Bug 1220852

Summary: AUDIT-WHITELIST: cinnamon-settings-daemon: whitelist wacom.wacom-led-helper and wacom.wacom-oled-helper
Product: [openSUSE] openSUSE Distribution Reporter: Max Lin <mlin>
Component: SecurityAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: filippo.bonazzi, wolfgang.frisch
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Max Lin 2024-03-04 11:01:01 UTC 
Hi Security team,

We're aiming to bring newer cinnamon into Leap 15.6, cinnamon-settings-daemon has two polkit-unauthorized-privilege issues[1]:

cinnamon-settings-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.cinnamon.settings-daemon.plugins.wacom.wacom-led-helper (no:no:yes)

cinnamon-settings-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.cinnamon.settings-daemon.plugins.wacom.wacom-oled-helper (no:no:yes)

Could you please review and whitelist these two operations, and update polkit-default-privs to *SLE15*? I think the target should be SLE-15-SP6 codestream.

I supposed the same whitelist has been accepted on github and Tumbleweed via https://github.com/openSUSE/polkit-default-privs/pull/46 and https://github.com/openSUSE/polkit-default-privs/pull/100


[1] https://build.opensuse.org/package/live_build_log/home:mlin7442:rebuild_fails_156:cinnamon/cinnamon-settings-daemon/openSUSE_Leap_15.6/x86_64 , Cinnamon devel project doesn't enable leap15 build thus I use this project for the build verification.
Comment 1 Wolfgang Frisch 2024-03-04 11:20:11 UTC 
Thank you for bringing this issue to our attention.
We will schedule it in our team shortly.
Comment 2 Matthias Gerstner 2024-03-04 11:21:59 UTC 
Yes we already reviewed these components for Tumbleweed.

Backporting the whitelist to Leap will take some time since the SLE
maintenance process for rpmlint needs to be followed. We will start this
process.
Comment 3 Matthias Gerstner 2024-03-06 10:58:02 UTC 
I'm backporting the whitelist into SLE-15-SP6.
Comment 4 Filippo Bonazzi 2024-03-06 11:19:06 UTC 
The previous reviews for Tumbleweed happened in bug 1186845 and bug 1217532 respectively.
Comment 6 Matthias Gerstner 2024-03-27 11:03:54 UTC 
This is now in SLE-15-SP6:GA/polkit-default-privs. Closing as fixed.