Bug 1214101

Summary: AUDIT-WHITELIST: deepin-api: Please keep the old com.deepin.* in whitelist for a while
Product: [openSUSE] openSUSE Tumbleweed Reporter: Hillwood Yang <hillwoodroc>
Component: SecurityAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: dimstar, matthias.gerstner
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Hillwood Yang 2023-08-09 07:37:54 UTC 
According to boo#1211376, com.deepin.* will be renamed to org.deepin.*. But the new version of deepin-api still is testing in X11:Deepin:Factory. We need to keep the old version in the com.deepin.* for a while. 

[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/com.deepin.api.Device.service (sha256 file digest default filter:613bfd2b5d6373ecaa519a1c8a4d2351106cb5986cb9acb04f13df1ba9aef7d6 shell filter:613bfd2b5d6373ecaa519a1c8a4d2351106cb5986cb9acb04f13df1ba9aef7d6 xml filter:<failed-to-calculate>)
[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/com.deepin.api.Device.conf (sha256 file digest default filter:e3effdf083da39eaddce7997c2c4c16f8268c9b9579dd30141f4c2f10a992a4d shell filter:3822da73f18676a6ddaa980449bf4051e1c9d234591a4222448c69830adcbd71 xml filter:36ecf94f509650ce97381a3af592319a124bb8c70e4b664a84fd2a2fb971c9f5)
[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/com.deepin.api.SoundThemePlayer.conf (sha256 file digest default filter:93a5dbb3545ec99317914663407d8608046805a9b0718c592cd19ff47bcc9481 shell filter:d4ec55c10193024a44eef60c9f08a581a45c377e954293bcad3b0a8fcb94c155 xml filter:0e6254e6d3905934d3fa5db5e58815f32fcea5dbac93dbed2a9e15214c8f10eb)
[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/com.deepin.api.SoundThemePlayer.service (sha256 file digest default filter:f906b7c664c7e0f3cf740cad1b63ed9ff668e1ac5233ba5c9a9734b6425b3763 shell filter:f906b7c664c7e0f3cf740cad1b63ed9ff668e1ac5233ba5c9a9734b6425b3763 xml filter:<failed-to-calculate>)
[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/com.deepin.api.LocaleHelper.service (sha256 file digest default filter:c4896ab305c8dff7fa6cfeef2ba194aeec85e649c3d72d3afaa16cc0ac7b7b55 shell filter:c4896ab305c8dff7fa6cfeef2ba194aeec85e649c3d72d3afaa16cc0ac7b7b55 xml filter:<failed-to-calculate>)
[  124s] deepin-api.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/com.deepin.api.LocaleHelper.conf (sha256 file digest default filter:7f339a4292fbd17478ff455471743c5a92f72183ca3c1c884f62e28a806ae893 shell
Comment 1 Hillwood Yang 2023-08-09 07:41:08 UTC 
Sorry, there is a mistake above. We need to keep com.deepin.* in the whitelist for a while.
Comment 2 Matthias Gerstner 2023-08-09 08:31:52 UTC 
You should only ask for whitelisting changes when you're actually going to
submit to Factory - this saves everybody unnecessary extra work.

I will check what can be done about this.
Comment 3 Matthias Gerstner 2023-08-15 08:11:09 UTC 
I will reinstate the old D-Bus service names and we will have both variants
active for the time until the rename becomes effective in Factory.
Comment 4 OBSbugzilla Bot 2023-08-18 10:15:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1214101) was mentioned in
https://build.opensuse.org/request/show/1104652 Factory / rpmlint
Comment 5 OBSbugzilla Bot 2023-08-18 13:25:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1214101) was mentioned in
https://build.opensuse.org/request/show/1104675 Factory / rpmlint
Comment 6 Matthias Gerstner 2023-08-22 10:58:53 UTC 
The change should be effective by now, closing as fixed.
Comment 7 Dominique Leuenberger 2023-08-28 11:56:47 UTC 
deepin-api still fails to build in Factory:

[   85s] deepin-api.x86_64: E: polkit-untracked-privilege (Badness: 10000) com.deepin.api.device.unblock-bluetooth-devices (no:no:auth_admin_keep)
[   85s] The polkit action is not listed in the polkit-default-privs profiles which
[   85s] makes it harder for admins to find. Furthermore improper polkit authorization
[   85s] checks can easily introduce security issues. If the package is intended for
[   85s] inclusion in any SUSE product please open a bug report to request review of
[   85s] the package by the security team. Please refer to
[   85s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   85s] more information.
Comment 8 Matthias Gerstner 2023-08-28 14:26:36 UTC 
Argh, this also affects polkit-default-privs. All right. I will adjust that,
too.