macOS assistive execution module fails on 10.12

[jfindlay]

Description of Issue/Question

The macOS assistive execution module fails on 10.12 because between 10.11 and 10.12, Apple added a readonly extended attribute (SIP) to the database's parent directory, effectively preventing any modifications to the inodes located within the directory.

# xattr "/Library/Application Support/com.apple.TCC/TCC.db"
# xattr "/Library/Application Support/com.apple.TCC"
com.apple.rootless

This appears to be an upstream bug with macOS as I have not found an alternative tool or method to update the settings. The tutorials (raymii.org, hints.macworld.com) and tools (tccutil.py) I have found all use sqlite against the database file in a way similar to the mac_assistive execution module.

Similar bugs:

• TCC.db protected by SIP in Sierra jacobsalmela/tccutil#18

Steps to Reproduce Issue

# salt-call --local -l debug assistive.install /usr/bin/osascript
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: jk-sierra-base.lehi.saltstack.net
[DEBUG   ] Configuration file path: /etc/salt/minion
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Please install 'virt-what' to improve results of the 'virtual' grain.
[DEBUG   ] Determining pillar cache
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] LazyLoaded assistive.install
[DEBUG   ] LazyLoaded cmd.run_all
[INFO    ] Executing command 'sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','/usr/bin/osascript',1,1,1,NULL,NULL)"' in directory '/var/root'
[ERROR   ] Command 'sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','/usr/bin/osascript',1,1,1,NULL,NULL)"' failed with return code: 8
[ERROR   ] stderr: Error: attempt to write a readonly database
[ERROR   ] retcode: 8
Traceback (most recent call last):
  File "/testing/salt/cli/caller.py", line 197, in call
    ret['return'] = func(*args, **kwargs)
  File "/testing/salt/modules/mac_assistive.py", line 73, in install
    raise CommandExecutionError('Error installing app: {0}'.format(comment))
CommandExecutionError: Error installing app: Error: attempt to write a readonly database
Error running 'assistive.install': Error installing app: Error: attempt to write a readonly database

Versions Report

# salt-call --versions
Salt Version:
           Salt: 2016.3.3-263-ge0baf4b

Dependency Versions:
           cffi: 1.5.0
       cherrypy: 4.0.0
       dateutil: 2.4.2
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: 1.5.0
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: 1.4.4
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.7
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.12 (default, Aug 24 2016, 14:05:14)
   python-gnupg: 0.3.8
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: 0.6.5
          smmap: 0.9.0
        timelib: 0.2.4
        Tornado: 4.3
            ZMQ: 4.1.2

System Versions:
           dist:
        machine: x86_64
        release: 16.0.0
         system: Darwin
        version: 10.12 x86_64

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.