Anastasia asked me to take a look at this. I'm still not sure what the underlying cause is, but here is some of what I've discovered so far.
1. There has been a change in policykit-1 that sounds like it might be relevant. Namely:
[ Martin Pitt ]
* Use PAM's common-session-noninteractive modules for pkexec instead of
common-session. The latter also runs pam_systemd (the only difference
normally) which is a no-op under the classic session-centric
D-BUS/graphical login model (as it won't start a new one if it is already
running within a logind session), but very expensive when using
dbus-user-session and being called from a service that runs outside the
PAM session. This causes long delays in e. g. gnome-settings-daemon's
backlight helpers. (LP: #1626651)
So if something is being run by pkexec, it is no longer executing pam_systemd.so. That module is responsible for registering with logind, setting up the user bus, etc.
So it seems possible that there is some code in the test suite that looked like it was running under an interactive user session on Xenial, but doesn't any more on Zesty.
2. The default policies for systemd1.manage-units haven't changed between versions. In both cases, it reads:
So it is possible that the test works on previous versions by piggy backing off a previous authorisation via auth_admin_keep. If we look like a non-interactive invocation on Zesty, we may need authentication every time now.
3. Maybe we can bypass all of this by configuring the polkit local authority to allow the test process to manage units unconditionally. This would work for all versions irrespective of whether we look like an interactive session.
This would involve placing a policy file under /etc/polkit-1/localauthority/50-local.d before running the tests.
Anastasia asked me to take a look at this. I'm still not sure what the underlying cause is, but here is some of what I've discovered so far.
1. There has been a change in policykit-1 that sounds like it might be relevant. Namely:
[ Martin Pitt ] session- noninteractive modules for pkexec instead of user-session and being called from a service that runs outside the daemon' s
* Use PAM's common-
common-session. The latter also runs pam_systemd (the only difference
normally) which is a no-op under the classic session-centric
D-BUS/graphical login model (as it won't start a new one if it is already
running within a logind session), but very expensive when using
dbus-
PAM session. This causes long delays in e. g. gnome-settings-
backlight helpers. (LP: #1626651)
So if something is being run by pkexec, it is no longer executing pam_systemd.so. That module is responsible for registering with logind, setting up the user bus, etc.
So it seems possible that there is some code in the test suite that looked like it was running under an interactive user session on Xenial, but doesn't any more on Zesty.
2. The default policies for systemd1. manage- units haven't changed between versions. In both cases, it reads:
<action id="org. freedesktop. systemd1. manage- units">
<defaults>
<allow_ any>auth_ admin</ allow_any>
<allow_ inactive> auth_admin< /allow_ inactive>
<allow_ active> auth_admin_ keep</allow_ active>
</defaults>
</action>
So it is possible that the test works on previous versions by piggy backing off a previous authorisation via auth_admin_keep. If we look like a non-interactive invocation on Zesty, we may need authentication every time now.
3. Maybe we can bypass all of this by configuring the polkit local authority to allow the test process to manage units unconditionally. This would work for all versions irrespective of whether we look like an interactive session.
This would involve placing a policy file under /etc/polkit- 1/localauthorit y/50-local. d before running the tests.