Bug 230155 - Sleep fails with permission denied
Sleep fails with permission denied
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
: 230240 (view as bug list)
Depends On:
Blocks: FC7Blocker
  Show dependency treegraph
 
Reported: 2007-02-26 16:52 EST by Karl MacMillan
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-01 12:48:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Karl MacMillan 2007-02-26 16:52:08 EST
Description of problem:

Laptop will no longer sleep from gnome-power-manager. An error pops up over the
power manager icon in the panel and the following error appears in the log:

Feb 26 16:45:21 localhost gnome-power-manager: (kmacmill) Suspending computer
because the suspend button has been pressed
Feb 26 16:45:21 localhost gnome-power-manager: (kmacmill) Permission denied: Not
in active session code='30' quark='g-exec-error-quark'

Sleep (suspend to memory) has worked perfectly on this laptop for a while (ibm
t43p). This does not seem to be an selinux problem (no denials that I saw).

Version-Release number of selected component (if applicable):

gnome-power-manager-2.17.91-1.fc7

How reproducible:

Sleep laptop using function key on keyboard. Error happens every time.
Comment 1 David Zeuthen 2007-02-26 17:16:48 EST
Are you logging in via gdm? If no, please close as dupe of bug 228110.
Comment 2 Karl MacMillan 2007-02-26 17:25:40 EST
Yes, I'm logged in via gdm.
Comment 3 David Zeuthen 2007-02-26 17:47:38 EST
Please try this in permissive mode. I was just going through the same thing with
dwalsh... Thanks.
Comment 4 Karl MacMillan 2007-02-26 18:00:37 EST
Permissive doesn't help.
Comment 5 Daniel Walsh 2007-02-27 11:56:43 EST
I have been working on this today and now have $XDG_SESSION_COOKIE showing up,
with an updated policy.  But still getting error on sleep.

Feb 27 11:54:41 redsox gnome-power-manager: (dwalsh) Suspending computer because
the lid has been closed, and the ac adapter removed (and gconf is okay)
Feb 27 11:54:41 redsox gnome-power-manager: (dwalsh) Permission denied: Not in
active session code='30' quark='g-exec-error-quark'
Feb 27 11:54:41 redsox gnome-power-manager: (dwalsh) Resuming computer
Feb 27 11:54:41 redsox gnome-power-manager: (dwalsh) suspend failed

No avc messages
Comment 6 David Zeuthen 2007-02-27 12:06:04 EST
Mmm.. can you run hald with 

 # hald --daemon=no --verbose=yes

There's a ton of debug output. Then kill g-p-m and start g-p-m again. I'm
interested in the output after you make g-p-m call Suspend() on HAL. What
happens is this

 1. g-p-m connects to the system bus
 2. when it calls into HAL we get the pid/uid from D-Bus
 3. given the pid, HAL asks ConsoleKit, via GetSessionFromUnixProcess() (see
http://fedoraproject.org/wiki/Desktop/FastUserSwitching for details) about the
desktop session
 4. HAL caches the pid/uid/session and tracks whether that session is active
 5. when g-p-m calls Suspend() we look up the cached information

Because of the caching going on, I need g-p-m to be restarted. Thanks.

Comment 7 David Zeuthen 2007-02-27 13:23:56 EST
*** Bug 230240 has been marked as a duplicate of this bug. ***
Comment 8 Will Woods 2007-02-27 13:40:09 EST
I've got the same problem on a T43; here's the hald output you requested.

13:37:23.834 [W] hald_dbus.c:1078: Error doing GetSessionForUnixProcess on
ConsoleKit: org.freedesktop.DBus.GLib.UnmappedError.CkManagerError.Code0: Unable
to lookup session information for process '4138'
13:37:23.834 [I] hald_dbus.c:4073: Caller :1.32 (uid 500, pid 4138) for
interface org.freedesktop.Hal.Device.CPUFreq on add-on method SetCPUFreqGovernor
for /org/freedesktop/Hal/devices/computer is not in any session; refusing service
13:37:23.834 [W] hald_dbus.c:96: Permission denied: Not in active session
13:37:23.835 [I] hald_dbus.c:4073: Caller :1.32 (uid 500, pid 4138) for
interface org.freedesktop.Hal.Device.CPUFreq on add-on method GetCPUFreqGovernor
for /org/freedesktop/Hal/devices/computer is not in any session; refusing service
13:37:23.836 [W] hald_dbus.c:96: Permission denied: Not in active session
13:37:23.837 [I] hald_dbus.c:4073: Caller :1.32 (uid 500, pid 4138) for
interface org.freedesktop.Hal.Device.CPUFreq on add-on method GetCPUFreqGovernor
for /org/freedesktop/Hal/devices/computer is not in any session; refusing service
13:37:23.837 [W] hald_dbus.c:96: Permission denied: Not in active session
13:37:23.838 [I] hald_dbus.c:4073: Caller :1.32 (uid 500, pid 4138) for
interface org.freedesktop.Hal.Device.CPUFreq on add-on method
SetCPUFreqPerformance for /org/freedesktop/Hal/devices/computer is not in any
session; refusing service
13:37:23.838 [W] hald_dbus.c:96: Permission denied: Not in active session
13:37:24.050 [I] hald_dbus.c:4151: OK for method 'SetPowerSave' with signature
'b' on interface 'org.freedesktop.Hal.Device.SystemPowerManagement' for UDI
'/org/freedesktop/Hal/devices/computer' and execpath
'hal-system-power-set-power-save'
13:37:24.050 [I] hald_dbus.c:3310: Caller :1.32 (uid 500, pid 4138) for
interface org.freedesktop.Hal.Device.SystemPowerManagement on exec'ed method
SetPowerSave for /org/freedesktop/Hal/devices/computer is not in any session;
refusing service
13:37:24.050 [W] hald_dbus.c:96: Permission denied: Not in active session
13:37:24.377 [W] hald_dbus.c:96: No property battery.remaining_time on device
with id /org/freedesktop/Hal/devices/acpi_BAT0
13:37:24.383 [W] hald_dbus.c:96: No property info.vendor on device with id
/org/freedesktop/Hal/devices/acpi_BAT0
13:37:24.397 [W] hald_dbus.c:96: No property info.is_recalled on device with id
/org/freedesktop/Hal/devices/acpi_BAT0
Comment 9 David Zeuthen 2007-02-27 13:58:18 EST
Probably the problem is that you need to allow ConsoleKit to look in
/proc/<pic>/environ for the pid that HAL is passing. That's what
XDG_SESSION_COOKIE is just for...
Comment 10 Will Woods 2007-02-27 14:32:43 EST
Ah, I think I confused part of the problem.

My /proc/$(pidof gnome-power-manager)/environ did not contain
XDG_SESSION_COOKIE, until I turned SELinux to Permissive and logged back in.
Then suspend worked OK.

With SELinux set to enforcing, I get the following message in audit.log *at
login* (not at sleep time):

type=USER_AVC msg=audit(1172603954.457:157): user pid=1846 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=
method_call interface=org.freedesktop.ConsoleKit.Manager
member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=2492
tpid=2068 scontext=system_u:system_
r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

So that's probably the SELinux problem that dwalsh has apparently solved above.
It didn't show up in dmesg or setroubleshoot so I assumed this was a different
problem. Sorry for any confusion.
Comment 11 Matthias Clasen 2007-04-01 11:45:49 EDT
David, whats the status of this ?
Comment 12 David Zeuthen 2007-04-01 12:47:44 EDT
It's a SELinux bug (which I think is fixed as it works for me on fresh
installs), so reassigning.. 
Comment 13 David Zeuthen 2007-04-01 12:48:59 EDT
... and also closing! (since it's working for me on a fresh T3 install). Feel
free to reopen if this still doesn't work.

Note You need to log in before you can comment on or make changes to this bug.