plain)
2022-06-03 05:32 UTC, Graham Perrin

Description Slawomir Wojciech Wojtczak 2022-05-02 08:02:15 UTC
After updating packages to most recent version the DBUS started to misbehave ...

root # service dbus onestart
Starting dbus.

user % caja
Could not register the application: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.0" is not allowed to own the service "org.mate.Caja" due to security policies in the configuration file

user % transmission-gtk 
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.12" is not allowed to own the service "com.transmissionbt.transmission_11777313103303193847_36724" due to security policies in the configuration file

user % thunar
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.14" is not allowed to own the service "org.xfce.Thunar" due to security policies in the configuration file

... but Firefox starts without a problem.

Any hints?

I did not touch/change the dbus configuration.

Regards.
Comment 1 Guido Falsi freebsd_committer 2022-05-02 12:47:54 UTC
(In reply to Slawomir Wojciech Wojtczak from comment #0)

Not sure about the error you report, but what version exactly do you have installed of dbus?

A broken update to 1.14 was pushed to the tree for a short while, then reverted back to 1.12.50, which was working fine. If you happen to have updated at the wrong time you can simply update again and get the old version.

In the meantime, the issue with 1.14 has been identified and I posted a patch with a working update; you can find it here if you want to test it:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263014
Comment 2 Slawomir Wojciech Wojtczak 2022-05-02 12:58:52 UTC
It's 1.12.20_5.

I have just tried the patch for 1.14.0,1.

It has the same problem.

Details below.

% pkg info devel/dbus
dbus-1.14.0,1
Name           : dbus
Version        : 1.14.0,1
Installed on   : Mon May  2 14:55:46 2022 CEST
Origin         : devel/dbus
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : gnome devel
Licenses       : GPLv2
Maintainer     : desktop@FreeBSD.org
WWW            : http://www.freedesktop.org/Software/dbus
Comment        : Message bus system for inter-application communication
Options        :
        EXAMPLES       : off
        MANPAGES       : on
        X11            : on
Shared Libs required:
        libexpat.so.1
Shared Libs provided:
        libdbus-1.so.3
Annotations    :
        FreeBSD_version: 1301000
        cpe            : cpe:2.3:a:d-bus_project:d-bus:1.14.0:::::freebsd13:x64
Flat size      : 1.59MiB
Description    :
D-BUS supplies both a system daemon (for events such as "new hardware device
added" or "printer queue changed") and a per-user-login-session daemon (for
general IPC needs among user applications). Also, the message bus is built on
top of a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message bus
daemon).

WWW: http://www.freedesktop.org/Software/dbus



% caja
Could not register the application: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.1" is not allowed to own the service "org.mate.Caja" due to security policies in the configuration file



% thunar
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.2" is not allowed to own the service "org.xfce.Thunar" due to security policies in the configuration file



% transmission-gtk
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.3" is not allowed to own the service "com.transmissionbt.transmission_11777313103303193847_36724" due to security policies in the configuration file



% ps auxwww | grep dbus
messagebus 55474   0.0  0.0  14292  3864  -  Ss   14:56      0:00.01 /usr/local/bin/dbus-daemon --system
vermaden   62513   0.0  0.0  12920  2544  0  R+   14:57      0:00.00 grep --color dbus



% service dbus onestatus
dbus is running as pid 55474.



Regards.
Comment 3 Slawomir Wojciech Wojtczak 2022-05-02 13:00:23 UTC
For the record - the dbus-1.12.20_5 version on 13.1-RC3 worked without problems.

Now I am on 13.1-RC5. This is where dbus 1.12.20_5 and 1.14.0,1 have this problem.

Not sure that this is the cause of the problem but I wanted you to have the whole picture.

Regards.
Comment 4 Guido Falsi freebsd_committer 2022-05-02 13:16:46 UTC
(In reply to Slawomir Wojciech Wojtczak from comment #2)

I replied just in case you were not aware of the situation with the dbus port at present.

Unluckily I can't make much of your error messages and have no insight about those.

The only thing that comes to mind is to take a look at the files in /usr/local/share/dbus-1 and make sure they are the default ones and have not somehow been replaced with non-default ones, or whatever.
Comment 5 Guido Falsi freebsd_committer 2022-05-02 13:17:43 UTC
(In reply to Guido Falsi from comment #4)

Ah, also take a look in /usr/local/etc/dbus-1 for anything strange. But I've never modified those files and I'm not sure what could be causing those errors, if anything.
Comment 6 Tomoaki AOKI 2022-05-02 16:37:31 UTC
(In reply to Slawomir Wojciech Wojtczak from comment #3)

I had no error related to dbus 1.12.20_5 on stable/13, amd64.
I had an error related to dbus 1.14.0 on the very same stable/13 installation.
It was fixed by Guido's v2 patch on Bug 263014.

Have you rebooted the whole system after each dbus update?
If not, try rebooting after updating dbus with Guido's v2 patch applied.

If it doesn't work, try looking into settings related to sysutils/polkit.
As your error messages indicate "due to security policies in the configuration file", I have come to suspect that.
Comment 7 Slawomir Wojciech Wojtczak 2022-05-03 01:01:30 UTC
I did not touch the configs - these files were installed from the packages.



/usr/local/etc/dbus-1/system.d/avahi-dbus.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
          "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root or user avahi can own the Avahi service -->
  <policy user="avahi">
    <allow own="org.freedesktop.Avahi"/>
  </policy>
  <policy user="root">
    <allow own="org.freedesktop.Avahi"/>
  </policy>

  <!-- Allow anyone to invoke methods on Avahi server, except SetHostName -->
  <policy context="default">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>

    <deny send_destination="org.freedesktop.Avahi"
          send_interface="org.freedesktop.Avahi.Server" send_member="SetHostName"/>
  </policy>

  <!-- Allow everything, including access to SetHostName to users of the group "network" -->
  <policy group="network">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>
  </policy>
</busconfig>



/usr/local/etc/dbus-1/system.d/ConsoleKit.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="org.freedesktop.ConsoleKit"/>

    <!-- Allow all methods on interfaces -->
    <allow send_destination="org.freedesktop.ConsoleKit"/>
  </policy>

  <!-- Deny all and then allow some methods on interfaces -->
  <policy context="default">
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.ConsoleKit.Manager"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.ConsoleKit.Seat"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.ConsoleKit.Session"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.DBus.Properties" />

    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Restart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanRestart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Stop"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanStop"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Reboot"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanReboot"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="PowerOff"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanPowerOff"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Suspend"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanSuspend"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Hibernate"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanHibernate"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="HybridSleep"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CanHybridSleep"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Inhibit"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="ListInhibitors"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="OpenSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="CloseSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="ListSeats"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSeats"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessions"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessionForCookie"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessionForUnixProcess"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessionByPID"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetCurrentSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessionsForUnixUser"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSessionsForUser"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="ActivateSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="ActivateSessionOnSeat"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSystemIdleHint"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="GetSystemIdleSinceHint"/>

    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="GetId"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="GetName"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="GetSessions"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="GetDevices"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="GetActiveSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="CanActivateSessions"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="ActivateSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Seat"
           send_member="SwitchTo"/>

    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetId"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetSeatId"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetLoginSessionId"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetSessionType"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetSessionClass"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetSessionState"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetUser"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetUnixUser"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetXDGRuntimeDir"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetX11Display"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetX11DisplayDevice"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetDisplayDevice"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetRemoteHostName"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetVTNr"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="IsActive"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="IsLocal"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetCreationTime"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="Activate"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetIdleHint"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="SetIdleHint"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="GetIdleSinceHint"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="SetIdleHint"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="SetLockedHint"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="CanControlSession"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="TakeControl"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="ReleaseControl"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="TakeDevice"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="ReleaseDevice"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"
           send_member="PauseDeviceComplete"/>
  </policy>

</busconfig>



/usr/local/etc/dbus-1/system.d/cups.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only root can send this message -->
  <policy user="root">
    <allow send_interface="com.redhat.PrinterSpooler"/>
  </policy>

  <!-- Allow any connection to receive the message -->
  <policy context="default">
    <allow receive_interface="com.redhat.PrinterSpooler"/>
  </policy>
</busconfig>



/usr/local/etc/dbus-1/system.d/dbus-wpa_supplicant.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="fi.w1.wpa_supplicant1"/>

                <allow send_destination="fi.w1.wpa_supplicant1"/>
                <allow send_interface="fi.w1.wpa_supplicant1"/>
                <allow receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
        </policy>
        <policy context="default">
                <deny own="fi.w1.wpa_supplicant1"/>
                <deny send_destination="fi.w1.wpa_supplicant1"/>
                <deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
        </policy>
</busconfig>



/usr/local/etc/dbus-1/system.d/org.freedesktop.ColorManager.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- This configuration file specifies the required security policies
       for the ColorManager to work. -->

  <!-- Only user root or user colord can own the colord service -->
  <policy user="root">
    <allow own="org.freedesktop.ColorManager"/>
  </policy>
  <policy user="colord">
    <allow own="org.freedesktop.ColorManager"/>
  </policy>

 <!-- Allow anyone to call into the service - we'll reject callers using PolicyKit -->
  <policy context="default">
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.ColorManager"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.ColorManager.Profile"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.ColorManager.Device"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.ColorManager.Sensor"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.ColorManager"
           send_interface="org.freedesktop.DBus.Peer"/>
  </policy>

</busconfig>



/usr/local/etc/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow send_interface="org.freedesktop.GeoClue2.Agent"
           send_path="/org/freedesktop/GeoClue2/Agent"/>
    <allow send_interface="org.freedesktop.DBus.Properties"
           send_path="/org/freedesktop/GeoClue2/Agent"/>
  </policy>

  <policy user="root">
    <allow send_interface="org.freedesktop.GeoClue2.Agent"
           send_path="/org/freedesktop/GeoClue2/Agent"/>
    <allow send_interface="org.freedesktop.DBus.Properties"
           send_path="/org/freedesktop/GeoClue2/Agent"/>
  </policy>
</busconfig>



/usr/local/etc/dbus-1/system.d/org.freedesktop.GeoClue2.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <!-- Allow everyone to talk to main service. We'll later add an agent to
         only share the location if user allows it. -->
    <allow send_destination="org.freedesktop.GeoClue2"/>
  </policy>

  <policy user="root">
    <!-- Only allow root to own the name on the bus -->
    <allow own="org.freedesktop.GeoClue2"/>

    <!-- Also give root access to wpa_supplicant API -->
    <allow receive_sender="fi.w1.wpa_supplicant1"
           receive_type="signal"/>

    <allow send_destination="fi.w1.wpa_supplicant1"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>

    <allow send_destination="fi.w1.wpa_supplicant1"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="GetAll"/>

    <allow send_destination="fi.w1.wpa_supplicant1"
           send_interface="org.freedesktop.DBus.Introspectable"/>

    <allow send_destination="fi.w1.wpa_supplicant1"
           send_interface="fi.w1.wpa_supplicant1.Interface"
           send_type="method_call"
           send_member="Scan"/>
  </policy>

  <policy user="root">
    <!-- Allow root to own the name on the bus -->
    <allow own="org.freedesktop.GeoClue2"/>
  </policy>
</busconfig>




/usr/local/etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="polkitd">
    <allow own="org.freedesktop.PolicyKit1"/>
  </policy>

  <policy context="default">
    <allow send_destination="org.freedesktop.PolicyKit1"/>
  </policy>

  <!-- Allow uid 0 to send messages on the org.freedesktop.PolicyKit1.AuthenticationAgent interface -->
  <policy user="polkitd">
    <allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
  </policy>

</busconfig>




/usr/local/etc/dbus-1/system.d/org.freedesktop.UDisks2.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="org.freedesktop.UDisks2"/>
  </policy>

  <!-- Anyone can send messages to the owner of org.freedesktop.UDisks2 -->
  <policy context="default">
    <allow send_destination="org.freedesktop.UDisks2"/>
  </policy>
</busconfig>



/usr/local/etc/dbus-1/system.d/pulseaudio-system.conf
===============================================================================
<?xml version="1.0"?><!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<!--
This file is part of PulseAudio.

PulseAudio is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.

PulseAudio is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with PulseAudio; if not, see <http://www.gnu.org/licenses/>.
-->

<busconfig>

  <!-- System-wide PulseAudio runs as 'pulse' user. This fragment is
       not necessary for user PulseAudio instances. -->

  <policy user="pulse">
    <allow own="org.pulseaudio.Server"/>
  </policy>

</busconfig>



/usr/local/etc/dbus-1/session.conf
===============================================================================
<!--
This configuration file is no longer required and may be removed.

In older versions of dbus, this file defined the behaviour of the well-known
session bus. That behaviour is now determined by
/usr/local/share/dbus-1/session.conf, which should not be edited.

For local configuration changes, create a file
session-local.conf or files matching session.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.

For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/local/share/dbus-1/session.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig></busconfig>




/usr/local/etc/dbus-1/system.conf
===============================================================================
<!--
This configuration file is no longer required and may be removed.

In older versions of dbus, this file defined the behaviour of the well-known
system bus. That behaviour is now determined by
/usr/local/share/dbus-1/system.conf, which should not be edited.

For local configuration changes, create a file
system-local.conf or files matching system.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.

For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/local/share/dbus-1/system.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig></busconfig>



Regards.
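
Added example, not part of the thread and not dbus-daemon's code: a small audit of the `own` rules in busconfig fragments such as those posted in comment 7, to see which rule decides a name request for a given user. The function names are hypothetical, the evaluation order follows dbus-daemon(1) (default, then group, then user, then mandatory policies; the last matching rule wins), and the `assumed-default.conf` fragment is a constructed stand-in for the bus-wide defaults, which the thread does not show.

```python
"""Audit which rule decides a D-Bus name-ownership request."""
import xml.etree.ElementTree as ET
from collections import namedtuple

Rule = namedtuple("Rule", "stage seq selector value allow attr pattern source")

# Order in which dbus-daemon(1) applies policies; later stages override earlier.
# at_console policies are not modelled in this example.
STAGE = {"default": 0, "group": 1, "user": 2, "mandatory": 3}

# Constructed input (DOCTYPE lines omitted). The first fragment is an ASSUMPTION
# standing in for bus-wide defaults that refuse name ownership; the other two
# carry the own rules from files quoted in comment 7.
FRAGMENTS = {
    "assumed-default.conf": """<busconfig>
  <policy context="default">
    <allow user="*"/>
    <deny own="*"/>
  </policy>
</busconfig>""",
    "avahi-dbus.conf": """<busconfig>
  <!-- Only root or user avahi can own the Avahi service -->
  <policy user="avahi"><allow own="org.freedesktop.Avahi"/></policy>
  <policy user="root"><allow own="org.freedesktop.Avahi"/></policy>
</busconfig>""",
    "dbus-wpa_supplicant.conf": """<busconfig>
  <policy user="root"><allow own="fi.w1.wpa_supplicant1"/></policy>
  <policy context="default"><deny own="fi.w1.wpa_supplicant1"/></policy>
</busconfig>""",
}


def own_rules(fragments):
    """Collect every allow/deny rule that carries own= or own_prefix=."""
    rules = []
    for source, text in fragments.items():
        for policy in ET.fromstring(text).iter("policy"):
            context = policy.get("context")
            if context in ("default", "mandatory"):
                selector, value = context, None
            elif policy.get("user") is not None:
                selector, value = "user", policy.get("user")
            elif policy.get("group") is not None:
                selector, value = "group", policy.get("group")
            else:
                continue  # e.g. at_console, skipped here
            for el in policy:
                if el.tag not in ("allow", "deny"):
                    continue
                for attr in ("own", "own_prefix"):
                    if el.get(attr) is not None:
                        rules.append(Rule(STAGE[selector], len(rules), selector,
                                          value, el.tag == "allow", attr,
                                          el.get(attr), source))
    return rules


def applies(rule, user, groups):
    """Does the enclosing <policy> element apply to this connection?"""
    if rule.selector == "user":
        return rule.value == user
    if rule.selector == "group":
        return rule.value in groups
    return True  # default and mandatory contexts apply to everyone


def name_matches(rule, name):
    """own="*" matches any name; own_prefix="a.b" matches a.b and a.b.<more>."""
    if rule.attr == "own":
        return rule.pattern in ("*", name)
    return name == rule.pattern or name.startswith(rule.pattern + ".")


def may_own(fragments, name, user, groups=()):
    """Return (allowed, source file of the deciding rule).

    With no matching rule at all the request is refused, which is why a
    default deny plus no per-user allow yields AccessDenied.
    """
    allowed, decided_by = False, None
    candidates = [r for r in own_rules(fragments) if applies(r, user, groups)]
    for rule in sorted(candidates, key=lambda r: (r.stage, r.seq)):
        if name_matches(rule, name):
            allowed, decided_by = rule.allow, rule.source
    return allowed, decided_by


if __name__ == "__main__":
    # User and groups as shown by `id vermaden` in comment 11 (subset).
    groups = ("vermaden", "wheel", "operator", "video", "network", "messagebus")
    for name, user in [("org.mate.Caja", "vermaden"),
                       ("org.xfce.Thunar", "vermaden"),
                       ("org.freedesktop.Avahi", "avahi"),
                       ("fi.w1.wpa_supplicant1", "root")]:
        allowed, source = may_own(FRAGMENTS, name, user, groups)
        print(f"{user:9} own {name:26} -> "
              f"{'allow' if allowed else 'deny'} (decided by {source})")
```

Run against the real files by reading each `*.conf` into the dictionary; the order of files inside one stage is undefined in dbus-daemon, so conflicting rules in the same stage deserve a manual look.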
Comment 8 Slawomir Wojciech Wojtczak 2022-06-02 22:05:30 UTC
It's still broken on the latest packages.

No questions?

No attempt to make it fixed?

No one uses FreeBSD desktop anymore?

All FreeBSD developers on macOS now? :)
Comment 9 Tomoaki AOKI 2022-06-02 23:22:02 UTC
(In reply to Slawomir Wojciech Wojtczak from comment #8)

Just not bitten anymore after the fix I pointed to in comment #6.

BTW, what groups does your affected user belong to?
For me, the user I usually use belongs to wheel, and is registered to operator, video, network, webcamd, pulse, pulse-access, pulse-rt, u2f and vboxusers in the /etc/group file. This could be why I'm not bitten.

Note that groups including and after webcamd are needed only when related ports are installed and required to work.
Comment 10 Graham Perrin 2022-06-03 05:32:36 UTC
Created attachment 234408 [details]
Konsole output from a run of caja

(In reply to Slawomir Wojciech Wojtczak from comment #0)

> …
> 
> user % caja
> Could not register the application: 
> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.0" is 
> not allowed to own the service "org.mate.Caja" due to security policies 
> in the configuration file
> 
> …

I don't get anything like that …
Comment 11 Slawomir Wojciech Wojtczak 2022-06-03 11:47:41 UTC
I just did a fresh entire FreeBSD install with ZFS on GELI. The 13.1-RELEASE version. Then added all the same packages from 'latest' branch.

Started dbus(8) and it's the same:

# service dbus onestatus
dbus is running as pid 75663.

% id vermaden                
uid=1000(vermaden) gid=1000(vermaden) groups=1000(vermaden),0(wheel),5(operator),44(video),69(network),556(messagebus),145(webcamd),563(pulse),564(pulse-access),557(pulse-rt)

% caja                       
Could not register the application: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.10" is not allowed to own the service "org.mate.Caja" due to security policies in the configuration file

% thunar                     
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.11" is not allowed to own the service "org.xfce.Thunar" due to security policies in the configuration file
11:42 w520 vermaden ~ % grep latest /etc/pkg/FreeBSD.conf 
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

% pkg stats
Local package database:
        Installed packages: 1208
        Disk space occupied: 12 GiB

Remote package database(s):
        Number of repositories: 1
        Packages available: 31439
        Unique packages: 31439
        Total size of packages: 101 GiB

% uname -prism
FreeBSD 13.1-RELEASE amd64 amd64 GENERIC



Regards.
Comment 12 Slawomir Wojciech Wojtczak 2022-06-08 10:43:07 UTC
Maybe this will help to get this further ...



% doas truss -a -o caja.out caja
Could not register the application: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.7" is not allowed to own the service "org.mate.Caja" due to security policies in the configuration file

caja.out --> https://pastebin.com/raw/a7vvmKxa



% doas truss -a -o thunar.out thunar
Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.8" is not allowed to own the service "org.xfce.Thunar" due to security policies in the configuration file

thunar.out --> https://pastebin.com/raw/cbjVVSq7



Regards.
Comment 13 Slawomir Wojciech Wojtczak 2022-06-08 10:52:19 UTC
It's probably not the dbus config as I removed it and the problem is still there:

% ls -l /usr/local/etc/dbus-1
total 43K
drwxr-xr-x 2 root wheel  12 2022-06-02 23:41 BACKUP.system.d/
-rw-r--r-- 1 root wheel 850 2022-05-05 03:16 BACKUP.session.conf
-rw-r--r-- 1 root wheel 845 2022-05-05 03:16 BACKUP.system.conf
-rw-r--r-- 1 root wheel 850 2022-05-05 03:16 session.conf.sample
-rw-r--r-- 1 root wheel 845 2022-05-05 03:16 system.conf.sample

% doas service dbus onerestart            
Stopping dbus.
Waiting for PIDS: 4357.
Starting dbus.

% doas service dbus onestatus 
dbus is running as pid 17036.

% caja                                    
Could not register the application: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.0" is not allowed to own the service "org.mate.Caja" due to security policies in the configuration file
Comment 14 Tobias C. Berner freebsd_committer 2022-06-08 10:54:17 UTC
(In reply to Slawomir Wojciech Wojtczak from comment #12)
Moin moin 

In what kind of an environment are you starting the applications? 


mfg Tobias
Comment 15 Slawomir Wojciech Wojtczak 2022-06-08 11:06:13 UTC
(In reply to Tobias C. Berner from comment #14)

Under Openbox.

Described here:

- https://vermaden.wordpress.com/2018/07/01/freebsd-desktop-part-12-configuration-openbox/
Comment 16 Slawomir Wojciech Wojtczak 2022-06-08 11:12:06 UTC
Found the problem.

It was this line in my ~/.xinitrc file:

  % grep -C 1 -i dbus .xinitrc 

  # dbus(8) VARIABLES
    export DBUS_SESSION_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket 



After I commented it out like that:

  # dbus(8) VARIABLES
  # export DBUS_SESSION_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket 

and started 'my environment' everything works well and both 'caja' and 'thunar' connect properly to the dbus(8) bus.



Sorry for wasting your time.

I had that line in my ~/.xinitrc for ages ... and only lately (as bug was submitted) it started to cause this trouble.

Regards.
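The misconfiguration found in comment 16, as an added example that is not part of the original thread: when DBUS_SESSION_BUS_ADDRESS names the system bus socket, desktop applications try to own their names on the system bus, whose default policy denies name ownership. The POSIX sh functions below check an address value and scan a startup file such as ~/.xinitrc for that mistake; the function names and the second socket path are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example: detect a session-bus address that really names the system bus.

# First path is the one from this bug report; the second is an assumed
# extra covering the usual Linux location.
SYSTEM_BUS_SOCKETS="/var/run/dbus/system_bus_socket /run/dbus/system_bus_socket"

# Return 0 if any unix: entry of a D-Bus address list (entries separated by
# ';', key=value pairs by ',') has path= set to a system bus socket.
session_addr_hits_system_bus() {
    rest=$1
    while [ -n "$rest" ]; do
        entry=${rest%%;*}
        case $rest in *\;*) rest=${rest#*;} ;; *) rest= ;; esac
        case $entry in unix:*) params=${entry#unix:} ;; *) continue ;; esac
        while [ -n "$params" ]; do
            kv=${params%%,*}
            case $params in *,*) params=${params#*,} ;; *) params= ;; esac
            for sock in $SYSTEM_BUS_SOCKETS; do
                if [ "$kv" = "path=$sock" ]; then return 0; fi
            done
        done
    done
    return 1
}

# Print "FILE:LINE: value" for every uncommented DBUS_SESSION_BUS_ADDRESS
# assignment in a shell startup file that points at the system bus.
# Returns 0 if at least one such line exists, 1 otherwise.
scan_rc_file() {
    found=1 lineno=0
    while read -r line || [ -n "$line" ]; do   # read trims surrounding blanks
        lineno=$((lineno + 1))
        case $line in
            \#*) continue ;;                   # commented out, as in the fix
            *DBUS_SESSION_BUS_ADDRESS=*) ;;
            *) continue ;;
        esac
        value=${line#*DBUS_SESSION_BUS_ADDRESS=}
        value=${value%% *}                     # stop at the first space
        value=${value#\"}; value=${value%\"}   # drop surrounding double quotes
        if session_addr_hits_system_bus "$value"; then
            printf '%s:%d: %s\n' "$1" "$lineno" "$value"
            found=0
        fi
    done < "$1"
    return $found
}
```

Running `scan_rc_file ~/.xinitrc` on the file from comment 16 reports the export line before the fix and returns 1 once it is commented out.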
Comment 17 Baptiste Daroussin freebsd_committer 2022-06-08 11:17:43 UTC
I can't reproduce either; it must be something related to how you launch your desktop, which results in something no longer acceptable with dbus 1.14.

How do you start your desktop? In particular I am interested in the seatd related and dbus-launch related parts.
Comment 18 Slawomir Wojciech Wojtczak 2022-06-08 12:14:33 UTC
(In reply to Baptiste Daroussin from comment #17)

I found the problem.

Check Comment 16 for details:
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263716#c16