Bug 235062 - ConsoleKit session not active, so USB mounting / suspend fail
ConsoleKit session not active, so USB mounting / suspend fail
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-03 13:06 EDT by Will Woods
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-05 12:24:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Will Woods 2007-04-03 13:06:11 EDT
After installing ConsoleKit 0.2.1-0.git20070204.fc7 and hal-0.5.9-1.fc7, I
rebooted the system and logged in through GDM as normal. After logging in,
plugging in a USB key gives a 'org.freedesktop.Hal.PermissionDenied error:

Permission denied: Not in active session

ck-list-sessions says the following:

[wwoods@zebes ~]$ ck-list-sessions 
Session1:
        uid = '500'
        realname = 'Will Woods'
        seat = 'Seat1'
        session-type = ''
        active = FALSE
        x11-display = ':0'
        x11-display-device = '/dev/tty7'
        display-device = ''
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-04-03T16:47:12Z'

Note that active = FALSE. This also prevents suspend/resume from working properly.
Comment 1 David Zeuthen 2007-04-03 17:06:41 EDT
Looks related to 

 http://lists.freedesktop.org/archives/hal/2007-April/007946.html

Let me try and reproduce this...
Comment 2 David Zeuthen 2007-04-03 17:11:46 EDT
Can't reproduce this - what architecture is this on?
Comment 3 David Zeuthen 2007-04-03 17:12:51 EDT
Also, is this something you can reproduce? Are you complete up to date with Rawhide?
Comment 4 Will Woods 2007-04-03 17:19:52 EDT
Rawhide's up to date, I can reproduce it on either x86_64 or i386 (haven't tried
ppc).

I'm currently updating a fresh Test3 install to see if I can reproduce it there.
Comment 5 Will Woods 2007-04-03 17:57:11 EDT
Confirmed - a fresh f7t3 install on i386, updated to current (3 April) rawhide,
exhibits this behavior. No related messages seem to appear in /var/log/messages
or .xsession-errors. ck-list-sessions output is as above.

Sending a SIGUSR1 to console-kit-daemon (as mentioned in the link you supplied)
doesn't seem to do anything except kill it off, so that's not helpful. Is there
any other way to get logging info from console-kit-daemon?
Comment 6 David Zeuthen 2007-04-03 19:46:03 EDT
Do you have ConsoleKit-x11 installed?
Comment 7 David Zeuthen 2007-04-03 19:54:48 EDT
There's a git snapshot in RPM form here

 http://people.redhat.com/davidz/CK/

Please see if that fixes it. Thanks!
Comment 8 Will Woods 2007-04-04 11:02:47 EDT
ConsoleKit-x11 is installed. The git snapshot doesn't seem to help so far - I
installed it, went down to runlevel 3, restarted the ConsoleKit service, then
went back to runlevel 5. No luck. Then I rebooted and tried again. Still nothing.

I'm going to try installing today's rawhide updates and see if that helps any,
but I don't think the git snapshot's fixed the problem.
Comment 9 Thomas J. Baker 2007-04-04 11:06:13 EDT
I'm having the same problem. I just put selinux into permissive mode (after
seeing console-kit errors in the audit log while looking at another problem) and
it fixes this mounting problem. And I even relabel my system everytime I see an
selinux-policy-targeted rpm upgrade.
Comment 10 Will Woods 2007-04-04 11:43:41 EDT
Strange that there are no avc denials at all on my test machine. But yes, if I
setenforce 0 and restart ConsoleKit (and log out and log back in) then the USB
stick works again. I may need to fiddle with SELinux a bit to get more messages
out of it.
Comment 11 David Zeuthen 2007-04-04 12:11:59 EDT
Gah, I should have asked for you to try this in permissive mode, sorry.
Reassigning. Thanks.
Comment 12 Will Woods 2007-04-04 13:20:50 EDT
I tried turning on auditing of the ConsoleKit SELinux module; here are the only
related messages I found.

type=AVC msg=audit(1175706586.713:366): avc:  denied  { siginh } for  pid=27217
comm="pam_console_app" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1175706586.713:366): avc:  denied  { rlimitinh } for 
pid=27217 comm="pam_console_app"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1175706586.713:366): avc:  denied  { noatsecure } for 
pid=27217 comm="pam_console_app"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=process

Is it possible that pam_console_apply would mess up ConsoleKit?
Comment 13 Thomas J. Baker 2007-04-04 13:38:31 EDT
I was seeing stuff like this on one of my systems having the problem. The other
one didn't have any errors.

type=AVC msg=audit(1175700101.120:2328): avc:  denied  { setgid } for  pid=5758
comm="ck-collect-sess" capability=6 scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:system_r:consolekit_t:s0 tclass=capability

type=SYSCALL msg=audit(1175700101.120:2328): arch=40000003 syscall=214
success=yes exit=0 a0=64 a1=4b7fdff4 a2=ffffffc8 a3=9559008 items=0 ppid=5757
pid=5758 auid=4294967295 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
fsgid=100 tty=(none) comm="ck-collect-sess"
exe="/usr/libexec/ck-collect-session-info"
subj=system_u:system_r:consolekit_t:s0 key=(null)

type=AVC msg=audit(1175700101.120:2329): avc:  denied  { setuid } for  pid=5758
comm="ck-collect-sess" capability=7 scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:system_r:consolekit_t:s0 tclass=capability

type=SYSCALL msg=audit(1175700101.120:2329): arch=40000003 syscall=213
success=yes exit=0 a0=118a a1=4b7fdff4 a2=0 a3=9559008 items=0 ppid=5757
pid=5758 auid=4294967295 uid=4490 gid=100 euid=4490 suid=4490 fsuid=4490
egid=100 sgid=100 fsgid=100 tty=(none) comm="ck-collect-sess"
exe="/usr/libexec/ck-collect-session-info"
subj=system_u:system_r:consolekit_t:s0 key=(null)

type=AVC msg=audit(1175700101.620:2330): avc:  denied  { search } for  pid=5758
comm="ck-get-x11-serv" name="tmp" dev=dm-0 ino=557057
scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir

type=AVC msg=audit(1175700101.620:2330): avc:  denied  { search } for  pid=5758
comm="ck-get-x11-serv" name=".X11-unix" dev=dm-0 ino=632559
scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

type=AVC msg=audit(1175700101.620:2330): avc:  denied  { write } for  pid=5758
comm="ck-get-x11-serv" name="X0" dev=dm-0 ino=632732
scontext=system_u:system_r:consolekit_t:s0 tcontext=user_u:object_r:xdm_tmp_t:s0
tclass=sock_file

type=AVC msg=audit(1175700101.620:2330): avc:  denied  { connectto } for 
pid=5758 comm="ck-get-x11-serv" name="X0"
scontext=system_u:system_r:consolekit_t:s0
tcontext=user_u:system_r:xdm_xserver_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1175700101.620:2330): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bfb1a900 a2=4b9efb24 a3=13 items=0 ppid=5757 pid=5758
auid=4294967295 uid=4490 gid=100 euid=4490 suid=4490 fsuid=4490 egid=100
sgid=100 fsgid=100 tty=(none) comm="ck-get-x11-serv"
exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0
key=(null)

type=AVC msg=audit(1175700101.620:2331): avc:  denied  { search } for  pid=5758
comm="ck-get-x11-serv" name="/" dev=dm-1 ino=2
scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

type=AVC msg=audit(1175700101.620:2331): avc:  denied  { search } for  pid=5758
comm="ck-get-x11-serv" name="tjb" dev=dm-1 ino=8978433
scontext=system_u:system_r:consolekit_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

type=AVC msg=audit(1175700101.620:2331): avc:  denied  { read } for  pid=5758
comm="ck-get-x11-serv" name=".Xauthority" dev=dm-1 ino=8979852
scontext=system_u:system_r:consolekit_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1175700101.620:2331): arch=40000003 syscall=33
success=yes exit=0 a0=bfb1bfb4 a1=4 a2=4b8ee9b8 a3=bfb1bfb4 items=0 ppid=5757
pid=5758 auid=4294967295 uid=4490 gid=100 euid=4490 suid=4490 fsuid=4490
egid=100 sgid=100 fsgid=100 tty=(none) comm="ck-get-x11-serv"
exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0
key=(null)

type=AVC msg=audit(1175700101.620:2332): avc:  denied  { getattr } for  pid=5758
comm="ck-get-x11-serv" name=".Xauthority" dev=dm-1 ino=8979852
scontext=system_u:system_r:consolekit_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1175700101.620:2332): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bfb1a9dc a2=4b7fdff4 a3=9393630 items=0 ppid=5757
pid=5758 auid=4294967295 uid=4490 gid=100 euid=4490 suid=4490 fsuid=4490
egid=100 sgid=100 fsgid=100 tty=(none) comm="ck-get-x11-serv"
exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0
key=(null)

Comment 14 David Zeuthen 2007-04-04 13:52:10 EDT
(In reply to comment #12)
> Is it possible that pam_console_apply would mess up ConsoleKit?

Highly unlikely I'd say.
Comment 15 Daniel Walsh 2007-04-05 09:21:28 EDT
Fixed in selinux-policy-2.5.11-4.fc7
Comment 16 Will Woods 2007-04-05 12:24:16 EDT
Confirmed fixed in today's rawhide. Thanks!

Note You need to log in before you can comment on or make changes to this bug.