Description of problem:
KDE Sound Server can't start, reports "access denied" attempting to write to /dev/dsp. Looking at ACLs before starting KDE, "user:cebbert:rw-" is there, but in a terminal session inside KDE that permission is gone. And changing permissions to add "other::rw-" doesn't work because it gets changed to "other::r--". The only workaround is to chown the device file to the logged-in user before starting KDE. (/etc/sysconfig/desktop has DISPLAYMANAGER="KDE")
Version-Release number of selected component (if applicable):
0.2.1-4.fc8
How reproducible:
Every time.
Steps to Reproduce:
1. boot in runlevel 3
2. start KDE with the startx command
We really shouldn't have 50 supported ways to start a session...
(In reply to comment #1)
> We really shouldn't have 50 supported ways to start a session...
Huh? startx is now unsupported? I'm switching to Ubuntu :)
startx is indeed supported and, as a matter of fact, works fine for me using GNOME. What is the output of
1. ck-list-sessions (both in the VC before startx and in a terminal window)
2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng
Thanks.
> What is the output of
>
> 1. ck-list-sessions (both in the VC before startx and in a terminal window)
On console before startx:
Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:08:27Z'
In Konsole:
Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:08:27Z'
> 2. rpm -q xorg-x11-xinit ConsoleKit-libs util-linux-ng
xorg-x11-xinit-1.0.2-27.fc8
ConsoleKit-libs-0.2.1-4.fc8
util-linux-ng-2.13-1.fc8
With ConsoleKit 0.2.2-1, the text console shows *no* sessions, and an xterm shows:
Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = 'xinit'
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-18T23:34:12Z'
    idle-since-hint = '2007-09-18T23:34:42Z'
(/dev/dsp is not writable by the logged-on user using the updated ConsoleKit either.)
There was a bug in ConsoleKit 0.2.2; can you try with 0.2.3? Thanks.
Still doesn't work with 0.2.3-1:
Text console:
Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = TRUE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:37:33Z'
xterm:
Session1:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = ''
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:37:33Z'
    idle-since-hint = '2007-09-19T15:38:36Z'
Session2:
    uid = '501'
    realname = ''
    seat = 'Seat1'
    session-type = 'xinit'
    active = FALSE
    x11-display = ''
    x11-display-device = ''
    display-device = '/dev/tty1'
    remote-host-name = ''
    is-local = TRUE
    on-since = '2007-09-19T15:38:22Z'
    idle-since-hint = '2007-09-19T15:38:52Z'
Are you running uptodate packages and the Rawhide kernel? Please try with that; I cannot reproduce this bug at all...
Created attachment 200071 [details] /var/lib/hal/acl-list
Still happens in the latest rawhide. I can see the audit trail: hald-runner is spawning the setfacl command and removing the logged-in user's rights to 12 devices when KDE starts. It is getting the list of device names from /var/lib/hal/acl-list.
Oh. Are you running in enforcing mode? Please try permissive instead.
Works in permissive mode: /dev/dsp has ACL "user:cebbert:rw-" when X is running.
Gah. Reassigning to SELinux then. I don't mean to rant but I spend way too much time on bugs that only occur in SELinux enforcing mode. It is simply a waste of time to do development this way; policy and file labels _needs_ to be handled in a decentralized way.
Who is creating /dev/dsp? It is being created with the wrong context. restorecon /dev/dsp will fix it. Whatever app is creating it needs to add this to the mknod line, or better yet use udev to create it.
(In reply to comment #13)
> Who is creating /dev/dsp?
udev is
$ udevinfo --query path --name=/dev/dsp
/class/sound/dsp
> It is being created with the wrong context.
Sounds fishy; on my system it's fine
$ ls -lZ /dev/dsp
crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp
Chuck?
(In reply to comment #14)
>
> Sounds fishy; on my system it's fine
>
> $ ls -lZ /dev/dsp
> crw-rw----+ root root system_u:object_r:sound_device_t /dev/dsp
>
That's what I have.
What avc messages are you seeing in /var/log/audit/audit.log? or /var/log/messages?
time->Fri Sep 21 16:20:13 2007
type=PATH msg=audit(1190406013.817:58): item=0 name="/dev/dsp" inode=5502 dev=00:10 mode=020660 ouid=0 ogid=0 rdev=0e:03 obj=system_u:object_r:sound_device_t:s0
type=CWD msg=audit(1190406013.817:58): cwd="/home/cebbert"
type=SYSCALL msg=audit(1190406013.817:58): arch=c000003e syscall=2 success=no exit=-13 a0=63e968 a1=801 a2=0 a3=0 items=1 ppid=3065 pid=3094 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) comm="artsd" exe="/usr/bin/artsd" subj=system_u:system_r:unconfined_t:s0 key=(null)
Those are not avc messages. type=AVC
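Added example, not part of the original thread: a small Python parser that groups audit records by event serial, decodes the failed open() of /dev/dsp quoted above, and reports whether the event carries a type=AVC record. The function names are chosen here, and the serial-99 event with its "exampled" names is constructed so that both outcomes appear.

```python
import re
from collections import defaultdict

# First three records: the event quoted in the comment above (serial 58).
# Last two: a CONSTRUCTED event (serial 99, made-up names) that does carry an AVC record.
SAMPLE = '''\
type=PATH msg=audit(1190406013.817:58): item=0 name="/dev/dsp" inode=5502 dev=00:10 mode=020660 ouid=0 ogid=0 rdev=0e:03 obj=system_u:object_r:sound_device_t:s0
type=CWD msg=audit(1190406013.817:58): cwd="/home/cebbert"
type=SYSCALL msg=audit(1190406013.817:58): arch=c000003e syscall=2 success=no exit=-13 a0=63e968 a1=801 a2=0 a3=0 items=1 ppid=3065 pid=3094 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) comm="artsd" exe="/usr/bin/artsd" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1190406099.000:99): avc:  denied  { read } for  pid=4000 comm="exampled" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
type=SYSCALL msg=audit(1190406099.000:99): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=0 a2=0 a3=0 items=1 pid=4000 comm="exampled" exe="/usr/bin/exampled"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group audit records by event serial; all records of one event share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # skips blank lines and ausearch "time->" separators
            rtype, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[int(serial)].append((rtype, fields))
    return dict(events)

def open_flags(a1_hex):
    """Decode the open(2) flags argument (audit logs a0..a3 in hex); x86_64 values."""
    value = int(a1_hex, 16)
    names = [{0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(value & 3, "?")]
    if value & 0x800:
        names.append("O_NONBLOCK")
    return names

def classify(records):
    """Say whether a failed syscall event carries an SELinux AVC record."""
    syscall = next((f for t, f in records if t == "SYSCALL"), {})
    if syscall.get("exit") != "-13":  # -13 is -EACCES
        return "not-eacces"
    has_avc = any(t == "AVC" for t, _ in records)
    return "selinux-avc" if has_avc else "eacces-without-avc"

if __name__ == "__main__":
    for serial, records in sorted(group_events(SAMPLE).items()):
        print(serial, classify(records))
```

An "eacces-without-avc" result means the denial was not logged by SELinux: either the ordinary mode-bit/ACL check refused the open, or a dontaudit rule suppressed the AVC record.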
David, am I right in thinking that the ck-list-sessions output from the second run in comment #6 is supposed to list at least one of the sessions as active?
After some more investigation the problem is that consolekit is not allowed to read the ~/.Xauthority record, in some cases. This is sometimes prevented by SELinux, but can also be prevented in the case of nfs home directories with no_root_squash set, or Kerberized NFS or AFS Home dirs. So we can change policy to allow consolekit to read home dirs in selinux policy but this is not the best solution, or even a good one. Consolekit should be able to talk to the xserver via xhost because of the following command
xhost
access control enabled, only authorized clients can connect
SI:localuser:dwalsh
Created attachment 221981 [details] suggested yet another wrapper program for the user's session
Created attachment 221991 [details] suggested patch to make xinitrc use the wrapper
I think this'll do the right thing.
(Moving bug to xinit since that's where we need to do the changes.)
Building into 1.0.7-2; marking as fixed in Raw Hide because this fixes it for me. Please reopen if you continue to see problems with this (if you're using SELinux, you may also need to update policy to 3.0.8-21 or newer).