#626180 useless without ag_console policy

Package:
network-manager-openvpn
Source:
network-manager-openvpn
Description:
network management framework (OpenVPN plugin core)
Submitter:
Date:
2015-04-27 16:09:04 UTC
Severity:
important
#626180#5
Date:
2011-05-09 16:28:14 UTC
From:
To:
The content of /etc/dbus-1/system.d/nm-openvpn-service.conf as provided does not
appear sufficient to allow the openvpn functionality in network manager to work
in a useful way.  Adding an 'at_console' policy seems to fix things for me:
--- nm-openvpn-service.conf.orig	2011-05-09 09:47:31.484513417 -0600
+++ nm-openvpn-service.conf	2011-05-09 09:53:55.314350004 -0600
@@ -6,6 +6,10 @@
 		<allow own="org.freedesktop.NetworkManager.openvpn"/>
 		<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
 	</policy>
+	<policy user="at_console">
+		<allow own="org.freedesktop.NetworkManager.openvpn"/>
+		<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
+	</policy>
 	<policy context="default">
 		<deny own="org.freedesktop.NetworkManager.openvpn"/>
 		<deny send_destination="org.freedesktop.NetworkManager.openvpn"/>

Could this be fixed in the default configuration, please?

Bdale

#626180#10
Date:
2011-05-09 16:38:12 UTC
From:
To:
Hi

Am 09.05.2011 18:28, schrieb Bdale Garbee:

Could you elaborate on that, please.
What is your setup, what is the error message. See [1] for debugging tips.

  Adding an 'at_console' policy seems to fix things for me:

This opens a security hole, so I'd rather not do that and first try to
understand what your actual problem is.
Only root should be able to own that bus name.

Michael

[1] http://live.gnome.org/NetworkManager/Debugging

#626180#15
Date:
2011-05-09 17:15:56 UTC
From:
To:
employer.  This means I'm filling in a username but no password in the
configuration dialog and expect to be prompted for an OTP on connection
establishment.  With the provided nm-openvpn-service.conf content, an
attempt to establish a VPN connection does not result in the expected
password entry dialog box.  In fact, there is no visible activity on the
desktop at all. However, the following shows up in syslog:

May  9 09:22:14 rover NetworkManager[3149]: <info> Starting VPN service 'openvpn'...
May  9 09:22:14 rover NetworkManager[3149]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 17457
May  9 09:22:14 rover NetworkManager[3149]: <info> VPN service 'openvpn' appeared; activating connections
May  9 09:22:14 rover NetworkManager[3149]: <error> [1304954534.441698] [nm-vpn-connection.c:819] connection_need_secrets_cb(): NeedSecrets failed: dbus-glib-error-quar
k Rejected send message, 1 matched rules; type="method_call", sender=":1.3" (uid=0 pid=3149 comm="/usr/sbin/NetworkManager ") interface="org.freedesktop.NetworkManager.
VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManager.openvpn" (uid=0 pid=17457 comm="/usr/lib/NetworkMana
ger/nm-openvpn-service "))
May  9 09:22:14 rover NetworkManager[3149]: <warn> error disconnecting VPN: Rejected send message, 1 matched rules; type="method_call", sender=":1.3" (uid=0 pid=3149 co
mm="/usr/sbin/NetworkManager ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Disconnect" error name="(unset)" requested_reply=0 destination="org.freede
sktop.NetworkManager.openvpn" (uid=0 pid=17457 comm="/usr/lib/NetworkManager/nm-openvpn-service "))

Chasing the symptoms, I found a post by an Ubuntu user with the same
problem who worked around it with the at_console policy addition that I
included.  With that, things work as expected.

If there's a better fix, I'd be happy to know it.

Bdale

#626180#20
Date:
2011-05-09 17:40:01 UTC
From:
To:
Am 09.05.2011 19:15, schrieb Bdale Garbee:
trying connect to the OpenVPN server? Do you have a /var/run/console/root state
file?
Does it help if you close all root sessions, ie there is no more
/var/run/console/root

Michael

#626180#25
Date:
2011-05-09 17:57:21 UTC
From:
To:
I do not.

No.

Bdale

#626180#30
Date:
2011-05-09 21:10:29 UTC
From:
To:
Am 09.05.2011 19:57, schrieb Bdale Garbee:

Ok, then I'll need to setup a test system to debug this further.

Thanks for the input so far,
Michael

#626180#35
Date:
2011-05-09 23:32:37 UTC
From:
To:
My pleasure.  And of course I'll be happy to try things for you if/when
that would be useful.

Bdale

#626180#40
Date:
2012-07-14 20:48:34 UTC
From:
To:
Hi,

Just to be sure, is that stable or wheezy/sid?

Do you have anything in the syslog?
The dbus messages might be a red herring and your problems are somewhere
else, [1] has some debugging tips.

What desktop environment do you use? What does ck-list-sessions say.

I've CCed #626180, so we this conversation archived.

Michael

[1] https://live.gnome.org/NetworkManager/Debugging/

#626180#45
Date:
2012-09-28 15:25:22 UTC
From:
To:
Hello

I'm in a situation similar to Bdale (albeit in May...).

I'd like to use NetworkManager to setup openvpn with my company's network.

Thing is, I cannot reproduce Bdale's issue: when setting up VPN, I can see the
popup window asking me for a password after I ask for a new VPN connection
through the GUI (and KDE)

Unfortunately, the connection authentication fails, but that's another
problem.

HTH

#626180#50
Date:
2012-11-13 16:49:46 UTC
From:
To:
Hello

I've resolved the certificate problem that plagued me. I can now confirm that
network-manager + OpenVPN is working fine on Debian/sid *without* the work-
around provided by Bdale.

All the best

#626180#55
Date:
2013-02-21 13:28:51 UTC
From:
To:
Hi Bdale,

Do you still encounter this problem with an up-to-date sid system?

What's the output of "ck-list-sessions" when that problem happens?

Michael

#626180#60
Date:
2015-04-27 16:05:25 UTC
From:
To:
Hi Bdale,

I'm going through some old bug reports and notice we got stuck here
somehow. Can you install the latest version from jessie and test if that
version works for you now?