launchd & mDNSResponder: "Policy denied Mach service lookup"
Hi,
I've recently migrated to a new MacBook Pro, and since that migration, found that Bonjour no longer worked, and indeed that all applications that used Bonjour just hang. I've traced this to what looks like a problem in the interaction of mDNSResponder and launchd; the log messages I get are lots of
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.distributed_notifications.2
etc.etc. with different services.
I don't yet quite understand how launchd and launched processes interact. Why is launchd responsible for service lookups for other applications? Where are policies stored? etc. The manpage says nothing about this.
I've tried looking for the above message in the launchd code and found it in launchd_core_logic.c in the SULeopard branch, which introduces the mspolicy_* functions, but I'm afraid I can't make much sense of it. I'll try to compile my own launchd and step through it, but it would be nice if somebody could push me in the right direction. (Is there even some documentation on this?) As a Unix rc guy, launchd is a twisty maze of passages, all alike...
Thanks in advance & Regards, Björn
On Aug 1, 2009, at 11:38 PM, Björn Giesler wrote:
Hi,
I've recently migrated to a new MacBook Pro, and since that migration, found that Bonjour no longer worked, and indeed that all applications that used Bonjour just hang. I've traced this to what looks like a problem in the interaction of mDNSResponder and launchd; the log messages I get are lots of
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.distributed_notifications.2
etc.etc. with different services.
I don't yet quite understand how launchd and launched processes interact. Why is launchd responsible for service lookups for other applications? Where are policies stored? etc. The manpage says nothing about this.
I've tried looking for the above message in the launchd code and found it in launchd_core_logic.c in the SULeopard branch, which introduces the mspolicy_* functions, but I'm afraid I can't make much sense of it. I'll try to compile my own launchd and step through it, but it would be nice if somebody could push me in the right direction. (Is there even some documentation on this?) As a Unix rc guy, launchd is a twisty maze of passages, all alike...
mDNSResponder has a policy set on it saying that it is allowed to look up only a certain set of MachService names. "com.apple.distributed_notifications.2" is not in that list, so we log a warning about it. There's probably a framework behind the scenes that mDNSResponder uses that is looking up that service.
It's basically a harmless error (I don't believe distributed notifications are essential to mDNSResponder's function), but feel free to file a bug against mDNSResponder.
-- Damien Sorresso BSD Engineering Apple Inc.
Hi,
thanks for your reply!
On 02.08.2009 at 08:57, Damien Sorresso wrote:
mDNSResponder has a policy set on it saying that it is allowed to look up only a certain set of MachService names. "com.apple.distributed_notifications.2" is not in that list, so we log a warning about it. There's probably a framework behind the scenes that mDNSResponder uses that is looking up that service.
It's basically a harmless error (I don't believe distributed notifications are essential to mDNSResponder's function), but feel free to file a bug against mDNSResponder.
Well, that's by far not the only service it requests; it fills up the log with those messages. I probably picked the least crucial one, it's also trying to look up com.apple.system.notification_center, com.apple.system.DirectoryService.libinfo_v1, com.apple.SystemConfiguration.configd and lots more.
So if you write that "mDNSResponder has a policy set on it", I guess my question is, where do these policies get set?
Thanks a lot, Björn
Hi,
can nobody answer my question? I'd like to know where I can set policies that allow launchd subprocesses (mDNSResponder in my case) to look up Mach services.
My error is
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.DirectoryService.libinfo_v1
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd
etc.etc.
The launchd documentation knows nothing about policies.
Thanks a lot in advance, Björn
On 02.08.2009 at 09:06, Björn Giesler wrote:
Hi,
thanks for your reply!
On 02.08.2009 at 08:57, Damien Sorresso wrote:
mDNSResponder has a policy set on it saying that it is allowed to look up only a certain set of MachService names. "com.apple.distributed_notifications.2" is not in that list, so we log a warning about it. There's probably a framework behind the scenes that mDNSResponder uses that is looking up that service.
It's basically a harmless error (I don't believe distributed notifications are essential to mDNSResponder's function), but feel free to file a bug against mDNSResponder.
Well, that's by far not the only service it requests; it fills up the log with those messages. I probably picked the least crucial one, it's also trying to look up com.apple.system.notification_center, com.apple.system.DirectoryService.libinfo_v1, com.apple.SystemConfiguration.configd and lots more.
So if you write that "mDNSResponder has a policy set on it", I guess my question is, where do these policies get set?
Thanks a lot, Björn
_______________________________________________
launchd-dev mailing list
launchd-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/launchd-dev
On Aug 10, 2009, at 11:43 AM, Björn Giesler wrote:
Hi,
can nobody answer my question? I'd like to know where I can set policies that allow launchd subprocesses (mDNSResponder in my case) to look up Mach services.
My error is
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.notification_center
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.system.DirectoryService.libinfo_v1
com.apple.launchd[1] (com.apple.mDNSResponder[2551]): Policy denied Mach service lookup: com.apple.SystemConfiguration.configd
etc.etc.
The launchd documentation knows nothing about policies.
/usr/share/sandbox/mDNSResponder.sb
-- Damien Sorresso BSD Engineering Apple Inc.
Hi,
On 10.08.2009 at 20:52, Damien Sorresso wrote:
/usr/share/sandbox/mDNSResponder.sb
Thanks. That was it, indeed. Strangely, what I did was comment out (debug deny) and comment in (debug allow), then started mDNSResponder. That filled my log with all sorts of NET_OUTBOUND ALLOW messages, but the "Policy denied" messages were gone. So I restored the commenting, and now it works. I changed nothing else.
Oh, I did change one more thing: mDNSResponder.sb has access bits rw-r--r-- now, was r--r--r--. But that can't have been it, can it? Surely sandbox doesn't need to write these config files?
Regards, Björn
On Aug 10, 2009, at 12:18 PM, Björn Giesler wrote:
Hi,
On 10.08.2009 at 20:52, Damien Sorresso wrote:
/usr/share/sandbox/mDNSResponder.sb
Thanks. That was it, indeed. Strangely, what I did was comment out (debug deny) and comment in (debug allow), then started mDNSResponder. That filled my log with all sorts of NET_OUTBOUND ALLOW messages, but the "Policy denied" messages were gone. So I restored the commenting, and now it works. I changed nothing else.
You're better off just leaving that file alone. Just file a bug against mDNSResponder, since it is attempting to access resources outside its sandbox.
Oh, I did change one more thing: mDNSResponder.sb has access bits rw-r--r-- now, was r--r--r--. But that can't have been it, can it? Surely sandbox doesn't need to write these config files?
It's owned by root. What's the point of taking away the write bit?
-- Damien Sorresso BSD Engineering Apple Inc.
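Added example (not part of the thread and not Apple's code): a small Python script that tallies the "Policy denied Mach service lookup" lines quoted above per launchd job, producing the list of denied Mach service names to attach to a bug report against mDNSResponder. The sample log is constructed from the service names in the thread; the timestamp and host prefix and the second PID are assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread:
#   com.apple.launchd[1] (<job label>[<pid>]): Policy denied Mach service lookup: <service>
DENIAL_RE = re.compile(
    r"com\.apple\.launchd\[\d+\] \((?P<job>[^\[\]()]+)\[(?P<pid>\d+)\]\): "
    r"Policy denied Mach service lookup: (?P<service>\S+)"
)

def summarize_denials(lines):
    """Return {job label: {service name: count}} over all denial lines."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DENIAL_RE.search(line)
        if m:  # lines that are not policy denials are skipped
            # Key on the job label, not the PID: a respawned job gets a new PID.
            summary[m.group("job")][m.group("service")] += 1
    return {job: dict(services) for job, services in summary.items()}

def report(summary):
    """Format the summary as plain text, most frequently denied service first."""
    out = []
    for job in sorted(summary):
        out.append(f"{job}: {len(summary[job])} distinct Mach services denied")
        ranked = sorted(summary[job].items(), key=lambda kv: (-kv[1], kv[0]))
        out.extend(f"  {count:>4}  {service}" for service, count in ranked)
    return "\n".join(out)

# Constructed sample input. "Aug 10 11:40:0x host" and PID 2560 are made up;
# the message bodies follow the lines quoted in the thread.
P = "com.apple.launchd[1] (com.apple.mDNSResponder[%d]): Policy denied Mach service lookup: %s"
SAMPLE_LOG = [
    "Aug 10 11:40:01 host " + P % (2551, "com.apple.system.notification_center"),
    "Aug 10 11:40:01 host " + P % (2551, "com.apple.system.DirectoryService.libinfo_v1"),
    "Aug 10 11:40:02 host " + P % (2551, "com.apple.SystemConfiguration.configd"),
    "Aug 10 11:40:02 host " + P % (2551, "com.apple.distributed_notifications.2"),
    "Aug 10 11:40:09 host " + P % (2560, "com.apple.system.notification_center"),
    "Aug 10 11:40:09 host mDNSResponder[2560]: constructed unrelated line",
]

if __name__ == "__main__":
    print(report(summarize_denials(SAMPLE_LOG)))
```
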
participants (2)
- Björn Giesler
- Damien Sorresso