SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

Mike Fleetwood mike.fleetwood at googlemail.com
Wed May 20 08:23:16 UTC 2009 

I wrote:
> I can see that on my functioning desktops that before login, gdm has
> been granted read-write access, via ACLs, to the sound device files in
> /dev/snd/.  After GDM login my user is granted read-write instead.
>
> On my broken desktop there are no ACLs granting extra permissions.  I
> have now restored the original permissions on the /dev/snd/* files and
> added my user read-write access via ACLs.  Still pulseaudio does not
> start.
>
> I also noticed that on my broken desktop, console-kit-daemon is not
> running.  So far I have only found that console-kit-daemon may have
> been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8.  That
> consoleKit service script been removed in Fedora 10 and I don't yet
> know how console-kit-daemon is meant to be started.
>
> Is console-kit-daemon running even relevant to GDM adding ACLs for the
> console user to access devices?  Probably.  Is this relevant to why
> pulseaudio fails to start?  Don't know as even when standard file
> permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio
> died on startup.
>
> From my functional home desktop ...
> [mike at rockover ~]$ getfacl -p /dev/snd/controlC0
> # file: /dev/snd/controlC0
> # owner: root
> # group: root
> user::rw-
> user:mike:rw-
> group::rw-
> mask::rw-
> other::---
> (Same results of additional user mike ACL for all devices in /dev/snd/).
> [mike at rockover ~]$ ck-list-sessions
> Session4:
>        unix-user = '500'
>        realname = 'Mike Fleetwood,,,,'
>        seat = 'Seat1'
>        session-type = ''
>        active = TRUE
>        x11-display = ':0'
>        x11-display-device = '/dev/tty1'
>        display-device = ''
>        remote-host-name = ''
>        is-local = TRUE
>        on-since = '2009-04-08T19:06:01.429138Z'
>        login-session-id = '702'
> [mike at rockover ~]$ ps -ef | fgrep console-kit-daemon
> root      2477     1  0 Apr08 ?        00:00:00 /usr/sbin/console-kit-daemon
> mike     23954 19225  0 12:05 pts/0    00:00:00 fgrep console-kit-daemon
>
> From my broken work desktop ...
> [mfleetwo at mfleetwo3 ~]$ su -
> Password:
> [root at mfleetwo3 ~]# chmod o= /dev/snd/*
> [root at mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
> [root at mfleetwo3 ~]# ls -l /dev/snd/*
> crw-rw----+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
> crw-rw----+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
> crw-rw----+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
> crw-rw----+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
> crw-rw----+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
> crw-rw----+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
> [root at mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
> # file: /dev/snd/controlC0
> # owner: root
> # group: root
> user::rw-
> user:mfleetwo:rw-
> group::rw-
> mask::rw-
> other::---
> [root at mfleetwo3 ~]# exit
> logout
> [mfleetwo at mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
> I: caps.c: Dropping root privileges.
> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
> [WARN  9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
>  Not built with -rdynamic so unable to print a backtrace
> [mfleetwo at mfleetwo3 ~]$ echo $?
> 1
> [mfleetwo at mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
> [mfleetwo at mfleetwo3 ~]$ ck-list-sessions
>
> ** (ck-list-sessions:9244): WARNING **: Failed to get list of seats:
> Cannot launch daemon, file not found or permissions invalid
> [mfleetwo at mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon

I have identified that my issues are caused by SELinux.  I have
rebooted with enforcing=0 to switch SELinux into permissive mode and
ConsoleKit and Pulseaudio start correctly and audacious plays music.
Even after performing a full relabelling of the SELinux security
context of all files by touching /.autorelabel and rebooting, SELinux
in enforcing is preventing D-Bus starting ConsoleKit and Pulseaudio
starting.  Investigation into SELinux continuing.

E.g. SELinux in enforcing mode:
[root at mfleetwo3 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root at mfleetwo3 ~]# service messagebus status
env: /etc/init.d/messagebus: Permission denied

and SELinux in permissive mode:
[root at mfleetwo3 ~]# service messagebus status
dbus-daemon (pid 2736 2055) is running...

Thanks,
Mike

More information about the fedora-list mailing list