Unprivileged updates for Fedora Atomic Desktops not working on F41

Hi all,

Reading the F41 release notes, I stumbled upon this new feature: Unprivileged updates for Fedora Atomic Desktops

So I wanted to test on my freshly updated silverblue F41, and I was surprised it did not work :thinking:

Looking at Changes/UnprivilegedUpdatesAtomicDesktops - Fedora Project Wiki,
it seems I should have this file present:
/etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules

But it is missing from my system…

Any idea why?

Hey there! Let's see.

Like with many other areas, on Linux systems there are directories that are preferred over others.

/etc/polkit-1 is preferred over /usr/share/polkit-1

The system rules are all in /usr so they are included in the immutable system image and get all the updates Fedora ships.

The workaround to test it was to have a rule with all actions and place it in /etc so it overrides the default rule in /usr which blocks the updates.

Can you give me an

ls /usr/share/polkit-1/rules.d

cat /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules

Ah!

sure, so the rule is there…

ls /usr/share/polkit-1/rules.d
20-gnome-initial-setup.rules         gamemode.rules                                     org.fedoraproject.FirewallD1.rules  org.freedesktop.fwupd.rules         sssd-pcsc.rules
20-gnome-remote-desktop.rules        gnome-control-center.rules                         org.fedoraproject.thirdparty.rules  org.freedesktop.GeoClue2.rules      systemd-networkd.rules
50-default.rules                     org.a11y.brlapi.rules                              org.freedesktop.bolt.rules          org.gtk.vfs.file-operations.rules
com.endlessm.ParentalControls.rules  org.fedoraproject.FirewallD1.desktop.rules.choice  org.freedesktop.Flatpak.rules       org.projectatomic.rpmostree1.rules
cat /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules
polkit.addRule(function(action, subject) {
    if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
         action.id == "org.projectatomic.rpmostree1.upgrade") &&
        subject.active == true &&
        subject.local == true) {
            return polkit.Result.YES;
    }

    if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
         action.id == "org.projectatomic.rpmostree1.rollback" ||
         action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
         action.id == "org.projectatomic.rpmostree1.cancel" ||
         action.id == "org.projectatomic.rpmostree1.cleanup" ||
         action.id == "org.projectatomic.rpmostree1.client-management") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

But if I try

$ rpm-ostree refresh-md 
error: rpmostreed OS operation RefreshMd not allowed for user
$ id
uid=1000(tognjul1) gid=1000(tognjul1) groups=1000(tognjul1),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Maybe I know why !

Does subject.local == true mean I need to sit in front of the computer?

Because I'm connected remotely via gnome-remote-desktop!

Yes, it only works for users physically in front of the computer, not for remote sessions.

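To see concretely why the shipped rule passes for a user at the console and falls through for a remote session, here is an added example (not from the thread, Fedora or rpm-ostree) that models polkit's rule evaluation in plain JavaScript: a stand-in `polkit` object, the rule from /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules registered unchanged, and constructed subjects for a local wheel user and for the same user in a non-local session. The `evaluate` helper and the `"auth_admin"` fallback it returns when no rule matches are assumptions made for the simulation, not polkitd internals; the action's real implicit default lives in the rpm-ostree policy file and is not quoted in the thread.

```javascript
// Stand-in for the polkit JavaScript rule engine (constructed for this example,
// not polkitd). Rules run in registration order; the first one that returns a
// polkit.Result decides, and returning nothing falls through to the action's
// implicit default.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// A subject as polkit hands it to rules: `active` and `local` describe the
// session, isInGroup() checks group membership. Values here are constructed.
function makeSubject({ user, groups = [], active = true, local = true }) {
  return { user, active, local, isInGroup: (g) => groups.includes(g) };
}

// The rule printed earlier in the thread, registered verbatim.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
       action.id == "org.projectatomic.rpmostree1.upgrade") &&
      subject.active == true &&
      subject.local == true) {
    return polkit.Result.YES;
  }

  if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
       action.id == "org.projectatomic.rpmostree1.rollback" ||
       action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
       action.id == "org.projectatomic.rpmostree1.cancel" ||
       action.id == "org.projectatomic.rpmostree1.cleanup" ||
       action.id == "org.projectatomic.rpmostree1.client-management") &&
      subject.active == true &&
      subject.local == true &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

// Evaluate one action for one subject. The implicit default used when no rule
// answers is an assumption for this simulation (real defaults come from the
// action's .policy file).
function evaluate(actionId, subject, implicitDefault = polkit.Result.AUTH_ADMIN) {
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined) return result;
  }
  return implicitDefault;
}

// Scenarios from the thread: the same wheel user at the console versus in a
// session that polkit does not consider local (the remote-desktop case as the
// reply describes it), plus a local user who is not in wheel.
function scenarios() {
  const consoleWheel = makeSubject({ user: "tognjul1", groups: ["wheel"] });
  const remoteWheel  = makeSubject({ user: "tognjul1", groups: ["wheel"], local: false });
  const consoleUser  = makeSubject({ user: "guest" });
  const REFRESH  = "org.projectatomic.rpmostree1.repo-refresh";
  const ROLLBACK = "org.projectatomic.rpmostree1.rollback";
  return {
    consoleRefresh:  evaluate(REFRESH, consoleWheel),   // "yes": rule matches
    remoteRefresh:   evaluate(REFRESH, remoteWheel),    // "auth_admin": subject.local is false, rule falls through
    consoleRollback: evaluate(ROLLBACK, consoleWheel),  // "yes": local, active and in wheel
    guestRefresh:    evaluate(REFRESH, consoleUser),    // "yes": refresh/upgrade need no group
    guestRollback:   evaluate(ROLLBACK, consoleUser),   // "auth_admin": not in wheel
  };
}

console.log(scenarios());
```

The point the thread lands on is visible in `remoteRefresh`: nothing in the rule is about the user's identity or groups; the session itself fails the `subject.local` check, so the rule returns no result and the daemon is left with the action's default, which is what surfaces as "not allowed for user". A rule dropped into /etc/polkit-1/rules.d that omits the `local` condition would change that, at the cost of letting any remote session trigger updates, which is why the shipped rule keeps it.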