Control: retitle -1 dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
On Wed, 21 Nov 2018 at 15:29:37 +0100, Francesco Potortì wrote:
> dbus generates over 100 lines a day like this in auth.log:
>
> Nov 21 13:20:39 tucano dbus-daemon[3507]: [system] Rejected send message, 4
> matched rules; type="method_call", sender=":1.383314" (uid=1000 pid=2330
> comm="/usr/bin/dbus-daemon --syslog --fork --print-pid 5")
> interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" error
> name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1"
> (uid=0 pid=1 comm="/lib/systemd/systemd --system --deserialize 538 ")
>
> This happens while I work at the console, but not when I work remotely.
>
> Using the atop logs, I can tell that process 2330 was a dbus-daemon starting
> and ending at 13:20:39.

Code in the session dbus-daemon doesn't explicitly connect to the system
dbus-daemon and communicate with pid 1, so I think this must be something in
a shared library that it uses, most likely libsystemd or a PAM module?

systemd installs a policy with

    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetDynamicUsers"/>

so this is meant to be allowed.

"4 matched rules" is consistent with the matched rules being:

* <deny send_type="method_call"/> in /usr/share/dbus-1/system.conf
* <deny send_destination="org.freedesktop.systemd1"/> in
  /usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
* the rule above in /usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
* some other rule

... so perhaps you have a <deny> rule in /usr/share/dbus-1/system.d/*.conf or
in /etc/dbus-1/system.d/*.conf, with higher precedence, that is interfering
with those messages? If you search for org.freedesktop.systemd1 or
GetDynamicUsers in those files, what do you get?

    smcv
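
The search requested above can be taken one step further by listing, in order, every send rule that matches the rejected call. The following is an added example, not part of the original message and not dbus code. It assumes a simplified matching model (only the four send_* fields visible in the log line, "*" as wildcard, every <policy> block treated as applying to the sender, files evaluated in the order listed, no context precedence); the policy text is constructed and the file local-example.conf with its rule is hypothetical.

```python
import xml.etree.ElementTree as ET

SD1 = "org.freedesktop.systemd1"
# Fields of the rejected call, taken from the log line quoted in the message.
MESSAGE = {"send_type": "method_call", "send_destination": SD1,
           "send_interface": SD1 + ".Manager", "send_member": "GetDynamicUsers"}

# Constructed sample policies. The first three rules are the ones named in the
# message; the last file name and its rule are hypothetical.
SAMPLE_FILES = [
    ("/usr/share/dbus-1/system.conf", '<busconfig><policy context="default">'
     '<deny send_type="method_call"/></policy></busconfig>'),
    ("/usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf",
     f'<busconfig><policy context="default"><deny send_destination="{SD1}"/>'
     f'<allow send_destination="{SD1}" send_interface="{SD1}.Manager"'
     ' send_member="GetDynamicUsers"/></policy></busconfig>'),
    ("/etc/dbus-1/system.d/local-example.conf",
     f'<busconfig><policy context="default"><deny send_interface="{SD1}.Manager"/>'
     '</policy></busconfig>'),
]

def rule_matches(attrs, message):
    """True if the rule has send_* attributes and each is "*" or equals the field.
    Attributes not modelled in `message` (send_path, ...) never match here."""
    send = {k: v for k, v in attrs.items() if k.startswith("send_")}
    return bool(send) and all(
        k in message and v in ("*", message[k]) for k, v in send.items())

def matched_rules(files, message):
    """Return (path, policy selector, action, rule attrs) per match, in order."""
    hits = []
    for path, xml_text in files:
        for policy in ET.fromstring(xml_text).iter("policy"):
            for rule in policy:
                if rule.tag in ("allow", "deny") and rule_matches(rule.attrib, message):
                    hits.append((path, dict(policy.attrib), rule.tag, dict(rule.attrib)))
    return hits

def verdict(hits):
    """The last matching rule decides; with no matching rule the send is denied."""
    return hits[-1][2] if hits else "deny"

if __name__ == "__main__":
    hits = matched_rules(SAMPLE_FILES, MESSAGE)
    for path, selector, action, attrs in hits:
        print(f"{action:5} {path} {selector} {attrs}")
    print(len(hits), "matched rules, verdict:", verdict(hits))
```

To use it on a real system, replace SAMPLE_FILES with (path, file contents) pairs read from /usr/share/dbus-1/system.conf and the two system.d directories named in the message.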