A security policy in place prevents mounting of volumes.

If accessing a CD-ROM or USB device results in the following error:

A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface “org.freedesktop.Hal.Device.Volume” member “Mount” error name “(unset)” destination “org.freedesktop.Hal”)

… I have a fix for you. This is caused by the hal daemon not allowing you to access the device because of a security policy. The hal daemon's security policy resides in the file “/etc/dbus-1/system.d/hal.conf”. Let's open it and see what's in there.



<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- This configuration file specifies the required security policies
       for the HAL to work. -->

  <!-- Only root or user haldaemon can own the HAL service -->
  <policy user="haldaemon">
    <allow own="org.freedesktop.Hal"/>
  </policy>
  <policy user="root">
    <allow own="org.freedesktop.Hal"/>
  </policy>

  <!-- Allow anyone to invoke methods on the Manager and Device interfaces -->
  <policy context="default">
    <allow send_interface="org.freedesktop.Hal.Manager"/>
    <allow send_interface="org.freedesktop.Hal.Device"/>

    <allow receive_interface="org.freedesktop.Hal.Manager"
           receive_sender="org.freedesktop.Hal"/>
    <allow receive_interface="org.freedesktop.Hal.Device"
           receive_sender="org.freedesktop.Hal"/>
  </policy>

  <!-- Default policy for the exported interfaces -->
  <policy context="default">
    <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <deny send_interface="org.freedesktop.Hal.Device.Volume"/>
    <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

  <!-- This will not work if pam_console support is not enabled -->
  <policy at_console="true">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

  <!-- You can change this to a more suitable user, or make per-group -->
  <policy user="0">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

</busconfig>

If you look at this config file, you will see the following sections:

  • Owners of the HAL service
  • Permissions for anyone to invoke the Manager and Device interfaces
  • Default policy for the exported interfaces
  • Policy for Console Interface
  • Policies for Users or Groups

In our error message, the problem was with the “org.freedesktop.Hal.Device.Volume” security policy. The policy file shown above has no policy allowing any user to use the Volume devices. However, towards the end of the policy config file there is a policy set for the “root” user: the user="0" attribute means that it refers to the root user. Therefore, as the policy says, only the root user has access to the Volume device. The comment above it also states that we can change this policy or add another one to suit our needs.

So we can add a new policy for the group called “plugdev” or “cdrom” or whatever group you feel like. Make sure the group exists before adding the policy. In my case I created the group “plugdev” and added my user account to it. Now let's add the new policy:

  <policy group="plugdev">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

Once you have added the new policy, restarting X would be a good idea to make the changes effective. I don’t know if this is in fact the case for everyone, but do so if you still get the error. Alternatively, you could try restarting the hal daemon by executing:

/etc/init.d/haldaemon restart

Another way of fixing the problem is to add the policies to the “Permissions for anyone to invoke the Manager and Device interfaces” section of the config. That way you don’t have to add a group and specify which group is allowed access to the Volume devices. That section will then look like:

  <!-- Allow anyone to invoke methods on the Manager and Device interfaces -->
  <policy context="default">
    <allow send_interface="org.freedesktop.Hal.Manager"/>
    <allow send_interface="org.freedesktop.Hal.Device"/>

    <allow receive_interface="org.freedesktop.Hal.Manager"
           receive_sender="org.freedesktop.Hal"/>
    <allow receive_interface="org.freedesktop.Hal.Device"
           receive_sender="org.freedesktop.Hal"/>

    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

  </policy>

I haven’t tested this method of allowing Volume access. So if you have and got it working, your feedback is welcome.
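
An added example (not from the original post): a simplified Python model of the order in which dbus-daemon applies policies (context="default", then group, then user, then at_console, with a later matching rule overriding an earlier one), run against a constructed, reduced copy of the hal.conf above. It evaluates only send_interface rules and assumes deny until a rule allows. In this model the plugdev policy opens Volume to group members only, while an allow placed in the first default block is overridden by the deny block that follows it.

```python
import xml.etree.ElementTree as ET

VOLUME = "org.freedesktop.Hal.Device.Volume"
ALLOW_VOL = '<allow send_interface="%s"/>' % VOLUME
# Constructed sample: the page's hal.conf reduced to the rules that affect Volume.
BASE = """<busconfig>
  <policy context="default">
    <allow send_interface="org.freedesktop.Hal.Device"/>
  </policy>
  <policy context="default">
    <deny send_interface="org.freedesktop.Hal.Device.Volume"/>
  </policy>
  <policy at_console="true">
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
  </policy>
  <policy user="0">
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
  </policy>
</busconfig>"""
# The page's two fixes: a plugdev group policy, or an allow in the first default block.
WITH_GROUP = BASE.replace("</busconfig>",
                          '<policy group="plugdev">%s</policy></busconfig>' % ALLOW_VOL)
IN_DEFAULT = BASE.replace("</policy>", ALLOW_VOL + "</policy>", 1)

STAGES = ["context", "group", "user", "at_console"]  # order dbus-daemon applies policies

def stage(policy):
    return next(i for i, key in enumerate(STAGES) if key in policy.attrib)

def applies(policy, ids, groups, at_console):
    a = policy.attrib
    if "context" in a:
        return a["context"] == "default"  # context="mandatory" is not modelled
    if "group" in a:
        return a["group"] in groups
    if "user" in a:
        return a["user"] in ids
    return (a["at_console"] == "true") == at_console

def can_send(conf_xml, interface, ids, groups=(), at_console=False):
    """ids: the sender's uid and user name as strings; returns True if allowed."""
    verdict = False  # assumption: nothing is allowed until a rule says so
    policies = ET.fromstring(conf_xml).findall("policy")
    for policy in sorted(policies, key=stage):  # stable sort keeps file order per stage
        if applies(policy, ids, groups, at_console):
            for rule in policy:
                if rule.get("send_interface") == interface:
                    verdict = rule.tag == "allow"  # a later matching rule overrides
    return verdict
```

The user names alice and bob used when calling `can_send` are hypothetical; pass the sender's uid and name in `ids` and its group names in `groups`.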


5 Responses to A security policy in place prevents mounting of volumes.

  1. Pingback: A security policy in place prevents mounting of volumes | gabcicala

  2. Pingback: Instalar Arch Linux « descomposiciones

  3. Tomas Hroch says:

    Very, very and once more very thanks for this, you save my life :)

  4. Warq says:

    Thank you very much, it helps a lot.

  5. Sven says:

    Thanks a lot!
    This helped me to use my USB Flash Drive under Vector Linux 6.0!
