Bug 922935
| Summary: | SELinux prevents ConsoleKit startup on F19 live image | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dwalsh, jones.peter.busi |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-04-30 18:43:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 834085 | ||
|
Description
Adam Williamson
2013-03-18 19:57:39 UTC
What does # ausearch -m user_avc Ok, I think you see
type=USER_AVC msg=audit(1363549924.056:323): pid=632 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=667 tpid=1183 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
#============= local_login_t ==============
allow local_login_t initrc_t:dbus send_msg;
#============= xdm_t ==============
allow xdm_t initrc_t:dbus send_msg;
The problem is we removed consolekit policy in F19.
$ matchpathcon /usr/sbin/console-kit-daemon
/usr/sbin/console-kit-daemon system_u:object_r:bin_t:s
It shouldn't be dropped unless and until the CK package is actually killed. [root@adam images]# repoquery --whatrequires ConsoleKit ConsoleKit-docs-0:0.4.5-4.fc19.x86_64 ConsoleKit-x11-0:0.4.5-4.fc19.x86_64 cdm-0:0.5.3-9.fc19.noarch lxsession-0:0.4.6.1-5.fc19.x86_64 Looks like we're down to LXDE and cdm now. uggg, can we open bugs with these tools to get rid of the requirement. Last I checked, the 'submit bug' button worked, yes. :) https://bugzilla.redhat.com/show_bug.cgi?id=923821 https://bugzilla.redhat.com/show_bug.cgi?id=923823 Makes Adam happy. :^) I believe this bug prevents the LXDE live images from starting up correctly by default: try booting the LXDE live image from one of the Alpha TCs/RCs and all you get is a black screen. Actually booting with enforcing=0 doesn't succeed either, so I think there's another bug lurking behind this one for LXDM, but enforcing=0 does at least allow ConsoleKit startup to succeed, and I'm pretty sure we're going to need that for LXDM to work. It seems like migrating LXDM off of CK isn't going to happen in the short term, so can we put the CK policy back in F19 at least for now? Thanks! Nominating as a freeze exception bug as it's a blocker for the LXDE spin. I have found a way to start LXDE Live Alpha FC19 with enforcing unchanged: 1. Boot normally 2. When system settles down, use CTRL-ALT-F2 to open a login screen. 3. Login as liveuser 4. Enter the command startx. LXDE starts normally. Fixed in selinux-policy-3.12.1-33.fc19.noarch Consolekit policy was added back. selinux-policy-3.12.1-34.fc19 went stable, so let's close this. |