Bug 476402 - ConsoleKit/vncserver incompatibility (20081213 software)
ConsoleKit/vncserver incompatibility (20081213 software)
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: vnc (Show other bugs)
9
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Adam Tkac
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-14 00:45 EST by bob mckay
Modified: 2013-04-30 19:42 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-14 13:47:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ConnectKit Sessions Registered at time of problem (637 bytes, text/plain)
2008-12-14 01:12 EST, bob mckay
no flags Details
Relevant part of vncserver log (1.94 KB, text/plain)
2008-12-14 01:13 EST, bob mckay
no flags Details
xstartup script (337 bytes, text/plain)
2008-12-14 01:14 EST, bob mckay
no flags Details
setroubleshoot of ck-get-x11-serv (consolekit_t) problem (15.09 KB, application/pdf)
2008-12-14 01:16 EST, bob mckay
no flags Details
setroubleshoot of failed restorecon (possible failed autorelabel?) (14.94 KB, application/pdf)
2008-12-14 01:17 EST, bob mckay
no flags Details

  None (edit)
Description bob mckay 2008-12-14 00:45:31 EST
Description of problem:
VNCserver doesn't seem to connect properly to ConsoleKit (with consequent failures of PackageKit and similar). This may be a consequence of current selinux policies.

Version-Release number of selected component (if applicable):
Nov 20 01:53:01 Installed: vnc-libs-4.1.2-31.fc9.i386
Nov 20 01:53:01 Installed: vnc-server-4.1.2-31.fc9.i386
Dec 14 01:35:05 Updated: vnc-libs-4.1.2-32.fc9.i386
Dec 14 01:35:25 Updated: vnc-server-4.1.2-32.fc9.i386

Nov 20 00:45:57 Updated: selinux-policy-3.3.1-107.fc9.noarch
Nov 20 00:50:57 Updated: selinux-policy-targeted-3.3.1-107.fc9.noarch
Dec 14 01:32:54 Updated: selinux-policy-3.3.1-111.fc9.noarch
Dec 14 01:33:59 Updated: selinux-policy-targeted-3.3.1-111.fc9.noarch
(I'm running targeted/enforcing)

Can't find a way to get ConsoleKit details, but 
ck-list-sessions 0.2.10

How reproducible:
Always

Steps to Reproduce:
1. Start vncserver
2. Connect over ssh tunnel
3. Run Package installer (or anything else that depends on ConsoleKit)
  
Actual results:
"Package installer is running when the session is not active" etc.

Expected results:
Package installer runs normally

Additional info:
I normally run vnc over an ssh pipe, but have confirmed that the problem occurs whether the vnc connection is local over a pipe, or direct over port 59xx.

I'm using a stock standard xstartup (see xstartup.txt).

vncserver reports inability to acquire NetworkManagerUserSettings (I think this is the critical one) and some other problems (see vnc_log.txt)

ck-list-sessions reports only two sessions (see sessions.txt), but I don't think they relate to vncserver, as they don't disappear when the server is killed

setroubleshoot reports a problem with ck-get-x11-serv (I assume it's the cause of the above). See sel_ckgetx11serv.pdf

I don't think it's just a labeling problem, as this problem recurred immediately after an autorelabel. However I can't guarantee that the autorelabel was successful, as selinux reported some problems with restorecon at about the time the autorelabel should have been happening (see sel_restorecon.pdf). I can't figure any way to check this.

The problem may possibly be the same as but 466128, but it's hard to tell because
.there isn't enough detail in that bug report to be sure
.anyway, it's against F10 rather than F9
Comment 1 bob mckay 2008-12-14 01:12:47 EST
Created attachment 326842 [details]
ConnectKit Sessions Registered at time of problem
Comment 2 bob mckay 2008-12-14 01:13:32 EST
Created attachment 326843 [details]
Relevant part of vncserver log
Comment 3 bob mckay 2008-12-14 01:14:10 EST
Created attachment 326844 [details]
xstartup script
Comment 4 bob mckay 2008-12-14 01:16:08 EST
Created attachment 326845 [details]
setroubleshoot of ck-get-x11-serv (consolekit_t) problem
Comment 5 bob mckay 2008-12-14 01:17:15 EST
Created attachment 326846 [details]
setroubleshoot of failed restorecon (possible failed autorelabel?)
Comment 6 bob mckay 2008-12-19 03:25:33 EST

*** This bug has been marked as a duplicate of bug 477121 ***
Comment 7 bob mckay 2009-02-02 05:48:15 EST
Hope I'm doing this the right way; this bug is _not_ a duplicate of 477121. Recent updates fixed 477121 without fixing this.
Comment 8 bob mckay 2009-02-02 06:31:33 EST
The present stage of trying to run ssh-tunneled vncserver and undertake admin tasks is that it fails in two separate ways (FC9 updated to 2009/02/02). Firstly, there is a problem related to 446143 and 452156, namely that consolekit is not called for the vncserver x11 session. This is essentially a problem in the standard xstartup file, which uses:
exec /etc/X11/xinit/xinitrc
This means that the ConsoleKit calls supplied by the patch in response to 477121 are applied to the spawned process, not the vncserver x11 process (by the way, this means that the marking of 446143 as a duplicate of 477121 was almost certainly wrong, since the patches almost certainly did not fix 446143 - of course I have no direct way to verify this). I'm not sure that there's any way to fix this that doesn't involve changing the user xstartup files.

However even substituting the xstartup call with the result of what is in the 477121 patch:
. /etc/X11/xinit/xinitrc-common
exec $CK_XINIT_SESSION $SSH_AGENT /etc/X11/xinit/Xclients || \
exec $CK_XINIT_SESSION $SSH_AGENT /etc/X11/xinit/Xclients
still fails to give the vncserver process console capabilities. My best guess is that this is because of selinux interactions; when we initiate a vncserver session as above, we are still getting selinux violations identical to those reported in 471121 (even though 471121 selinux violations - i.e. relating to starting X11 independent of vncserver - have now gone away). 

This is a complete show-stopper for us. We have servers that need to be maintained headlessly; they are currently stuck at F8 and pre-December F9 because of this issue. We are about to install a replacement for the F8 server. Is there any hope of a fix or workaround, or should we be switching to CentOS?
Comment 9 bob mckay 2009-02-11 04:12:02 EST
Sorry, got my bug numbering wrong in some of the preceding (right numbers, wrong roles), should have read:

>This means that the ConsoleKit calls supplied by the patch in response to
>452156 are applied to the spawned process, not the vncserver x11 process (by
>the way, this means that the marking of 446143 as a duplicate of 452156 was
>almost certainly wrong, since the patches almost certainly did not fix 446143 -
>of course I have no direct way to verify this). I'm not sure that there's any
>way to fix this that doesn't involve changing the user xstartup files.

> However even substituting the xstartup call with the result of what is in the
> 452156 patch:
Comment 10 Adam Tkac 2009-02-12 06:41:49 EST
I'm not sure if I understand you correctly. Does patch written in https://bugzilla.redhat.com/show_bug.cgi?id=452156#c18 fix your problems? (you don't have to build entire rpm, patch only /etc/X11/xinit/Xsession and /etc/X11/xinit/xinitrc-common files)
Comment 11 Adam Tkac 2009-03-09 11:12:29 EDT

*** This bug has been marked as a duplicate of bug 452156 ***
Comment 12 bob mckay 2009-03-09 21:15:13 EDT
Dear Adam, firstly may I apologise? For some reason, I did not receive notification of the request in comment #10 - it may have got spam-trapped. Hence the delayed reply.

Unfortunately, no, the patch in 
https://bugzilla.redhat.com/show_bug.cgi?id=452156#c18 
doesn't fix the problem. I'm sorry, I don't fully understand the workings of ConsoleKit. But I would guess the problem is this. The standard vncserver ~user/.vnc/xstartup file (which presumably has an active seat) doesn't directly call xinitrc. Instead, it exec's it. Does this mean that the spawned process doesn't inherit the active seat? If so, I think it's probably the explanation: the ConsoleKit call supplied by the patch is applied to a process that already doesn't have an active seat. 

It may be that there is no way to fix this short of changing the standard vnc xstartup file (which will break most installations of vnc clients). But even including ConsoleKit calls in the xstartup file doesn't fix the problem, because selinux blocks the calls. Whether there is a secure way of overcoming that problem is way beyond my knowledge.

I'll attempt to remove the "mark duplicate", but not confident I understand bugzilla well enough to do so successfully.
Comment 13 Bug Zapper 2009-06-09 23:25:25 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Bug Zapper 2009-07-14 13:47:56 EDT
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.