Bug 287941 - Wrong permissions on /dev/dsp when starting KDE in runlevel 3
Wrong permissions on /dev/dsp when starting KDE in runlevel 3
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xorg-x11-xinit (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Søren Sandmann Pedersen
Fedora Extras Quality Assurance
:
Depends On:
Blocks: F8Target
  Show dependency treegraph
 
Reported: 2007-09-12 12:18 EDT by Chuck Ebbert
Modified: 2014-06-18 05:09 EDT (History)
7 users (show)

See Also:
Fixed In Version: 1.0.7-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-12 14:34:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
/var/lib/hal/acl-list (972 bytes, text/plain)
2007-09-19 16:59 EDT, Chuck Ebbert
no flags Details
suggested yet another wrapper program for the user's session (1.49 KB, text/plain)
2007-10-09 18:09 EDT, Nalin Dahyabhai
no flags Details
suggested patch to make xinitrc use the wrapper (1.60 KB, text/plain)
2007-10-09 18:14 EDT, Nalin Dahyabhai
no flags Details

  None (edit)
Description Chuck Ebbert 2007-09-12 12:18:58 EDT
Description of problem:

KDE Sound Server can't start, reports "access denied" attempting to write to
/dev/dsp. Looking at ACLs before starting KDE, "user:cebbert:rw-" is there, but
in a terminal session inside KDE that permission is gone. And changing
permssions to add "other::rw-" doesn't work because it gets changed to
"other::r--". The only workaround is to chown the device file to the logged-in
user before starting KDE. (/etc/sysconfig/desktop has DISPLAYMANAGER="KDE")

Version-Release number of selected component (if applicable):
0.2.1-4.fc8


How reproducible:
Every time.

Steps to Reproduce:
1. boot in runlevel 3
2. start KDE with the startx command
Comment 1 Matthias Clasen 2007-09-14 19:27:08 EDT
We really shouldn't have 50 supported ways to start a session...
Comment 2 Chuck Ebbert 2007-09-17 10:06:16 EDT
(In reply to comment #1)
> We really shouldn't have 50 supported ways to start a session...

Huh? startx is now unsupported? I'm switching to Ubuntu :)
Comment 3 David Zeuthen 2007-09-18 15:33:27 EDT
startx is indeed supported and, as a matter of fact, works fine for me using GNOME.

What is the output of 

 1. ck-list-sessions (both in the VC before startx and in a terminal window)
 2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng

Thanks.
Comment 4 Chuck Ebbert 2007-09-18 19:39:25 EDT
> What is the output of 
>
>  1. ck-list-sessions (both in the VC before startx and in a terminal window)

On console before startx:
Session1:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-18T23:08:27Z'


In Konsole:
Session1:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-18T23:08:27Z'

>  2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng

xorg-x11-xinit-1.0.2-27.fc8
ConsoleKit-libs-0.2.1-4.fc8
util-linux-ng-2.13-1.fc8

With ConsoleKit 0.2.2-1, the text console shows *no* sessions, and an xterm shows:

Session1:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = 'xinit'
        active = FALSE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-18T23:34:12Z'
        idle-since-hint = '2007-09-18T23:34:42Z'

(/dev/dsp is not writable by the logged-on user using the updated ConsoleKit
either.)
Comment 5 David Zeuthen 2007-09-19 10:06:27 EDT
There was a bug in ConsoleKit 0.2.2; can you try with 0.2.3? Thanks.
Comment 6 Chuck Ebbert 2007-09-19 11:44:23 EDT
Still doesn't work with 0.2.3-1:

Text console:
Session1:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-19T15:37:33Z'

xterm:
Session1:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = ''
        active = FALSE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-19T15:37:33Z'
        idle-since-hint = '2007-09-19T15:38:36Z'
Session2:
        uid = '501'
        realname = ''
        seat = 'Seat1'
        session-type = 'xinit'
        active = FALSE
        x11-display = ''
        x11-display-device = ''
        display-device = '/dev/tty1'
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-09-19T15:38:22Z'
        idle-since-hint = '2007-09-19T15:38:52Z'
Comment 7 David Zeuthen 2007-09-19 14:29:51 EDT
Are you running uptodate packages and the Rawhide kernel? Please try with that;
I cannot reproduce this bug at all...
Comment 8 Chuck Ebbert 2007-09-19 16:59:56 EDT
Created attachment 200071 [details]
/var/lib/hal/acl-list
Comment 9 Chuck Ebbert 2007-09-19 17:01:19 EDT
Still happens in the latest rawhide. I can see the audit trail: hald-runner is
spawning the setfacl command and removing the logged-in user's rights to 12
devices when KDE starts. It is getting the list of device names from
/var/lib/hal/acl-list.

Comment 10 David Zeuthen 2007-09-19 17:03:26 EDT
Oh. Are you running in enforcing mode? Please try permissive instead.
Comment 11 Chuck Ebbert 2007-09-19 17:17:23 EDT
Works in permissive mode: /dev/dsp has ACL "user:cebbert:rw-" when X is running.
Comment 12 David Zeuthen 2007-09-19 18:29:41 EDT
Gah. Reassigning to SELinux then. I don't mean to rant but I spend way too much
time on bugs that only occur in SELinux enforcing mode. It is simply a waste of
time to do development this way; policy and file labels _needs_ to be handled in
a decentralized way.
Comment 13 Daniel Walsh 2007-09-21 14:07:59 EDT
Who is creating /dev/dsp?  It is being created with the wrong context.

restorecon /dev/dsp will fix it.  

Whatever app is creating it needs to add this to the mknod line, or better yet
use udev to create it.
Comment 14 David Zeuthen 2007-09-21 14:19:35 EDT
(In reply to comment #13)
> Who is creating /dev/dsp?  

udev is

$ udevinfo --query path --name=/dev/dsp 
/class/sound/dsp

> It is being created with the wrong context.

Sounds fishy; on my system it's fine

$ ls -lZ /dev/dsp 
crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp

Chuck?
Comment 15 Chuck Ebbert 2007-09-21 14:43:27 EDT
(In reply to comment #14)
> 
> Sounds fishy; on my system it's fine
> 
> $ ls -lZ /dev/dsp 
> crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp
> 

That's what I have.
Comment 16 Daniel Walsh 2007-09-21 16:10:00 EDT
What avc messages are you seeing in /var/log/audit/audit.log? or /var/log/messages?
Comment 17 Chuck Ebbert 2007-09-21 16:27:04 EDT
time->Fri Sep 21 16:20:13 2007
type=PATH msg=audit(1190406013.817:58): item=0 name="/dev/dsp" inode=5502
dev=00:10 mode=020660 ouid=0 ogid=0 rdev=0e:03
obj=system_u:object_r:sound_device_t:s0
type=CWD msg=audit(1190406013.817:58):  cwd="/home/cebbert"
type=SYSCALL msg=audit(1190406013.817:58): arch=c000003e syscall=2 success=no
exit=-13 a0=63e968 a1=801 a2=0 a3=0 items=1 ppid=3065 pid=3094 auid=501 uid=501
gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
comm="artsd" exe="/usr/bin/artsd" subj=system_u:system_r:unconfined_t:s0 key=(null)
Comment 18 Daniel Walsh 2007-09-22 07:33:07 EDT
Those are not avc messages.
type=AVC
Comment 19 Nalin Dahyabhai 2007-09-24 12:55:27 EDT
David, am I right in thinking that the the ck-list-sessions output from the
seond run in comment #6 is supposed to list at least one of the sessions as active?
Comment 20 Daniel Walsh 2007-10-09 15:50:49 EDT
After some more investigation the problem is that consolekit is not allowed to
read the ~/.Xauthority record, in some cases.  This is sometimes prevented by
SELinux, but can also be prevented in the case of nfs home directories with
no_root_squash set, or Kerberized NFS or AFS Home dirs.

So we can change policy to allow consolekit to read home dirs in selinux policy
but this is not the best solution, or even a good one.

Consolekit should be able talk to the xserver via xhost because of the following
command

 xhost
access control enabled, only authorized clients can connect
SI:localuser:dwalsh
Comment 21 Nalin Dahyabhai 2007-10-09 18:09:02 EDT
Created attachment 221981 [details]
suggested yet another wrapper program for the user's session
Comment 22 Nalin Dahyabhai 2007-10-09 18:14:48 EDT
Created attachment 221991 [details]
suggested patch to make xinitrc use the wrapper

I think this'll do the right thing.
Comment 23 David Zeuthen 2007-10-10 11:09:19 EDT
(Moving bug to xinit since that's where we need to do the changes.)
Comment 24 Nalin Dahyabhai 2007-10-12 14:34:48 EDT
Building into 1.0.7-2; marking as fixed in Raw Hide because this fixes it for
me.  Please reopen if you continue to see problems with this (if you're using
SELinux, you may also need to update policy to 3.0.8-21 or newer).

Note You need to log in before you can comment on or make changes to this bug.