Bug 571758
| Summary: | sealert org.freedesktop.DBus.Error.AccessDenied: ? | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jóhann B. Guðmundsson <johannbg> | ||||||
| Component: | lxdm | Assignee: | Christoph Wickert <christoph.wickert> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 13 | CC: | christoph.wickert, davidz, dwalsh, mgrepl, walters | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | lxdm-0.2.0-4.fc12 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2010-04-20 13:04:16 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Jóhann B. Guðmundsson
2010-03-09 12:33:26 UTC
Looks like a problem with setroubleshoot to me. David, do you have any idea what is wrong with setroublshoot then? (In reply to comment #2) > David, do you have any idea what is wrong with setroublshoot then? It looks like you are not allowing access to the D-Bus interface org.freedesktop.DBus.Introspectable. Previously this access was granted by default but IIRC someone decided that behavior was too promiscuous. So you need to explicitly grant access now, see e.g. /etc/dbus-1/system.d/org.freedesktop.UDisks.conf for details. Created attachment 399091 [details]
Replacement dbus confi.
Johann
Could you copy the attached file to /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
And see if this fixes the problem.
Did not change anything and actually after a fresh reboot test the filed caused dbus to fail ( and everything that depends on it ) with all kinds of weirdness so I cat >> your file into the original one and even removed the deny entry's still nothing :/
I also allowed for org.fedoraproject.SetroubleshootdIface and even added those entry's also to "at_console" still nothing.
I'm wondering if we are adding this to the right file?
Looking at several files that have the Introspectable entry it should not be more pain in the ass other than adding
<policy context="default">
<allow send_destination="org.fedoraproject.Setroubleshootd>
send_interface="org.freedesktop.DBus.Introspectable"/>
</policy>
This stuff should just automatically deny all so you only have to add allow entry's in the conf files and it's also a bit wierd that you cant define send_interfaces that go to the same send_destination like..
<policy context="pony"/>
<allow send_destination="bla"
send_interface="bla-one"
send_interface="bla-two"
send_interface="bla-three"/>
</policy>
Unless you actually can and everyone got it wrong but then again there must be some good reason for doing this, this way..
Did adding
<policy context="default">
<allow send_destination="org.fedoraproject.Setroubleshootd>
send_interface="org.freedesktop.DBus.Introspectable"/>
</policy>
And removing the deny work?
I am not seeing the problem here
Nope. See attached file for full dbus selinux issues. Created attachment 399400 [details]
Selinux dbus errors
Is this caused because consolekit does not say you are at the console. What version of setroubleshoot are you using? Installed version is 2.2.64-1 Perhaps this is something related to the F13 LXDE spin only. What spin are you using that this does not happen on? ConsoleKit-0.4.1-5 is installed setools-console was not installed. Installed it to no prevail ( dbus errors still present ) sealert -l <alert> works if you execute the command from cli on tty2 however it does not work if you run it from LXDE terminal. Note that as of F13 LXDE uses it's own login manager now instead of gdm or kdm Does /var/run/console have any files in it? It should have a file with your username. I am not using LXDE. I am using gnome/gdm. I am questioning whether the system thinks you are not logged into the console. That is why it will not allow sealert to send messages to setroubleshoot. Since the dbus rules say you must be on the console to do this. What does ck-list-sessions return when you are logged into LXDE? /var/run/console does not have any files in it after login.... [root@localhost ~]#ls -alhZ /var/run/console drwxr-xr-x. root root system_u:object_r:pam_var_console_t:s0 . drwxr-xr-x. root root system_u:object_r:var_run_t:s0 .. Output from ck-list-sessions [root@localhost ~]#ck-list-sessions Session1: unix-user = '500' realname = 'Jóhann B. Guðmundsson' seat = 'Seat1' session-type = '' active = FALSE x11-display = ':0' x11-display-device = '/dev/tty1' display-device = '/dev/tty1' remote-host-name = '' is-local = TRUE on-since = '2010-03-12T08:49:33.157980Z' login-session-id = '' Session2: unix-user = '0' realname = 'root' seat = 'Seat1' session-type = '' active = TRUE x11-display = '' x11-display-device = '' display-device = '/dev/tty2' remote-host-name = '' is-local = TRUE on-since = '2010-03-12T08:49:47.662879Z' login-session-id = '1' Which I believe means consolekit thinks you are not logged into the console. (In reply to comment #16) > [root@localhost ~]#ck-list-sessions I asked for the output of ck-list-sessions when *you* are logget *into LXDE*, but you are running the command as root in a vt. Logged into LXDE as user it should look like this: Session2: unix-user = '500' realname = 'Christoph Wickert' seat = 'Seat1' session-type = '' active = TRUE x11-display = ':0' x11-display-device = '/dev/tty1' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2010-03-15T15:00:50.138251Z' login-session-id = '1' (In reply to comment #17) > Which I believe means consolekit thinks you are not logged into the console. What makes you think so? Looks similar to me (except of the active/inactive thins but this is because Jóhann was working as root on the console) and I don't have any problems. @Christoph Not sure how that's relevant but definitely my bad and here is the output from within lxde [johannbg@valhalla ~]$ck-list-sessions Session1: unix-user = '500' realname = 'Jóhann B. Guðmundsson' seat = 'Seat1' session-type = '' active = TRUE x11-display = ':0' x11-display-device = '/dev/tty1' display-device = '/dev/tty1' remote-host-name = '' is-local = TRUE on-since = '2010-03-15T17:06:34.109563Z' login-session-id = '' Thanks a lot. Except of login-session-id this is just what I see but I don't have any problems here on F12. Can you boot with enforcing=0 to see if this is a selinux issue? Did not change anything. Dbus is still complaining. I also did a fresh LXDE ( lxde-x86_64-20100322.18.iso ) install on a VM to rule out any potential fuckup I could have made and the error is present there as well. Daniel mentioned in comment 13 that there should be a file with the user username in /var/run/console which is missing so it looks like LXDM does not create it @ login ( That is if it is LXDM that's supposed to create it ). According to http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.html Graphical Login Manager In addition to the requirements for the Text Graphical Login Manager, this pattern is typically used to show information about currently open sessions. It needs: 1. To determine which Seat it is running on. 2. To know if the current seat supports session switching. 3. A list of all sessions on the current Seat. 4. To know which session is active for the current Seat. 5. To know when the session active state changes. 6. To know when sessions are added or removed. 7. Access to the metadata for any open Session. You might wanna ping "dgod" to see if LXDM supports the dbus stuff.. And by dbus I mean consolekit/dbus.. Should be fine in the latest version, please test. lxdm-0.2.0-0.1.20100405gitd65ce94.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.1.20100405gitd65ce94.fc13 lxdm-0.2.0-0.1.20100405gitd65ce94.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.1.20100405gitd65ce94.fc12 Confirmed that lxdm-0.2.0-0.1.20100405gitd65ce94.fc13 fixes this and a whole bunch of other stuff ( opening terminal then running su does not take forever abrt has started working.. etc ) Note that selinux-policy might needed to be updated for this update.. ( had to setenforce 0 to be able to login ) and login out and back in does not work. The SELinux problems are suppose to be fixed at least twice now, at least I was promised. However I see two alerts left. See bug 564320 for more info. Please add your alerts there. lxdm-0.2.0-0.2.20100405gitd65ce94.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc13 lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 lxdm-0.2.0-0.3.20100405gitd65ce94.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. lxdm-0.2.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |