Launchpad has imported 6 comments from the remote bug at http://bugs.freedesktop.org/show_bug.cgi?id=21072.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2009-04-06T12:03:22+00:00 Marshall Miller wrote:

Created an attachment (id=24612)
verify enforcing mode before denying access

If SELinux is in permissive mode and dbus is running in an invalid domain, avc_has_perm will return -1 and dbus will deny access. It is fairly difficult to get dbus into an invalid domain, but it can happen. If refpolicy trunk is installed on a system that uses upstart, such as Ubuntu, and the init_upstart boolean is set to off, the problem is very apparent because there is no keyboard or mouse response once the system reaches the GDM login screen. Dbus can also get into an invalid domain on RHEL 5 by booting into single user mode, starting dbus by hand, and then continuing the boot process.

Attached is a patch that makes sure the system is in enforcing before denying access.

NOTE: The system must be in permissive to get an invalid domain. AVC denials will not appear in the log, however security messages about the invalid context will.

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/0

------------------------------------------------------------------------
On 2009-04-07T07:55:38+00:00 Colin Walters wrote:

Hmmm. Shouldn't this be in libselinux in some form? Are similar patches being made for X and other userspace programs?

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/3

------------------------------------------------------------------------
On 2009-04-07T08:06:00+00:00 Colin Walters wrote:

To elaborate on my concern a bit, I think what we really want here is that the policy does not break, rather than expand the meaning of "enforcing" to also include coping with invalid state.
For the first situation you mentioned it's an instance of the very common case of the base OS configuration not matching the SELinux policy. There are an infinite number of these kinds of situations. The right way to fix them is to work harder to avoid getting in them in the first place, using e.g. regression tests.

As for single user mode, I'd say this is a case where you'd want identical behavior from the kernel AVC and all libselinux-based userspace programs as well, not a dbus-specific patch.

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/4

------------------------------------------------------------------------
On 2009-04-21T10:22:53+00:00 Colin Walters wrote:

c.f. thread here http://marc.info/?l=selinux&m=123979801918475&w=2

Stephen says this should be changed in libselinux or kernel if anywhere, so closing here.

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/5

------------------------------------------------------------------------
On 2009-04-22T08:15:20+00:00 Caleb Case wrote:

(In reply to comment #3)
> c.f. thread here http://marc.info/?l=selinux&m=123979801918475&w=2
>
> Stephen says this should be changed in libselinux or kernel if anywhere, so
> closing here.
>

The thread recommends that DBUS at least report the correct error in the logs based on the errno. It would have made debugging the problem we found significantly easier if this was applied.

Patch from Eamon Walsh:

FWIW, the following patch to D-Bus should help:

bfo21072 - Log SELinux denials better by checking errno for the cause

Note that this does not fully address the bug report since EINVAL can still be returned in permissive mode. However the log messages will now reflect the proper cause of the denial.

Signed-off-by: Eamon Walsh <[email protected]>

diff --git a/bus/selinux.c b/bus/selinux.c index c0f6f4d..46a18a9 100644 --- a/bus/selinux.c +++ b/bus/selinux.c
@@ -433,8 +433,18 @@ bus_selinux_check (BusSELinuxID *sender_sid, SELINUX_SID_FROM_BUS (bus_sid), target_class, requested, &aeref, auxdata) < 0) { - _dbus_verbose ("SELinux denying due to security policy.\n"); - return FALSE; + switch (errno) + { + case EACCES: + _dbus_verbose ("SELinux denying due to security policy.\n"); + return FALSE; + case EINVAL: + _dbus_verbose ("SELinux denying due to invalid security context.\n"); + return FALSE; + default: + _dbus_verbose ("SELinux denying due to: %s\n", _dbus_strerror (errno)); + return FALSE; + } } else return TRUE;

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/6

------------------------------------------------------------------------
On 2009-04-22T08:19:46+00:00 Colin Walters wrote:

Applied.

Reply at: https://bugs.launchpad.net/dbus/+bug/356570/comments/7

** Changed in: dbus
Importance: Unknown => Medium

--
Denials when SELinux is permissive and dbus has invalid domain.
https://bugs.launchpad.net/bugs/356570
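Review bot: the new switch in bus_selinux_check reads errno, but nothing in the diff shows <errno.h> being included in bus/selinux.c, so confirm the include is already there; it is also safer to copy errno into a local immediately after the avc_has_perm() call, since the default branch evaluates `_dbus_strerror (errno)` after the switch has already tested it and any intervening libc call can clobber the value. All three branches use `_dbus_verbose`, which by its name is debug-level output, while the point raised in this thread is that the cause should be visible in the logs when diagnosing a hung desktop; an EINVAL invalid-context result or an unexpected errno is not an ordinary policy decision, so those two cases merit a warning-level message rather than a verbose one. The EINVAL case still returns FALSE, so behaviour in permissive mode is unchanged, consistent with the patch description.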
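As an added illustration (not dbus code and not either patch as submitted), the following C combines the two proposals in this thread: name the cause of an avc_has_perm() failure from errno, and treat an EINVAL invalid-context error as a denial only when the system is enforcing. avc_check_fn, the three stand-in AVC functions and the enforcing flag are constructed assumptions replacing libselinux so that it runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one access check, as the bus would act on it. */
enum bus_decision { BUS_ALLOW, BUS_DENY };

/* Hypothetical stand-in for libselinux's avc_has_perm(): returns 0 on
 * allow, or -1 with errno set (EACCES = policy denial, EINVAL = invalid
 * security context). Constructed for this example, not libselinux. */
typedef int (*avc_check_fn)(void);

/* Human-readable cause of the last decision, for the log line. */
static char last_reason[128];
const char *bus_last_reason(void) { return last_reason; }

/* Decide access the way the two patches in the thread propose: name the
 * real cause from errno, and let an invalid-context error through only
 * while permissive. 'enforcing' stands in for security_getenforce(). */
enum bus_decision check_access(avc_check_fn avc, int enforcing)
{
    int rc = avc();
    int err = errno;  /* capture before any other call clobbers it */
    if (rc == 0) {
        snprintf(last_reason, sizeof last_reason, "allowed by policy");
        return BUS_ALLOW;
    }
    switch (err) {
    case EACCES:
        snprintf(last_reason, sizeof last_reason, "denied by security policy");
        return BUS_DENY;
    case EINVAL:
        if (!enforcing) {
            snprintf(last_reason, sizeof last_reason,
                     "invalid security context, permissive mode: allowing");
            return BUS_ALLOW;
        }
        snprintf(last_reason, sizeof last_reason, "denied: invalid security context");
        return BUS_DENY;
    default:
        snprintf(last_reason, sizeof last_reason, "denied: %s", strerror(err));
        return BUS_DENY;
    }
}

/* Constructed AVC behaviours matching the cases described in the report. */
static int avc_allow(void) { return 0; }
static int avc_policy_deny(void) { errno = EACCES; return -1; }
static int avc_invalid_ctx(void) { errno = EINVAL; return -1; }
```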

