975897 – ConsoleKit (via lightdm/pam_ck_connector.so) registration fails

Bug 975897 - ConsoleKit (via lightdm/pam_ck_connector.so) registration fails

Summary: ConsoleKit (via lightdm/pam_ck_connector.so) registration fails

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F19-accepted, F19FinalFreezeException 972881 976640 979637
TreeView+	depends on / blocked

Reported:	2013-06-19 14:33 UTC by Rex Dieter
Modified:	2013-07-06 01:03 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.12.1-57.fc19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-04 00:55:03 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	976640	0	unspecified	CLOSED	Initial console login as root with ConsoleKit enabled is slow	2021-02-22 00:41:40 UTC

Internal Links: 976640

Description Rex Dieter 2013-06-19 14:33:10 UTC

Per these audit.log denials:

type=USER_AVC msg=audit(1371651676.513:840): pid=349 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=6334 tpid=461 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'                                                                                                                                                      
type=USER_AVC msg=audit(1371651677.569:842): pid=349 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=CanRestart dest=:1.10 spid=6336 tpid=461 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1371651677.583:843): pid=349 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=CanStop dest=:1.10 spid=6336 tpid=461 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


The OpenSessionWithParameters call is the most important one here, essentially blocks session registration, so any CK aware/using application fails to recognize active sessions.

Comment 1 Daniel Walsh 2013-06-19 19:43:48 UTC

What is running as initrc_t?

ps -eZ | grep initrc_t

Your login program is trying to communicate via dbus with a program running with the default init script label.

Comment 2 Rex Dieter 2013-06-19 19:53:21 UTC

$ ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0     461 ?        00:00:00 console-kit-dae

looks like it's the consolekit daemon itself

Comment 4 Rex Dieter 2013-06-20 15:43:54 UTC

up'd to selinux-policy-3.12.1-54.fc19

interestingly, I still see a denial,

type=USER_AVC msg=audit(1371742686.578:401): pid=360 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=660 tpid=835 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

but at least now the linked bug #972881 seems to no longer occur.

Comment 5 Miroslav Grepl 2013-06-20 19:58:26 UTC

Rex,
just to be sure

# ps -eZ |grep initrc

Comment 6 Miroslav Grepl 2013-06-20 20:01:07 UTC

Hmm,
on my F19 system

# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0     955 ?        00:00:00 console-kit-dae


commit a61bb14d57ebe4fb4209562e409cbb5e64ae414c
Author: Miroslav Grepl <mgrepl>
Date:   Thu Jun 20 22:00:12 2013 +0200

    We still need to have consolekit policy

Comment 7 Rex Dieter 2013-06-20 20:23:23 UTC

$ ps aZx | grep console
system_u:system_r:initrc_t:s0   21216 ?        Ssl    0:00 /usr/sbin/console-kit-daemon --no-daemon

(with selinux-policy-3.12.1-54.fc19)

Comment 8 Rex Dieter 2013-06-20 20:43:10 UTC

nominating blocker, since dependent bug #972881 needs this fix

Comment 9 Adam Williamson 2013-06-24 19:00:03 UTC

-54 is already stable. Is there actually something here that is still broken in -54 and needs fixing?

Comment 10 Rex Dieter 2013-06-24 19:20:23 UTC

I suspect that it's not fixed 100% per comment #6 and comment #7 , but , for purposes of mate and bug #972881 , it would seem -54 is good enough.

Comment 11 Miroslav Grepl 2013-06-24 19:39:31 UTC

-55.fc19 has consolekit fix.

Comment 12 Fedora Update System 2013-06-26 20:18:40 UTC

selinux-policy-3.12.1-57.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-57.fc19

Comment 13 Fedora Update System 2013-06-27 15:49:10 UTC

Package selinux-policy-3.12.1-57.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-57.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11846/selinux-policy-3.12.1-57.fc19
then log in and leave karma (feedback).

Comment 14 Leszek Matok 2013-06-28 22:02:49 UTC

I think ConsoleKit should get actual dependency on this version of selinux-policy.

I've upgraded mate-power-manager from updates-testing for bug 972881, it pulled in ConsoleKit, but it introduced like 2 minutes delay before plymouth died and lightdm started, with systemd waiting for ConsoleKit startup to time out.

Good thing I found this bug. Installing above update helps.

Comment 15 Adam Williamson 2013-06-28 22:21:33 UTC

No, we really don't get into that kind of versioned dependency game. We just expect people to update regularly. In the normal course of events this update would have gone out to all users long ago; that's only not the case at present because of the release freeze.

Comment 16 Leszek Matok 2013-06-28 22:38:07 UTC

Right, my problem only stemmed from using updates-testing selectively (applying only what I thought I needed). If both updates go to stable at the same time, it won't bite anyone. Thanks again :)

Comment 17 Fedora Update System 2013-07-04 00:55:03 UTC

selinux-policy-3.12.1-57.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 James 2013-07-04 05:55:52 UTC

979637 and 972881 are still broken for me.

Comment 19 Wolfgang Ulbrich 2013-07-06 01:03:57 UTC

not for me, witout giving more infos what everyone expected from yours :)

Note You need to log in before you can comment on or make changes to this bug.