Bug 229465 - cd mounting fails with org.freedesktop.Hal.PermissionDenied
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: rawhide
Hardware: x86_64 Linux
Priority: medium, Severity: high
Assigned To: David Zeuthen
Reported: 2007-02-21 06:35 EST by David Nielsen
Modified: 2013-03-05 22:49 EST
Doc Type: Bug Fix
Last Closed: 2007-03-17 11:02:02 EDT
Description David Nielsen 2007-02-21 06:35:30 EST
Description of problem:
When inserting a CD I get the following error message:

Error: org.freedesktop.Hal.PermissionDenied
Permission denied: Not active in session

Version-Release number of selected component (if applicable):
hal-0.5.9-0.git20070218.fc7

How reproducible:
100%

Steps to Reproduce:
1. insert cd
Comment 1 David Zeuthen 2007-02-21 09:56:38 EST
Let me guess? You're not logged in via gdm? Cuz if that's the case then please
close this as a dup of bug 228110 or one of its dependents. Thanks.
Comment 2 David Nielsen 2007-02-21 10:59:50 EST
I am logged in via GDM
Comment 3 David Zeuthen 2007-02-21 12:17:21 EST
 - what are the versions of hal, gdm, ConsoleKit? Latest Rawhide?
 - from your session what is the value of $XDG_SESSION_COOKIE ?
 - is there a process of name 'console-kit-daemon' running?
 - as root, please paste the output of 'cat /var/lib/hal/acl-list'

Thanks.
Comment 4 David Nielsen 2007-02-21 12:27:41 EST
This is the latest Development as of 20th of February 2007.

hal-0.5.9-0.git20070218.fc7
gdm-2.17.6-4.fc7
ConsoleKit-0.1.0-5.fc7

XDG_SESSION_COOKIE doesn't exist.

console-kit-daemon is running.

/var/lib/hal/acl-list is empty.
Comment 5 David Zeuthen 2007-02-21 12:45:19 EST
Interesting - this suggests either ConsoleKit or gdm is buggy. You're logging in
on a local console right?
Comment 6 David Nielsen 2007-02-21 12:59:24 EST
Absolutely my good man
Comment 7 David Zeuthen 2007-02-21 13:16:04 EST
Is this a one-time thing that happened or can you reproduce it?
Comment 8 David Zeuthen 2007-02-21 13:17:48 EST
Also, are you running in SELinux enforcing mode? If so, please try permissive
and note that the fix for bug 229159 still hasn't hit rawhide...
Comment 9 David Nielsen 2007-02-21 13:29:19 EST
SELinux is in enforcing mode, entirely as is the Fedora default. The issue
persists between reboots.
Comment 10 David Zeuthen 2007-02-21 14:12:34 EST
Sigh. As if I didn't know that enforcing mode is the Fedora default. Please
realize that the way SELinux currently works such issues like AVC denials will
crop up as long as the policy and source are kept in two different packages. For
more rants about this see bug 229159 (which was filed before the new hal package
was available in Rawhide). The good thing is that this might get resolved. 

Anyway, since I can't read your mind nor log into your box (and I wouldn't want
to do neither :-)), it would be useful if you actually answered the question in
comment 8. Does it work in permissive mode? Would also be bloody useful if you
mentioned whether there were AVC denials. Thanks.
Comment 11 David Nielsen 2007-02-21 14:50:31 EST
David, please relax, I am working as fast as I can, you asked if I was running
SELinux and I told you I was running the default setup in that respect. 

It works when in permissive mode but under enforcing mode I saw no avc denials
which strikes me as odd. Could there be something preventing SELinux from
logging the denials?
Comment 12 David Nielsen 2007-02-21 14:57:11 EST
Odd, they turn up now.. ah well I hope these are helpful.

type=AVC msg=audit(1172086964.904:16): avc:  denied  { setattr } for  pid=2843 comm="setfacl" name="adsp" dev=tmpfs ino=6237 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
type=AVC msg=audit(1172086964.904:16): avc:  denied  { fowner } for  pid=2843 comm="setfacl" capability=3 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=AVC msg=audit(1172086964.906:17): avc:  denied  { setattr } for  pid=2843 comm="setfacl" name="scd0" dev=tmpfs ino=6447 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
Comment 13 David Zeuthen 2007-02-21 21:23:17 EST
Is $XDG_SESSION_COOKIE set in permissive mode? Because if that one is not set it
means that gdm failed to register your session with ConsoleKit and then HAL will
deny any Mount() method attempt because it thinks you're not in an active session.

(The assignment of ACL's only happens when your session starts and is as such
unrelated to this bug as HAL allows you to mount notwithstanding you've got
access to the device file...)

Are there other AVC's in permissive mode from gdm or ConsoleKit?
Comment 14 David Nielsen 2007-02-22 05:02:36 EST
The cookie is present in permissive mode.

As for denials I get this one:
type=USER_AVC msg=audit(1172086964.846:14): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=2815 tpid=2434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
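
Added example (not part of the original bug thread or of any project's code): a small parser that groups the audit records posted in comments 12 and 14 by source domain, target type and class, and flags the denied D-Bus call to ConsoleKit that matches the missing session cookie discussed in comment 13. The records are copied from this page with line wraps rejoined; the function names are illustrative.

```python
import re
from collections import defaultdict

# Audit records copied from comments 12 and 14 of this bug (line wraps rejoined).
SAMPLE = """\
type=AVC msg=audit(1172086964.904:16): avc:  denied  { setattr } for  pid=2843 comm="setfacl" name="adsp" dev=tmpfs ino=6237 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
type=AVC msg=audit(1172086964.904:16): avc:  denied  { fowner } for  pid=2843 comm="setfacl" capability=3 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=AVC msg=audit(1172086964.906:17): avc:  denied  { setattr } for  pid=2843 comm="setfacl" name="scd0" dev=tmpfs ino=6447 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=USER_AVC msg=audit(1172086964.846:14): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=2815 tpid=2434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_denials(text):
    """Return one dict per AVC/USER_AVC denial found in text."""
    out = []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
        if "scontext" not in f or "tcontext" not in f:
            continue  # truncated record, nothing reliable to report
        out.append({
            "perms": m.group("perms").split(),
            "source": f["scontext"].split(":")[2],  # type field of user:role:type:level
            "target": f["tcontext"].split(":")[2],
            "tclass": f.get("tclass", "?"),
            "comm": f.get("comm"),
            "dbus_member": f.get("member"),
        })
    return out

def summarize(denials):
    """Group denied permissions by (source domain, target type, class)."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def session_registration_blocked(denials):
    """True if a D-Bus call to ConsoleKit's OpenSessionWithParameters was denied."""
    return any(d["tclass"] == "dbus" and "send_msg" in d["perms"]
               and d["dbus_member"] == "OpenSessionWithParameters" for d in denials)
```
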
Comment 15 Knut J BJuland 2007-03-17 09:05:25 EDT
GDM is unable to set cookie even if ConsoleKit is running.
Comment 16 David Nielsen 2007-03-17 11:02:02 EDT
This was fixed a while back, let's close this mother up
