preventing console-kit-dae (consolekit_t) "read" to (polkit_var_lib_t) on restart

Andrew Farris lordmorgul at gmail.com
Wed Apr 2 07:14:55 UTC 2008 

This occurs on Rawhide when trying to 'Restart' from Gnome System
menu.  My user does have policykit authorization to restart the system
(others logged in or not) and to shutdown the system, but neither
work.  At the moment I have to logout, then switch to VT1 and reboot.
GDM cannot restart either.

SELinux is preventing console-kit-dae (consolekit_t) "read" to
./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t).

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:polkit_var_lib_t:s0
Target Objects                ./org.freedesktop.hal.device-access.sound.override
                              [ file ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           ConsoleKit-0.2.10-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686
                              #1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 02 Apr 2008 12:00:41 AM PDT
Last Seen                     Wed 02 Apr 2008 12:00:41 AM PDT
Local ID                      bade6013-09c9-4ca8-afba-3632172a3fc9
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207119641.661:3387): avc:  denied
 { read } for  pid=2192 comm="console-kit-dae"
name="org.freedesktop.hal.device-access.sound.override" dev=dm-0
ino=727047 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:polkit_var_lib_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1207119641.661:3387):
arch=40000003 syscall=5 success=no exit=-13 a0=98d1918 a1=8000 a2=0
a3=8000 items=0 ppid=1 pid=2192 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

--
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
 revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer

More information about the fedora-selinux-list mailing list