Re: F10 - pulseaudio not running



Rex Dieter wrote:
ConsoleKit uses ACLs to set permissions for console devices (like audio).
At least, it's *supposed* to.


and Kevin Kofler wrote:
... except your local console user, which gets the permissions using the
POSIX ACL feature.
... The '+' here means some ACLs are set. Try:
getfacl /dev/snd/*

PulseAudio is only SUID root to allow it to use real-time priority for users
in the pulsert group or with real-time priority allowed through PolicyKit.
It does not use the root privileges to access sound devices, it accesses
them as your regular user.


I can see that on my functioning desktops that before login, gdm has
been granted read-write access, via ACLs, to the sound device files in
/dev/snd/. After GDM login my user is granted read-write instead.

On my broken desktop there are no ACLs granting extra permissions. I
have now restored the original permissions on the /dev/snd/* files and
added my user read-write access via ACLs. Still pulseaudio does not
start.

I also noticed that on my broken desktop, console-kit-daemon is not
running. So far I have only found that console-kit-daemon may have
been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8. That
ConsoleKit service script has been removed in Fedora 10 and I don't yet
know how console-kit-daemon is meant to be started.

Is console-kit-daemon running even relevant to GDM adding ACLs for the
console user to access devices? Probably. Is this relevant to why
pulseaudio fails to start? Don't know as even when standard file
permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio
died on startup.

From my functional home desktop ...
[mike@rockover ~]$ getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mike:rw-
group::rw-
mask::rw-
other::---
(Same results of additional user mike ACL for all devices in /dev/snd/).
[mike@rockover ~]$ ck-list-sessions
Session4:
unix-user = '500'
realname = 'Mike Fleetwood,,,,'
seat = 'Seat1'
session-type = ''
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty1'
display-device = ''
remote-host-name = ''
is-local = TRUE
on-since = '2009-04-08T19:06:01.429138Z'
login-session-id = '702'
[mike@rockover ~]$ ps -ef | fgrep console-kit-daemon
root 2477 1 0 Apr08 ? 00:00:00 /usr/sbin/console-kit-daemon
mike 23954 19225 0 12:05 pts/0 00:00:00 fgrep console-kit-daemon

From my broken work desktop ...
[mfleetwo@mfleetwo3 ~]$ su -
Password:
[root@mfleetwo3 ~]# chmod o= /dev/snd/*
[root@mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
[root@mfleetwo3 ~]# ls -l /dev/snd/*
crw-rw----+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
crw-rw----+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
crw-rw----+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
crw-rw----+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
crw-rw----+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
crw-rw----+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
[root@mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mfleetwo:rw-
group::rw-
mask::rw-
other::---
[root@mfleetwo3 ~]# exit
logout
[mfleetwo@mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
[WARN 9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
Not built with -rdynamic so unable to print a backtrace
[mfleetwo@mfleetwo3 ~]$ echo $?
1
[mfleetwo@mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
[mfleetwo@mfleetwo3 ~]$ ck-list-sessions

** (ck-list-sessions:9244): WARNING **: Failed to get list of seats:
Cannot launch daemon, file not found or permissions invalid
[mfleetwo@mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon


Thanks,
Mike

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
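
Added example (not part of the original post): a shell helper that parses getfacl output like the listings above and reports the effective permissions a user gets from the owner entry or a named-user entry, with the ACL mask applied to named-user entries. The function name acl_user_perms and the sample text are constructed for illustration; group and other entries are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post.
# acl_user_perms USER   (reads `getfacl` output on stdin)
# Prints the effective permissions (e.g. "rw-") USER gets from the owner
# entry or a named-user entry, or "no-user-entry" when neither applies and
# access would be decided by the group/other entries instead.
acl_user_perms() {
    awk -v want="$1" '
        function masked(p, m,    i, out) {
            out = ""
            for (i = 1; i <= 3; i++)
                out = out ((substr(p, i, 1) != "-" && substr(m, i, 1) != "-") ? substr(p, i, 1) : "-")
            return out
        }
        /^# owner: /  { owner = $3; next }
        /^#/ || /^$/  { next }
        {
            sub(/[ \t]*#.*$/, "")          # drop trailing "#effective:" notes
            n = split($0, f, ":")
            if (n < 3) next
            if (f[1] == "user" && f[2] == "")   owner_perm = f[3]
            if (f[1] == "user" && f[2] == want) { named = f[3]; have_named = 1 }
            if (f[1] == "mask")                 { mask = f[3]; have_mask = 1 }
        }
        END {
            if (want == owner)   print owner_perm    # owner entry: mask is not applied
            else if (have_named) print (have_mask ? masked(named, mask) : named)
            else                 print "no-user-entry"
        }'
}

# Constructed sample, modelled on the getfacl listing in the post.
sample_acl() {
cat <<'EOF'
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mike:rw-
group::rw-
mask::rw-
other::---
EOF
}

sample_acl | acl_user_perms mike   # console user with a named-user entry
sample_acl | acl_user_perms gdm    # user without an entry of its own
```

On a live system the input would come from getfacl -p /dev/snd/controlC0 instead of the sample function.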


