
Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running



On 05/20/2009 04:23 AM, Mike Fleetwood wrote:
I wrote:
I can see that on my functioning desktops that before login, gdm has
been granted read-write access, via ACLs, to the sound device files in
/dev/snd/.  After GDM login my user is granted read-write instead.

On my broken desktop there are no ACLs granting extra permissions.  I
have now restored the original permissions on the /dev/snd/* files and
added my user read-write access via ACLs.  Still pulseaudio does not
start.

I also noticed that on my broken desktop, console-kit-daemon is not
running.  So far I have only found that console-kit-daemon may have
been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8.  That
ConsoleKit service script has been removed in Fedora 10 and I don't yet
know how console-kit-daemon is meant to be started.

Is console-kit-daemon running even relevant to GDM adding ACLs for the
console user to access devices?  Probably.  Is this relevant to why
pulseaudio fails to start?  Don't know as even when standard file
permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio
died on startup.

From my functional home desktop ...
[mike rockover ~]$ getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mike:rw-
group::rw-
mask::rw-
other::---
(Same results of additional user mike ACL for all devices in /dev/snd/).
[mike rockover ~]$ ck-list-sessions
Session4:
        unix-user = '500'
        realname = 'Mike Fleetwood,,,,'
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ':0'
        x11-display-device = '/dev/tty1'
        display-device = ''
        remote-host-name = ''
        is-local = TRUE
        on-since = '2009-04-08T19:06:01.429138Z'
        login-session-id = '702'
[mike rockover ~]$ ps -ef | fgrep console-kit-daemon
root      2477     1  0 Apr08 ?        00:00:00 /usr/sbin/console-kit-daemon
mike     23954 19225  0 12:05 pts/0    00:00:00 fgrep console-kit-daemon

From my broken work desktop ...
[mfleetwo mfleetwo3 ~]$ su -
Password:
[root mfleetwo3 ~]# chmod o= /dev/snd/*
[root mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
[root mfleetwo3 ~]# ls -l /dev/snd/*
crw-rw----+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
crw-rw----+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
crw-rw----+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
crw-rw----+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
crw-rw----+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
crw-rw----+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
[root mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mfleetwo:rw-
group::rw-
mask::rw-
other::---
[root mfleetwo3 ~]# exit
logout
[mfleetwo mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
[WARN  9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
  Not built with -rdynamic so unable to print a backtrace
[mfleetwo mfleetwo3 ~]$ echo $?
1
[mfleetwo mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
[mfleetwo mfleetwo3 ~]$ ck-list-sessions

** (ck-list-sessions:9244): WARNING **: Failed to get list of seats:
Cannot launch daemon, file not found or permissions invalid
[mfleetwo mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon

I have identified that my issues are caused by SELinux.  I have
rebooted with enforcing=0 to switch SELinux into permissive mode and
ConsoleKit and Pulseaudio start correctly and audacious plays music.
Even after performing a full relabelling of the SELinux security
context of all files by touching /.autorelabel and rebooting, SELinux
in enforcing is preventing D-Bus starting ConsoleKit and Pulseaudio
starting.  Investigation into SELinux continuing.

E.g. SELinux in enforcing mode:
[root mfleetwo3 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root mfleetwo3 ~]# service messagebus status
env: /etc/init.d/messagebus: Permission denied

and SELinux in permissive mode:
[root mfleetwo3 ~]# service messagebus status
dbus-daemon (pid 2736 2055) is running...

Thanks,
Mike

Are you fully yum updated on selinux policy?


yum -y upgrade selinux-policy-targeted
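
An added example, not part of either poster's message: when a command fails with "Permission denied" in enforcing mode but works in permissive mode, the AVC denial records in the audit log show which domain was refused which access to which object. The script below groups such records; the sample records and every context, pid and inode in them are constructed, and the label/policy hint is a heuristic assumption.

```shell
#!/bin/sh
# Constructed audit.log records for illustration; NOT taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1242816001.101:40): avc:  denied  { execute } for  pid=2101 comm="env" name="messagebus" dev=dm-0 ino=1001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1242816001.101:40): arch=40000003 syscall=11 success=no exit=-13 comm="env"
type=AVC msg=audit(1242816002.202:41): avc:  denied  { execute } for  pid=2150 comm="dbus-daemon" name="console-kit-daemon" dev=dm-0 ino=1002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=AVC msg=audit(1242816003.303:42): avc:  denied  { execute } for  pid=2188 comm="dbus-daemon" name="console-kit-daemon" dev=dm-0 ino=1002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=AVC msg=audit(1242816004.404:43): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Read audit records on stdin; print one line per distinct denial:
#   <count> <hint> <source type> -> <target type> <class> { perms } comm=.. name=..
# hint is a heuristic (assumption): "label" when the target type is file_t or
# unlabeled_t (the object carries no valid label), otherwise "policy".
summarize_avc_denials() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ {
        # The denied permissions sit between the braces.
        o = index($0, "{"); c = index($0, "}")
        perms = (o && c > o) ? substr($0, o + 1, c - o - 1) : "?"
        gsub(/^ +| +$/, "", perms)
        comm = name = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (!eq) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name") name = val
            else if (key == "tclass") cls = val
            # The SELinux type is the third colon-separated field of a context.
            else if (key == "scontext") { split(val, p, ":"); src = p[3] }
            else if (key == "tcontext") { split(val, p, ":"); tgt = p[3] }
        }
        hint = (tgt == "file_t" || tgt == "unlabeled_t") ? "label" : "policy"
        seen[hint " " src " -> " tgt " " cls " { " perms " } comm=" comm " name=" name]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -rn
}

# Live use (as root): summarize_avc_denials < /var/log/audit/audit.log
sample_audit_log | summarize_avc_denials
```

A "label" hint points at checking the file's context (`ls -Z`, `restorecon`), while a "policy" hint points at the installed policy version, which is what the policy upgrade suggested above addresses.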


