Policy Kit does not allow to restart a service, despite an adequate rule


As the nagios user, I cannot execute systemctl. Tracking it down to pkexec, I get:

-sh-4.2$ pkexec systemctl reload nagios
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/systemctl' as the super user

However, I have a very, very lenient polkit rule (it is NOT a production system):

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        var verb = action.lookup("verb");
        if (verb == "start" || verb == "stop" || verb == "restart" || verb == "reload") {
            return polkit.Result.YES;
        }
    }
});

I double-checked that it is compiled when restarting polkit.service. What is the problem?

OS: RHEL7
Systemd version: 219
PolKit version: 0.112

Thanks,

Xavier

There are 2 best solutions below

It seems that the combo Systemd 219 + PolKit 0.112 does not support the "verb" statement. Adding some logging to the rule shows me this:

/etc/polkit-1/rules.d/01-nagios.rules:7: verb=undefined

Looks like a bug in Polkit 0.112.

Xavier

This is not a bug in Polkit; rather, it is a bug (or at least a limitation) in this version of systemd. The reason is that the 'action' is provided by the mechanism using Polkit, and in this case that is provided by systemd.

You can cross-check this in polkit(8).

See systemd release notes (https://github.com/systemd/systemd/blob/main/NEWS)

CHANGES WITH 226:

    * When systemd requests a polkit decision when managing units it
      will now add additional fields to the request, including unit
      name and desired operation. This enables more powerful polkit
      policies, that make decisions depending on these parameters.

So for the likes of RHEL7, I guess that would mean futzing around the issue using sudo, whereas this does work nicely in RHEL8.

Shame, I was looking forward to using that.
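
A rule that copes with both behaviours described in the answers, as an added example that is not code from the thread: it declines when systemd supplies no details (219, where `verb` is undefined) and grants only a scoped request when they are present (226 and later). The `unit` lookup key, the `nagios.service` unit name, and the `pk` stand-in used for testing outside polkitd are assumptions.

```javascript
// Added example. ES5 syntax only: polkit 0.112 embeds an old JavaScript engine.
// Under polkitd the global `polkit` exists; the stand-in below is constructed
// so the same file can be exercised with Node.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: "not_handled" },
    log: function (msg) {},
    addRule: function (fn) {}
};

// Assumptions: the account and unit name from the question.
var ALLOWED_USER = "nagios";
var ALLOWED_UNIT = "nagios.service";
var ALLOWED_VERBS = ["start", "stop", "restart", "reload"];

function decide(action, subject) {
    // Other actions, such as the org.freedesktop.policykit.exec prompt that
    // pkexec raised in the question, are left to other rules.
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return pk.Result.NOT_HANDLED;
    }
    var verb = action.lookup("verb");
    var unit = action.lookup("unit");
    if (verb === undefined || unit === undefined) {
        // systemd before 226 sends no details, so the request cannot be
        // scoped. Log it and decline instead of granting every unit operation.
        pk.log("manage-units without unit/verb details from " + subject.user);
        return pk.Result.NOT_HANDLED;
    }
    if (subject.user === ALLOWED_USER &&
        unit === ALLOWED_UNIT &&
        ALLOWED_VERBS.indexOf(verb) !== -1) {
        return pk.Result.YES;
    }
    return pk.Result.NOT_HANDLED;
}

pk.addRule(decide);
```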