Bug 922935

Summary: SELinux prevents ConsoleKit startup on F19 live image
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 19CC: dwalsh, jones.peter.busi
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-30 18:43:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 834085    

Description Adam Williamson 2013-03-18 19:57:39 UTC
I have no idea how CK got pulled into the F19 desktop live compose I just did, but disregarding that, CK fails to start if SELinux is enforcing:

Mar 18 15:53:42 localhost console-kit-daemon[1146]: console-kit-daemon[1146]: WARNING: Failed to acquire org.freedesktop.ConsoleKit: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.19" (uid=0 pid=596 comm="/bin/login --      ") interface="org.freedesktop.ConsoleKit.Manager" member="OpenSessionWithParameters" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=1146 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Mar 18 15:53:42 localhost console-kit-daemon[1146]: console-kit-daemon[1146]: WARNING: Could not acquire name; bailing out
Mar 18 15:53:42 localhost systemd[1]: Started Console Manager.
Mar 18 15:53:42 localhost systemd[1]: console-kit-daemon.service: main process exited, code=exited, status=1/FAILURE
Mar 18 15:53:42 localhost systemd[1]: Unit console-kit-daemon.service entered failed state
Mar 18 15:53:42 localhost console-kit-daemon[1146]: WARNING: Failed to acquire org.freedesktop.ConsoleKit: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.19" (uid=0 pid=596 comm="/bin/login --      ") interface="org.freedesktop.ConsoleKit.Manager" member="OpenSessionWithParameters" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=1146 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Mar 18 15:53:42 localhost console-kit-daemon[1146]: WARNING: Could not acquire name; bailing out

This is a clean F19 live image compose from current F19 repos.

Comment 1 Miroslav Grepl 2013-03-18 20:31:08 UTC
What does

# ausearch -m user_avc

Comment 2 Miroslav Grepl 2013-03-18 20:48:02 UTC
Ok, I think you see

type=USER_AVC msg=audit(1363549924.056:323): pid=632 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=667 tpid=1183 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


#============= local_login_t ==============
allow local_login_t initrc_t:dbus send_msg;

#============= xdm_t ==============
allow xdm_t initrc_t:dbus send_msg;


The problem is we removed consolekit policy in F19.

$ matchpathcon /usr/sbin/console-kit-daemon
/usr/sbin/console-kit-daemon	system_u:object_r:bin_t:s

Comment 3 Adam Williamson 2013-03-18 21:21:44 UTC
It shouldn't be dropped unless and until the CK package is actually killed.

[root@adam images]# repoquery --whatrequires ConsoleKit
ConsoleKit-docs-0:0.4.5-4.fc19.x86_64
ConsoleKit-x11-0:0.4.5-4.fc19.x86_64
cdm-0:0.5.3-9.fc19.noarch
lxsession-0:0.4.6.1-5.fc19.x86_64

Looks like we're down to LXDE and cdm now.

Comment 4 Daniel Walsh 2013-03-19 23:39:26 UTC
uggg, can we open bugs with these tools to get rid of the requirement.

Comment 5 Adam Williamson 2013-03-20 05:11:22 UTC
Last I checked, the 'submit bug' button worked, yes. :)

Comment 7 Adam Williamson 2013-04-09 21:49:22 UTC
I believe this bug prevents the LXDE live images from starting up correctly by default: try booting the LXDE live image from one of the Alpha TCs/RCs and all you get is a black screen. Actually booting with enforcing=0 doesn't succeed either, so I think there's another bug lurking behind this one for LXDM, but enforcing=0 does at least allow ConsoleKit startup to succeed, and I'm pretty sure we're going to need that for LXDM to work.

It seems like migrating LXDM off of CK isn't going to happen in the short term, so can we put the CK policy back in F19 at least for now? Thanks!

Nominating as a freeze exception bug as it's a blocker for the LXDE spin.

Comment 8 Peter H. Jones 2013-04-18 14:48:21 UTC
I have found a way to start LXDE Live Alpha FC19 with enforcing unchanged:

1. Boot normally
2. When system settles down, use CTRL-ALT-F2 to open a login screen.
3. Login as liveuser
4. Enter the command startx. LXDE starts normally.

Comment 9 Daniel Walsh 2013-04-18 20:47:21 UTC
Fixed in selinux-policy-3.12.1-33.fc19.noarch


Consolekit policy was added back.

Comment 10 Adam Williamson 2013-04-30 18:43:27 UTC
selinux-policy-3.12.1-34.fc19 went stable, so let's close this.