Comment 4 for bug 1103022

In fact udev-acl appears to be doing it.

When logging into a simple ubuntu desktop with qemu-system not installed, I log in and find /dev/kvm is root:root rwm------ with a group::--- acl installed. I verify the acl by doing 'chmod g+rw /dev/kvm' followed by ls -l /dev/kvm and getfacl /dev/kvm showng that /dev/kvm is now rwxrw---- but the group::--- acl is still there.

Next I moved /usr/lib/ConsoleKit/run-seat.d/udev-acl.ck to /root/ and rebooted, and ssh'd in. Now /dev/kvm had no acls and was

serge@ubuntu:~$ ls -l /dev/kvm
crw-rw---- 1 root root 10, 232 Jan 29 01:04 /dev/kvm
serge@ubuntu:~$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: root
user::rw-
group::rw-
other::---

(I next undid this by doing 'chmod g-rw /dev/kvm')

Next I manually ran:

/lib/udev/udev-acl -a change --device=/dev/kvm

after this, I got:

root@ubuntu:~# getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: root
user::rw-
user:lightdm:rw-
group::---
mask::rw-
other::---

root@ubuntu:~# chmod g+rw /dev/kvm
root@ubuntu:~# getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: root
user::rw-
user:lightdm:rw-
group::---
mask::rw-
other::---

showing that running udev-acl.ck is what is causing the group acl to be
created, even though it's not obvious, looking at the udev-acl.c code,
how it would do so.