Bug 922935 - SELinux prevents ConsoleKit startup on F19 live image
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Blocks: F19Alpha-accepted, F19AlphaFreezeException
Reported: 2013-03-18 19:57 UTC by Adam Williamson
Modified: 2013-04-30 18:43 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-04-30 18:43:27 UTC



Description Adam Williamson 2013-03-18 19:57:39 UTC
I have no idea how CK got pulled into the F19 desktop live compose I just did, but disregarding that, CK fails to start if SELinux is enforcing:

Mar 18 15:53:42 localhost console-kit-daemon[1146]: console-kit-daemon[1146]: WARNING: Failed to acquire org.freedesktop.ConsoleKit: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.19" (uid=0 pid=596 comm="/bin/login --      ") interface="org.freedesktop.ConsoleKit.Manager" member="OpenSessionWithParameters" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=1146 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Mar 18 15:53:42 localhost console-kit-daemon[1146]: console-kit-daemon[1146]: WARNING: Could not acquire name; bailing out
Mar 18 15:53:42 localhost systemd[1]: Started Console Manager.
Mar 18 15:53:42 localhost systemd[1]: console-kit-daemon.service: main process exited, code=exited, status=1/FAILURE
Mar 18 15:53:42 localhost systemd[1]: Unit console-kit-daemon.service entered failed state
Mar 18 15:53:42 localhost console-kit-daemon[1146]: WARNING: Failed to acquire org.freedesktop.ConsoleKit: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.19" (uid=0 pid=596 comm="/bin/login --      ") interface="org.freedesktop.ConsoleKit.Manager" member="OpenSessionWithParameters" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=1146 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Mar 18 15:53:42 localhost console-kit-daemon[1146]: WARNING: Could not acquire name; bailing out

This is a clean F19 live image compose from current F19 repos.

Comment 1 Miroslav Grepl 2013-03-18 20:31:08 UTC
What does

# ausearch -m user_avc

Comment 2 Miroslav Grepl 2013-03-18 20:48:02 UTC
Ok, I think you see

type=USER_AVC msg=audit(1363549924.056:323): pid=632 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=667 tpid=1183 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


#============= local_login_t ==============
allow local_login_t initrc_t:dbus send_msg;

#============= xdm_t ==============
allow xdm_t initrc_t:dbus send_msg;


The problem is we removed consolekit policy in F19.

$ matchpathcon /usr/sbin/console-kit-daemon
/usr/sbin/console-kit-daemon	system_u:object_r:bin_t:s
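
Added example, not part of the original comment or of any SELinux tool: Python that parses a USER_AVC record like the one in comment 2, rebuilds the allow rule shown there, and flags a D-Bus target running in initrc_t, which in this bug pointed at the removed ConsoleKit policy. The function names and the GENERIC_DOMAINS set are assumptions made for illustration; the sample is the record quoted above, shortened.

```python
import re

# Constructed sample: the USER_AVC record from comment 2, shortened to the fields used here.
SAMPLE = (
    "type=USER_AVC msg=audit(1363549924.056:323): pid=632 uid=81 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters "
    "dest=org.freedesktop.ConsoleKit spid=667 tpid=1183 "
    "scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  sauid=81 terminal=?'"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Assumption: a service running in one of these domains has no policy module of its own.
GENERIC_DOMAINS = {"initrc_t"}

def se_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(":")[2]

def parse_user_avc(line):
    """Parse one USER_AVC denial into a dict, or return None if the line is not one."""
    m = AVC_RE.search(line) if "type=USER_AVC" in line else None
    if m is None:
        return None
    iface = re.search(r"interface=(\S+)", line)
    member = re.search(r"member=(\S+)", line)
    return {
        "source": se_type(m["scon"]),
        "target": se_type(m["tcon"]),
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
        "call": f"{iface[1]}.{member[1]}" if iface and member else None,
        "target_is_generic": se_type(m["tcon"]) in GENERIC_DOMAINS,
    }

def allow_rule(d):
    """Format the denial as the allow rule that would permit it."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

if __name__ == "__main__":
    print(allow_rule(parse_user_avc(SAMPLE)))
```

When target_is_generic is set, the rule is a symptom rather than a fix: the receiving daemon is missing its own domain, as the matchpathcon output above shows for console-kit-daemon.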

Comment 3 Adam Williamson 2013-03-18 21:21:44 UTC
It shouldn't be dropped unless and until the CK package is actually killed.

[root@adam images]# repoquery --whatrequires ConsoleKit
ConsoleKit-docs-0:0.4.5-4.fc19.x86_64
ConsoleKit-x11-0:0.4.5-4.fc19.x86_64
cdm-0:0.5.3-9.fc19.noarch
lxsession-0:0.4.6.1-5.fc19.x86_64

Looks like we're down to LXDE and cdm now.

Comment 4 Daniel Walsh 2013-03-19 23:39:26 UTC
uggg, can we open bugs with these tools to get rid of the requirement.

Comment 5 Adam Williamson 2013-03-20 05:11:22 UTC
Last I checked, the 'submit bug' button worked, yes. :)

Comment 7 Adam Williamson 2013-04-09 21:49:22 UTC
I believe this bug prevents the LXDE live images from starting up correctly by default: try booting the LXDE live image from one of the Alpha TCs/RCs and all you get is a black screen. Actually booting with enforcing=0 doesn't succeed either, so I think there's another bug lurking behind this one for LXDM, but enforcing=0 does at least allow ConsoleKit startup to succeed, and I'm pretty sure we're going to need that for LXDM to work.

It seems like migrating LXDM off of CK isn't going to happen in the short term, so can we put the CK policy back in F19 at least for now? Thanks!

Nominating as a freeze exception bug as it's a blocker for the LXDE spin.

Comment 8 Peter H. Jones 2013-04-18 14:48:21 UTC
I have found a way to start LXDE Live Alpha FC19 with enforcing unchanged:

1. Boot normally
2. When system settles down, use CTRL-ALT-F2 to open a login screen.
3. Login as liveuser
4. Enter the command startx. LXDE starts normally.

Comment 9 Daniel Walsh 2013-04-18 20:47:21 UTC
Fixed in selinux-policy-3.12.1-33.fc19.noarch


Consolekit policy was added back.

Comment 10 Adam Williamson 2013-04-30 18:43:27 UTC
selinux-policy-3.12.1-34.fc19 went stable, so let's close this.

