SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

Daniel J Walsh dwalsh at redhat.com
Wed May 20 12:54:47 UTC 2009


On 05/20/2009 04:23 AM, Mike Fleetwood wrote:
> I wrote:
>> I can see that on my functioning desktops that before login, gdm has
>> been granted read-write access, via ACLs, to the sound device files in
>> /dev/snd/.  After GDM login my user is granted read-write instead.
>>
>> On my broken desktop there are no ACLs granting extra permissions.  I
>> have now restored the original permissions on the /dev/snd/* files and
>> added my user read-write access via ACLs.  Still pulseaudio does not
>> start.
>>
>> I also noticed that on my broken desktop, console-kit-daemon is not
>> running.  So far I have only found that console-kit-daemon may have
>> been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8.  That
>> ConsoleKit service script has been removed in Fedora 10 and I don't yet
>> know how console-kit-daemon is meant to be started.
>>
>> Is console-kit-daemon running even relevant to GDM adding ACLs for the
>> console user to access devices?  Probably.  Is this relevant to why
>> pulseaudio fails to start?  Don't know as even when standard file
>> permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio
>> died on startup.
>>
>>  From my functional home desktop ...
>> [mike at rockover ~]$ getfacl -p /dev/snd/controlC0
>> # file: /dev/snd/controlC0
>> # owner: root
>> # group: root
>> user::rw-
>> user:mike:rw-
>> group::rw-
>> mask::rw-
>> other::---
>> (Same results of additional user mike ACL for all devices in /dev/snd/).
>> [mike at rockover ~]$ ck-list-sessions
>> Session4:
>>         unix-user = '500'
>>         realname = 'Mike Fleetwood,,,,'
>>         seat = 'Seat1'
>>         session-type = ''
>>         active = TRUE
>>         x11-display = ':0'
>>         x11-display-device = '/dev/tty1'
>>         display-device = ''
>>         remote-host-name = ''
>>         is-local = TRUE
>>         on-since = '2009-04-08T19:06:01.429138Z'
>>         login-session-id = '702'
>> [mike at rockover ~]$ ps -ef | fgrep console-kit-daemon
>> root      2477     1  0 Apr08 ?        00:00:00 /usr/sbin/console-kit-daemon
>> mike     23954 19225  0 12:05 pts/0    00:00:00 fgrep console-kit-daemon
>>
>>  From my broken work desktop ...
>> [mfleetwo at mfleetwo3 ~]$ su -
>> Password:
>> [root at mfleetwo3 ~]# chmod o= /dev/snd/*
>> [root at mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
>> [root at mfleetwo3 ~]# ls -l /dev/snd/*
>> crw-rw----+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
>> crw-rw----+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
>> crw-rw----+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
>> crw-rw----+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
>> crw-rw----+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
>> crw-rw----+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
>> [root at mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
>> # file: /dev/snd/controlC0
>> # owner: root
>> # group: root
>> user::rw-
>> user:mfleetwo:rw-
>> group::rw-
>> mask::rw-
>> other::---
>> [root at mfleetwo3 ~]# exit
>> logout
>> [mfleetwo at mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
>> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
>> I: caps.c: Dropping root privileges.
>> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
>> [WARN  9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
>>   Not built with -rdynamic so unable to print a backtrace
>> [mfleetwo at mfleetwo3 ~]$ echo $?
>> 1
>> [mfleetwo at mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
>> [mfleetwo at mfleetwo3 ~]$ ck-list-sessions
>>
>> ** (ck-list-sessions:9244): WARNING **: Failed to get list of seats:
>> Cannot launch daemon, file not found or permissions invalid
>> [mfleetwo at mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon
>
> I have identified that my issues are caused by SELinux.  I have
> rebooted with enforcing=0 to switch SELinux into permissive mode and
> ConsoleKit and Pulseaudio start correctly and audacious plays music.
> Even after performing a full relabelling of the SELinux security
> context of all files by touching /.autorelabel and rebooting, SELinux
> in enforcing is preventing D-Bus starting ConsoleKit and Pulseaudio
> starting.  Investigation into SELinux continuing.
>
> E.g. SELinux in enforcing mode:
> [root at mfleetwo3 ~]# id -Z
> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> [root at mfleetwo3 ~]# service messagebus status
> env: /etc/init.d/messagebus: Permission denied
>
> and SELinux in permissive mode:
> [root at mfleetwo3 ~]# service messagebus status
> dbus-daemon (pid 2736 2055) is running...
>
> Thanks,
> Mike
>
Are you fully yum updated on selinux policy?


yum -y upgrade selinux-policy-targeted




