Bug 571758 - sealert org.freedesktop.DBus.Error.AccessDenied: ?
sealert org.freedesktop.DBus.Error.AccessDenied: ?
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lxdm (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Christoph Wickert
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-09 07:33 EST by Jóhann B. Guðmundsson
Modified: 2010-06-01 14:22 EDT (History)
5 users (show)

See Also:
Fixed In Version: lxdm-0.2.0-4.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-04-20 09:04:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Replacement dbus confi. (821 bytes, application/octet-stream)
2010-03-10 09:14 EST, Daniel Walsh
no flags Details
Selinux dbus errors (6.68 KB, text/plain)
2010-03-11 12:26 EST, Jóhann B. Guðmundsson
no flags Details

  None (edit)
Description Jóhann B. Guðmundsson 2010-03-09 07:33:26 EST
Description of problem:

Running sealert -b from terminal on a fullt updated lxde f13 spin ( 20100307 ) results in this.. 

Mar  9 12:26:30 localhost dbus: Rejected send message, 2 matched rules; type="method_call", sender=":1.51" (uid=500 pid=1920 comm="/usr/bin/python) interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply=0 destination=":1.52" (uid=0 pid=1922 comm="/usr/bin/python))
Mar  9 12:26:30 localhost setroubleshoot: [dbus.proxies.ERROR] Introspect error on :1.52:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.51" (uid=500 pid=1920 comm="/usr/bin/python) interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply=0 destination=":1.52" (uid=0 pid=1922 comm="/usr/bin/python))
Mar  9 12:26:30 localhost dbus: Rejected send message, 2 matched rules; type="method_call", sender=":1.51" (uid=500 pid=1920 comm="/usr/bin/python) interface="org.fedoraproject.SetroubleshootdIface" member="start" error name="(unset)" requested_reply=0 destination=":1.52" (uid=0 pid=1922 comm="/usr/bin/python))
Mar  9 12:26:30 localhost setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.51" (uid=500 pid=1920 comm="/usr/bin/python) interface="org.fedoraproject.SetroubleshootdIface" member="start" error name="(unset)" requested_reply=0 destination=":1.52" (uid=0 pid=1922 comm="/usr/bin/python))
Mar  9 12:26:30 localhost dbus: Rejected send message, 2 matched rules; type="method_call", sender=":1.51" (uid=500 pid=1920 comm="/usr/bin/python) interface="org.fedoraproject.SetroubleshootdIface" member="finish" error name="(unset)" requested_reply=0 destination=":1.52" (uid=0 pid=1922 comm="/usr/bin/python))
Mar  9 12:26:30 localhost setroubleshoot: [dbus.proxies.ERROR] Introspect error on :1.19:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
Mar  9 12:26:30 localhost setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.ServiceUnknown: The name :1.19 was not provided by any .service files

abrt-gui also fails with "Error while loading the dumplist org.freedesktop.DBus.error.NOreply 

How reproducible:

Always 

Steps to Reproduce:
1. Start application that require dbus? 
2.
3.
  
Actual results:

Fail

Expected results:

Working application and a pony

Additional info:

F13 fully updated LXDE Spin
Comment 1 David Zeuthen 2010-03-09 09:10:57 EST
Looks like a problem with setroubleshoot to me.
Comment 2 Daniel Walsh 2010-03-09 09:17:12 EST
David, do you have any idea what is wrong with setroublshoot then?
Comment 3 David Zeuthen 2010-03-09 09:29:12 EST
(In reply to comment #2)
> David, do you have any idea what is wrong with setroublshoot then?

It looks like you are not allowing access to the D-Bus interface org.freedesktop.DBus.Introspectable. Previously this access was granted by default but IIRC someone decided that behavior was too promiscuous. So you need to explicitly grant access now, see e.g.

 /etc/dbus-1/system.d/org.freedesktop.UDisks.conf

for details.
Comment 4 Daniel Walsh 2010-03-10 09:14:20 EST
Created attachment 399091 [details]
Replacement dbus confi.

Johann 

Could you copy the attached file to /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf

And see if this fixes the problem.
Comment 5 Jóhann B. Guðmundsson 2010-03-10 11:48:20 EST
Did not change anything and actually after a fresh reboot test the filed caused dbus to fail ( and everything that depends on it ) with all kinds of weirdness so I cat >> your file into the original one and even removed the deny entry's still nothing :/ 

I also allowed for org.fedoraproject.SetroubleshootdIface and even added those entry's also to "at_console" still nothing.

I'm wondering if we are adding this to the right file? 

Looking at several files that have the Introspectable entry it should not be more pain in the ass other than adding

<policy context="default">
        <allow send_destination="org.fedoraproject.Setroubleshootd>
               send_interface="org.freedesktop.DBus.Introspectable"/>
</policy>

This stuff should just automatically deny all so you only have to add allow entry's in the conf files and it's also a bit wierd that you cant define send_interfaces that go to the same send_destination like.. 

<policy context="pony"/>

<allow send_destination="bla"
       send_interface="bla-one"
       send_interface="bla-two"
       send_interface="bla-three"/> 
</policy> 

Unless you actually can and everyone got it wrong but then again there must be some good reason for doing this, this way..
Comment 6 Daniel Walsh 2010-03-10 16:34:08 EST
Did adding

<policy context="default">
        <allow send_destination="org.fedoraproject.Setroubleshootd>
               send_interface="org.freedesktop.DBus.Introspectable"/>
</policy>


And removing the deny work?

I am not seeing the problem here
Comment 7 Jóhann B. Guðmundsson 2010-03-11 12:25:47 EST
Nope. 

See attached file for full dbus selinux issues.
Comment 8 Jóhann B. Guðmundsson 2010-03-11 12:26:31 EST
Created attachment 399400 [details]
Selinux dbus errors
Comment 9 Daniel Walsh 2010-03-11 12:36:07 EST
Is this caused because consolekit does not say you are at the console.
Comment 10 Daniel Walsh 2010-03-11 12:38:08 EST
What version of setroubleshoot are you using?
Comment 11 Jóhann B. Guðmundsson 2010-03-11 12:57:36 EST
Installed version is 2.2.64-1 

Perhaps this is something related to the F13 LXDE spin only. 

What spin are you using that this does not happen on?
Comment 12 Jóhann B. Guðmundsson 2010-03-11 13:08:39 EST
ConsoleKit-0.4.1-5 is installed

setools-console was not installed. Installed it to no prevail ( dbus errors still present ) 

sealert -l <alert> works if you execute the command from cli on tty2 however it does not work if you run it from LXDE terminal. 

Note that as of F13 LXDE uses it's own login manager now instead of gdm or kdm
Comment 13 Daniel Walsh 2010-03-11 14:57:12 EST
Does /var/run/console have any files in it?

It should have a file with your username.
Comment 14 Daniel Walsh 2010-03-11 15:01:27 EST
I am not using LXDE.  I am using gnome/gdm.  I am questioning whether the system thinks you are not logged into the console.  That is why it will not allow sealert to send messages to setroubleshoot.  Since the dbus rules say you must be on the console to do this.
Comment 15 Christoph Wickert 2010-03-11 15:20:35 EST
What does ck-list-sessions return when you are logged into LXDE?
Comment 16 Jóhann B. Guðmundsson 2010-03-12 03:55:32 EST
/var/run/console does not have any files in it after login....

[root@localhost ~]#ls -alhZ /var/run/console
drwxr-xr-x. root root system_u:object_r:pam_var_console_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   ..

Output from ck-list-sessions 

[root@localhost ~]#ck-list-sessions
Session1:
	unix-user = '500'
	realname = 'Jóhann B. Guðmundsson'
	seat = 'Seat1'
	session-type = ''
	active = FALSE
	x11-display = ':0'
	x11-display-device = '/dev/tty1'
	display-device = '/dev/tty1'
	remote-host-name = ''
	is-local = TRUE
	on-since = '2010-03-12T08:49:33.157980Z'
	login-session-id = ''
Session2:
	unix-user = '0'
	realname = 'root'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ''
	x11-display-device = ''
	display-device = '/dev/tty2'
	remote-host-name = ''
	is-local = TRUE
	on-since = '2010-03-12T08:49:47.662879Z'
	login-session-id = '1'
Comment 17 Daniel Walsh 2010-03-12 09:02:39 EST
Which I believe means consolekit thinks you are not logged into the console.
Comment 18 Christoph Wickert 2010-03-15 12:14:38 EDT
(In reply to comment #16)

> [root@localhost ~]#ck-list-sessions

I asked for the output of ck-list-sessions when *you* are logget *into LXDE*, but you are running the command as root in a vt.

Logged into LXDE as user it should look like this:

Session2:
	unix-user = '500'
	realname = 'Christoph Wickert'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty1'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2010-03-15T15:00:50.138251Z'
	login-session-id = '1'

(In reply to comment #17)
> Which I believe means consolekit thinks you are not logged into the console.    

What makes you think so? Looks similar to me (except of the active/inactive thins but this is because Jóhann was working as root on the console) and I don't have any problems.
Comment 19 Jóhann B. Guðmundsson 2010-03-15 13:15:05 EDT
@Christoph Not sure how that's relevant but definitely my bad and here is the output from within lxde 

[johannbg@valhalla ~]$ck-list-sessions
Session1:
	unix-user = '500'
	realname = 'Jóhann B. Guðmundsson'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty1'
	display-device = '/dev/tty1'
	remote-host-name = ''
	is-local = TRUE
	on-since = '2010-03-15T17:06:34.109563Z'
	login-session-id = ''
Comment 20 Christoph Wickert 2010-03-15 16:53:05 EDT
Thanks a lot. Except of login-session-id this is just what I see but I don't have any problems here on F12.
Comment 21 Christoph Wickert 2010-03-19 21:15:06 EDT
Can you boot with enforcing=0 to see if this is a selinux issue?
Comment 22 Jóhann B. Guðmundsson 2010-03-23 04:14:00 EDT
Did not change anything. 

Dbus is still complaining.

I also did a fresh LXDE ( lxde-x86_64-20100322.18.iso ) install on a VM to rule out any potential fuckup I could have made and the error is present there as well.

Daniel mentioned in comment 13 that there should be a file with the user username in /var/run/console which is missing so it looks like LXDM does not create it @ login ( That is if it is LXDM that's supposed to create it ).

According to http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.html 

Graphical Login Manager

In addition to the requirements for the Text Graphical Login Manager, this pattern is typically used to show information about currently open sessions. It needs:

   1. To determine which Seat it is running on.
   2. To know if the current seat supports session switching.
   3. A list of all sessions on the current Seat.
   4. To know which session is active for the current Seat.
   5. To know when the session active state changes.
   6. To know when sessions are added or removed.
   7. Access to the metadata for any open Session.

You might wanna ping "dgod" to see if LXDM supports the dbus stuff..
Comment 23 Jóhann B. Guðmundsson 2010-03-23 04:15:48 EDT
And by dbus I mean consolekit/dbus..
Comment 24 Christoph Wickert 2010-04-05 16:52:49 EDT
Should be fine in the latest version, please test.
Comment 25 Fedora Update System 2010-04-05 16:55:39 EDT
lxdm-0.2.0-0.1.20100405gitd65ce94.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.1.20100405gitd65ce94.fc13
Comment 26 Fedora Update System 2010-04-05 16:56:49 EDT
lxdm-0.2.0-0.1.20100405gitd65ce94.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.1.20100405gitd65ce94.fc12
Comment 27 Jóhann B. Guðmundsson 2010-04-06 07:43:52 EDT
Confirmed that lxdm-0.2.0-0.1.20100405gitd65ce94.fc13 fixes this and a whole bunch of other stuff ( opening terminal then running su does not take forever abrt has started working.. etc ) Note that selinux-policy might needed to be updated for this update.. ( had to setenforce 0 to be able to login ) and login out and back in does not work.
Comment 28 Christoph Wickert 2010-04-06 08:27:41 EDT
The SELinux problems are suppose to be fixed at least twice now, at least I was promised. However I see two alerts left. See bug 564320 for more info. Please add your alerts there.
Comment 29 Fedora Update System 2010-04-06 15:57:59 EDT
lxdm-0.2.0-0.2.20100405gitd65ce94.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc13
Comment 30 Fedora Update System 2010-04-08 21:39:54 EDT
lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc12
Comment 31 Fedora Update System 2010-04-20 09:04:10 EDT
lxdm-0.2.0-0.3.20100405gitd65ce94.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2010-06-01 14:21:59 EDT
lxdm-0.2.0-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.