launchd & mDNSResponder: "Policy denied Mach service lookup"

by Björn Giesler-2

Hi,

I've recently migrated to a new MacBook Pro, and since that migration,  
found that Bonjour no longer worked, and indeed that all applications  
that used Bonjour just hang. I've traced this to what looks like a  
problem in the interaction of mDNSResponder and launchd; the log  
messages I get are lots of

com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.distributed_notifications.2

etc.etc. with different services.

I don't yet quite understand how launchd and launched processes  
interact. Why is launchd responsible for service lookups for other  
applications? Where are policies stored? etc. The manpage says nothing  
about this.

I've tried looking for the above message in the launchd code and found  
it in launchd_core_logic.c in the SULeopard branch, which introduces  
the mspolicy_* functions, but I'm afraid I can't make much sense of  
it. I'll try to compile my own launchd and step through it, but it  
would be nice if somebody could push me in the right direction. (Is  
there even some documentation on this?) As a Unix rc guy, launchd is a  
twisty maze of passages, all alike...

Thanks in advance & Regards,
Björn
_______________________________________________
launchd-dev mailing list
launchd-dev@...
http://lists.macosforge.org/mailman/listinfo.cgi/launchd-dev

Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Damien Sorresso

On Aug 1, 2009, at 11:38 PM, Björn Giesler wrote:

> Hi,
>
> I've recently migrated to a new MacBook Pro, and since that  
> migration, found that Bonjour no longer worked, and indeed that all  
> applications that used Bonjour just hang. I've traced this to what  
> looks like a problem in the interaction of mDNSResponder and  
> launchd; the log messages I get are lots of
>
> com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.distributed_notifications.2
>
> etc.etc. with different services.
>
> I don't yet quite understand how launchd and launched processes  
> interact. Why is launchd responsible for service lookups for other  
> applications? Where are policies stored? etc. The manpage says  
> nothing about this.
>
> I've tried looking for the above message in the launchd code and  
> found it in launchd_core_logic.c in the SULeopard branch, which  
> introduces the mspolicy_* functions, but I'm afraid I can't make  
> much sense of it. I'll try to compile my own launchd and step  
> through it, but it would be nice if somebody could push me in the  
> right direction. (Is there even some documentation on this?) As a  
> Unix rc guy, launchd is a twisty maze of passages, all alike...

mDNSResponder has a policy set on it saying that it is allowed to look
up only a certain set of MachService names.  
"com.apple.distributed_notifications.2" is not in that list, so we log  
a warning about it. There's probably a framework behind the scenes  
that mDNSResponder uses that is looking up that service.

It's basically a harmless error (I don't believe distributed  
notifications are essential to mDNSResponder's function), but feel  
free to file a bug against mDNSResponder.
--
Damien Sorresso
BSD Engineering
Apple Inc.


Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Björn Giesler-2

Hi,

thanks for your reply!

On 02.08.2009 at 08:57, Damien Sorresso wrote:
> mDNSResponder has a policy set on it saying that it is allowed to
> look up only a certain set of MachService names.  
> "com.apple.distributed_notifications.2" is not in that list, so we  
> log a warning about it. There's probably a framework behind the  
> scenes that mDNSResponder uses that is looking up that service.
>
> It's basically a harmless error (I don't believe distributed  
> notifications are essential to mDNSResponder's function), but feel  
> free to file a bug against mDNSResponder.

Well, that's by far not the only service it requests; it fills up the  
log with those messages. I probably picked the least crucial one, it's  
also trying to look up com.apple.system.notification_center,
com.apple.system.DirectoryService.libinfo_v1,  
com.apple.SystemConfiguration.configd and lots more.

So if you write that "mDNSResponder has a policy set on it", I guess  
my question is, where do these policies get set?

Thanks a lot,
Björn

Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Björn Giesler-2

Hi,

can nobody answer my question? I'd like to know where I can set  
policies that allow launchd subprocesses (mDNSResponder in my case) to  
look up Mach services.

My error is

com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.DirectoryService.libinfo_v1
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd

etc.etc.

The launchd documentation knows nothing about policies.

Thanks a lot in advance,
Björn

On 02.08.2009 at 09:06, Björn Giesler wrote:

> Hi,
>
> thanks for your reply!
>
> On 02.08.2009 at 08:57, Damien Sorresso wrote:
>> mDNSResponder has a policy set on it saying that it is allowed to
>> look up only a certain set of MachService names.  
>> "com.apple.distributed_notifications.2" is not in that list, so we  
>> log a warning about it. There's probably a framework behind the  
>> scenes that mDNSResponder uses that is looking up that service.
>>
>> It's basically a harmless error (I don't believe distributed  
>> notifications are essential to mDNSResponder's function), but feel  
>> free to file a bug against mDNSResponder.
>
> Well, that's by far not the only service it requests; it fills up  
> the log with those messages. I probably picked the least crucial  
> one, it's also trying to look up
> com.apple.system.notification_center,  
> com.apple.system.DirectoryService.libinfo_v1,  
> com.apple.SystemConfiguration.configd and lots more.
>
> So if you write that "mDNSResponder has a policy set on it", I guess  
> my question is, where do these policies get set?
>
> Thanks a lot,
> Björn

Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Damien Sorresso

On Aug 10, 2009, at 11:43 AM, Björn Giesler wrote:

> Hi,
>
> can nobody answer my question? I'd like to know where I can set  
> policies that allow launchd subprocesses (mDNSResponder in my case)  
> to look up Mach services.
>
> My error is
>
> com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
> com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.DirectoryService.libinfo_v1
> com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd
>
> etc.etc.
>
> The launchd documentation knows nothing about policies.

/usr/share/sandbox/mDNSResponder.sb
--
Damien Sorresso
BSD Engineering
Apple Inc.
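
The triage step implied by this exchange, as an added example that is not part of the thread or of launchd: it tallies denied Mach service lookups per job from syslog text and reports whether each denied name appears as a quoted string in a sandbox profile. The sample log lines and sample profile are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage launchd "Policy denied Mach service lookup" messages.
# Usage (the log path is an assumption about the local syslog setup):
#   denied_lookups < /var/log/system.log | check_profile /usr/share/sandbox/mDNSResponder.sb

# Constructed sample log lines, in the format quoted in the thread.
sample_log() {
cat <<'EOF'
Aug 10 11:40:01 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
Aug 10 11:40:01 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd
Aug 10 11:40:02 mbp example[77]: (constructed) unrelated message
Aug 10 11:40:03 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
Aug 10 11:40:04 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.distributed_notifications.2
Aug 10 11:40:05 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd
Aug 10 11:40:06 mbp com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
EOF
}

# Constructed stand-in profile; the check below only looks for quoted names.
sample_profile() {
cat <<'EOF'
(version 1)
(deny default)
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
EOF
}

# stdin: syslog text. stdout: "<count> <job> <service>", most frequent first.
denied_lookups() {
    sed -n 's/.*com\.apple\.launchd\[[0-9]*\] (\([^[]*\)\[[0-9]*\]): Policy denied Mach service lookup: \([^ ]*\).*/\1 \2/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# $1: profile path. stdin: output of denied_lookups.
# Appends "listed" when the service name appears quoted in the profile,
# "absent" otherwise.
check_profile() {
    while read -r count job svc; do
        if grep -qF "\"$svc\"" "$1"; then state=listed; else state=absent; fi
        echo "$count $job $svc $state"
    done
}
```

A name reported as absent matches the explanation above that the service is not in the job's allowed list.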

Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Björn Giesler-2

Hi,

On 10.08.2009 at 20:52, Damien Sorresso wrote:
> /usr/share/sandbox/mDNSResponder.sb

Thanks. That was it, indeed. Strangely, what I did was comment out  
(debug deny) and comment in (debug allow), then started mDNSResponder.  
That filled my log with all sorts of NET_OUTBOUND ALLOW messages, but  
the "Policy denied" messages were gone. So I restored the commenting,  
and now it works. I changed nothing else.

Oh, I did change one more thing: mDNSResponder.sb has access bits
rw-r--r-- now, was r--r--r--. But that can't have been it, can it? Surely
sandbox doesn't need to write these config files?

Regards,
Björn

Re: launchd & mDNSResponder: "Policy denied Mach service lookup"

by Damien Sorresso

On Aug 10, 2009, at 12:18 PM, Björn Giesler wrote:

> Hi,
>
> On 10.08.2009 at 20:52, Damien Sorresso wrote:
>> /usr/share/sandbox/mDNSResponder.sb
>
> Thanks. That was it, indeed. Strangely, what I did was comment out  
> (debug deny) and comment in (debug allow), then started  
> mDNSResponder. That filled my log with all sorts of NET_OUTBOUND  
> ALLOW messages, but the "Policy denied" messages were gone. So I  
> restored the commenting, and now it works. I changed nothing else.

You're better off just leaving that file alone. Just file a bug
against mDNSResponder, since it is attempting to access resources  
outside its sandbox.

> Oh, I did change one more thing: mDNSResponder.sb has access bits
> rw-r--r-- now, was r--r--r--. But that can't have been it, can it?
> Surely sandbox doesn't need to write these config files?


It's owned by root. What's the point of taking away the write bit?
--
Damien Sorresso
BSD Engineering
Apple Inc.