Bug 229465 - cd mounting fails with org.freedesktop.Hal.PermissionDenied
Summary: cd mounting fails with org.freedesktop.Hal.PermissionDenied
Alias: None
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Zeuthen
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-21 11:35 UTC by David Nielsen
Modified: 2013-03-06 03:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-03-17 15:02:02 UTC
Type: ---

Attachments (Terms of Use)

Description David Nielsen 2007-02-21 11:35:30 UTC
Description of problem:
When inserting a CD I get the following error message:

Error: org.freedesktop.Hal.PermissionDenied
Permission denied: Not active in session

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. insert cd

Comment 1 David Zeuthen 2007-02-21 14:56:38 UTC
Let me guess? You're not logged in via gdm? Cuz if that's the case then please
close this as a dup of bug 228110 or one if it's dependents. Thanks.

Comment 2 David Nielsen 2007-02-21 15:59:50 UTC
I am logged in via GDM

Comment 3 David Zeuthen 2007-02-21 17:17:21 UTC
 - what are the versions of hal, gdm, ConsoleKit? Latest Rawhide?
 - from your session what is the value of $XDG_SESSION_COOKIE ?
 - is there a process of name 'console-kit-daemon' running?
 - as root, please paste the output of 'cat /var/lib/hal/acl-list'


Comment 4 David Nielsen 2007-02-21 17:27:41 UTC
This is the latest Development as of 20th of February 2007.


XDG_SESSION_COOKIE doesn't exist.

console-kit-daemon is running.

/var/lib/hal/acl-list is empty.

Comment 5 David Zeuthen 2007-02-21 17:45:19 UTC
Interesting - this suggests either ConsoleKit or gdm is buggy. You're logging in
on a local console right?

Comment 6 David Nielsen 2007-02-21 17:59:24 UTC
Absolutely my good man

Comment 7 David Zeuthen 2007-02-21 18:16:04 UTC
Is this a one-time thing that happened or can you reproduce it?

Comment 8 David Zeuthen 2007-02-21 18:17:48 UTC
Also, are you running in SELinux enforcing mode? If so, please try permissive
and note that the fix for bug 229159 still haven't hit rawhide...

Comment 9 David Nielsen 2007-02-21 18:29:19 UTC
SELinux is in enforcing mode, entirely as is the Fedora default. The issue
persists betweeen reboots.

Comment 10 David Zeuthen 2007-02-21 19:12:34 UTC
Sigh. As if I didn't know that enforcing mode is the Fedora default. Please
realize that the way SELinux currently works such issues like AVC denials will
crop up as long as the policy and source are kept in two different packages. For
more rants about this see bug 229159 (which was filed before the new hal package
was available in Rawhide). The good thing is that this might get resolved. 

Anyway, since I can't read your mind nor log into your box (and I wouldn't want
to do neither :-)), it would be useful if you actually answered the question in
comment 8. Does it work in permissive mode? Would also be bloody useful if you
mentioned whether there was AVC denials. Thanks.

Comment 11 David Nielsen 2007-02-21 19:50:31 UTC
David, please relax, I am working as fast as I can, you asked if I was running
SELinux and I told you I was running the default setup in that respect. 

It works when in permissive mode but under enforcing mode I saw no avc denials
which strikes me as odd. Could there be something preventing SELinux from
logging the denials?

Comment 12 David Nielsen 2007-02-21 19:57:11 UTC
Odd, they turn up now.. ah well I hope these are helpful.

type=AVC msg=audit(1172086964.904:16): avc:  denied  { setattr } for  pid=2843
comm="setfacl" name="adsp" dev=tmpfs ino=6237
tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
type=AVC msg=audit(1172086964.904:16): avc:  denied  { fowner } for  pid=2843
comm="setfacl" capability=3 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=AVC msg=audit(1172086964.906:17): avc:  denied  { setattr } for  pid=2843
comm="setfacl" name="scd0" dev=tmpfs ino=6447
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

Comment 13 David Zeuthen 2007-02-22 02:23:17 UTC
Is $XDG_SESSION_COOKIE set in permissive mode? Because if that one is not set it
means that gdm failed to register your session with ConsoleKit and then HAL will
deny any Mount() method attempt because it thinks you're not in an active session.

(The assignment of ACL's only happens when your session starts and is as such
unrelated to this bug as HAL allows you to mount non-withstanding you've got
access to the device file...)

Are there other AVC's in permissive mode from gdm or ConsoleKit?

Comment 14 David Nielsen 2007-02-22 10:02:36 UTC
the cookie is present in permissive mode. 

As for denials I get this one:
type=USER_AVC msg=audit(1172086964.846:14): user pid=2223 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager
member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=2815
tpid=2434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon"
(sauid=81, hostname=?, addr=?, terminal=?)'

Comment 15 Knut J BJuland 2007-03-17 13:05:25 UTC
GDM is unbale to set cookie even if consolekit is running.

Comment 16 David Nielsen 2007-03-17 15:02:02 UTC
This was fixed a while back, let's close this mother up

Note You need to log in before you can comment on or make changes to this bug.