Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Wrong permissions on /dev/dsp when starting KDE in runlevel 3|
|Product:||[Fedora] Fedora||Reporter:||Chuck Ebbert <cebbert>|
|Component:||xorg-x11-xinit||Assignee:||Søren Sandmann Pedersen <sandmann>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||davidz, kem, mattdm, nalin, tmraz, wtogami, xgl-maint|
|Fixed In Version:||1.0.7-2||Doc Type:||Bug Fix|
|Last Closed:||2007-10-12 14:34:48 EDT||Type:||---|
Description Chuck Ebbert 2007-09-12 12:18:58 EDT
Description of problem:
KDE Sound Server can't start, reports "access denied" attempting to write to /dev/dsp. Looking at ACLs before starting KDE, "user:cebbert:rw-" is there, but in a terminal session inside KDE that permission is gone. And changing permissions to add "other::rw-" doesn't work because it gets changed to "other::r--". The only workaround is to chown the device file to the logged-in user before starting KDE. (/etc/sysconfig/desktop has DISPLAYMANAGER="KDE")

Version-Release number of selected component (if applicable):
0.2.1-4.fc8

How reproducible:
Every time.

Steps to Reproduce:
1. boot in runlevel 3
2. start KDE with the startx command
Comment 1 Matthias Clasen 2007-09-14 19:27:08 EDT
We really shouldn't have 50 supported ways to start a session...
Comment 2 Chuck Ebbert 2007-09-17 10:06:16 EDT
(In reply to comment #1)
> We really shouldn't have 50 supported ways to start a session...

Huh? startx is now unsupported? I'm switching to Ubuntu :)
Comment 3 David Zeuthen 2007-09-18 15:33:27 EDT
startx is indeed supported and, as a matter of fact, works fine for me using GNOME. What is the output of

1. ck-list-sessions (both in the VC before startx and in a terminal window)
2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng

Thanks.
Comment 4 Chuck Ebbert 2007-09-18 19:39:25 EDT
> What is the output of
>
> 1. ck-list-sessions (both in the VC before startx and in a terminal window)

On console before startx:

Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:08:27Z'

In Konsole:

Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:08:27Z'

> 2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng

xorg-x11-xinit-1.0.2-27.fc8
ConsoleKit-libs-0.2.1-4.fc8
util-linux-ng-2.13-1.fc8

With ConsoleKit 0.2.2-1, the text console shows *no* sessions, and an xterm shows:

Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = 'xinit'
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:34:12Z'
    idle-since-hint = '2007-09-18T23:34:42Z'

(/dev/dsp is not writable by the logged-on user using the updated ConsoleKit either.)
Comment 5 David Zeuthen 2007-09-19 10:06:27 EDT
There was a bug in ConsoleKit 0.2.2; can you try with 0.2.3? Thanks.
Comment 6 Chuck Ebbert 2007-09-19 11:44:23 EDT
Still doesn't work with 0.2.3-1:

Text console:

Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:37:33Z'

xterm:

Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:37:33Z'
    idle-since-hint = '2007-09-19T15:38:36Z'
Session2:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = 'xinit'
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:38:22Z'
    idle-since-hint = '2007-09-19T15:38:52Z'
Comment 7 David Zeuthen 2007-09-19 14:29:51 EDT
Are you running uptodate packages and the Rawhide kernel? Please try with that; I cannot reproduce this bug at all...
Comment 8 Chuck Ebbert 2007-09-19 16:59:56 EDT
Created attachment 200071
/var/lib/hal/acl-list
Comment 9 Chuck Ebbert 2007-09-19 17:01:19 EDT
Still happens in the latest rawhide. I can see the audit trail: hald-runner is spawning the setfacl command and removing the logged-in user's rights to 12 devices when KDE starts. It is getting the list of device names from /var/lib/hal/acl-list.
Comment 10 David Zeuthen 2007-09-19 17:03:26 EDT
Oh. Are you running in enforcing mode? Please try permissive instead.
Comment 11 Chuck Ebbert 2007-09-19 17:17:23 EDT
Works in permissive mode: /dev/dsp has ACL "user:cebbert:rw-" when X is running.
Comment 12 David Zeuthen 2007-09-19 18:29:41 EDT
Gah. Reassigning to SELinux then. I don't mean to rant but I spend way too much time on bugs that only occur in SELinux enforcing mode. It is simply a waste of time to do development this way; policy and file labels _need_ to be handled in a decentralized way.
Comment 13 Daniel Walsh 2007-09-21 14:07:59 EDT
Who is creating /dev/dsp? It is being created with the wrong context. restorecon /dev/dsp will fix it. Whatever app is creating it needs to add this to the mknod line, or better yet use udev to create it.
Comment 14 David Zeuthen 2007-09-21 14:19:35 EDT
(In reply to comment #13)
> Who is creating /dev/dsp?

udev is

$ udevinfo --query path --name=/dev/dsp
/class/sound/dsp

> It is being created with the wrong context.

Sounds fishy; on my system it's fine

$ ls -lZ /dev/dsp
crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp

Chuck?
Comment 15 Chuck Ebbert 2007-09-21 14:43:27 EDT
(In reply to comment #14)
> Sounds fishy; on my system it's fine
>
> $ ls -lZ /dev/dsp
> crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp

That's what I have.
Comment 16 Daniel Walsh 2007-09-21 16:10:00 EDT
What avc messages are you seeing in /var/log/audit/audit.log? or /var/log/messages?
Comment 17 Chuck Ebbert 2007-09-21 16:27:04 EDT
time->Fri Sep 21 16:20:13 2007
type=PATH msg=audit(1190406013.817:58): item=0 name="/dev/dsp" inode=5502 dev=00:10 mode=020660 ouid=0 ogid=0 rdev=0e:03 obj=system_u:object_r:sound_device_t:s0
type=CWD msg=audit(1190406013.817:58): cwd="/home/cebbert"
type=SYSCALL msg=audit(1190406013.817:58): arch=c000003e syscall=2 success=no exit=-13 a0=63e968 a1=801 a2=0 a3=0 items=1 ppid=3065 pid=3094 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) comm="artsd" exe="/usr/bin/artsd" subj=system_u:system_r:unconfined_t:s0 key=(null)
Comment 18 Daniel Walsh 2007-09-22 07:33:07 EDT
Those are not avc messages. type=AVC
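
The distinction drawn in comments 17 and 18 can be checked mechanically. The following is an added example, not part of the thread or of any project discussed in it: it groups audit records by event serial, reports whether the event contains a type=AVC record, and decodes the failed syscall. The input is the event from comment 17; the function names are this example's own.

```python
import errno
import re
from collections import defaultdict

# Input copied from comment 17, one audit record per line.
SAMPLE = """\
type=PATH msg=audit(1190406013.817:58): item=0 name="/dev/dsp" inode=5502 dev=00:10 mode=020660 ouid=0 ogid=0 rdev=0e:03 obj=system_u:object_r:sound_device_t:s0
type=CWD msg=audit(1190406013.817:58): cwd="/home/cebbert"
type=SYSCALL msg=audit(1190406013.817:58): arch=c000003e syscall=2 success=no exit=-13 a0=63e968 a1=801 a2=0 a3=0 items=1 ppid=3065 pid=3094 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) comm="artsd" exe="/usr/bin/artsd" subj=system_u:system_r:unconfined_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}  # low two bits of open(2) flags


def group_events(text):
    """Group records by event serial; records sharing a serial describe one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events[int(serial)].append((rtype, fields))
    return dict(events)


def triage(records):
    """Summarise one event and say whether SELinux logged a denial (type=AVC) for it."""
    types = [rtype for rtype, _ in records]
    out = {"types": types, "has_avc": "AVC" in types}
    for rtype, f in records:
        if rtype == "SYSCALL":
            code = int(f["exit"])
            out["comm"] = f["comm"]
            out["errno"] = errno.errorcode.get(-code) if code < 0 else None
            # On x86_64 (arch=c000003e) syscall 2 is open(2); a1 is its flags in hex.
            if f["arch"] == "c000003e" and f["syscall"] == "2":
                out["open_mode"] = ACCMODE.get(int(f["a1"], 16) & 3)
        elif rtype == "PATH":
            out["path"] = f["name"]
            out["perm"] = f["mode"][-4:]  # mode is octal; last four digits are permission bits
    return out


if __name__ == "__main__":
    for serial, records in group_events(SAMPLE).items():
        print(serial, triage(records))
```

An event that ends in EACCES but carries no AVC record was not logged as an SELinux denial, so the file's mode bits and ACL are the next thing to check. A dontaudit rule in policy can also suppress the AVC record, so its absence alone does not clear SELinux.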
Comment 19 Nalin Dahyabhai 2007-09-24 12:55:27 EDT
David, am I right in thinking that the ck-list-sessions output from the second run in comment #6 is supposed to list at least one of the sessions as active?
Comment 20 Daniel Walsh 2007-10-09 15:50:49 EDT
After some more investigation the problem is that consolekit is not allowed to read the ~/.Xauthority record, in some cases. This is sometimes prevented by SELinux, but can also be prevented in the case of nfs home directories with no_root_squash set, or Kerberized NFS or AFS Home dirs. So we can change policy to allow consolekit to read home dirs in selinux policy but this is not the best solution, or even a good one. Consolekit should be able to talk to the xserver via xhost because of the following command

xhost
access control enabled, only authorized clients can connect
SI:localuser:dwalsh
Comment 21 Nalin Dahyabhai 2007-10-09 18:09:02 EDT
Created attachment 221981
suggested yet another wrapper program for the user's session
Comment 22 Nalin Dahyabhai 2007-10-09 18:14:48 EDT
Created attachment 221991
suggested patch to make xinitrc use the wrapper

I think this'll do the right thing.
Comment 23 David Zeuthen 2007-10-10 11:09:19 EDT
(Moving bug to xinit since that's where we need to do the changes.)
Comment 24 Nalin Dahyabhai 2007-10-12 14:34:48 EDT
Building into 1.0.7-2; marking as fixed in Raw Hide because this fixes it for me. Please reopen if you continue to see problems with this (if you're using SELinux, you may also need to update policy to 3.0.8-21 or newer).