Re: Another getcon() vs getcon_raw() issue in systemd

[Laurent Bigonville]

Le 30/12/16 à 18:43, Stephen Smalley a écrit :
Fedora no longer runs mcstransd by default, so that may also be 
relevant.  Dbusd should likely provide the raw context to clients so 
that they are free to use either the raw or translated interfaces 
without difficulty.

Hi,

FTR, I've open https://bugs.freedesktop.org/show_bug.cgi?id=99234

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: Another getcon() vs getcon_raw() issue in systemd

[Stephen Smalley]

On Dec 30, 2016 8:08 AM, "Russell Coker"  wrote:

On Monday, 26 December 2016 7:10:19 PM AEDT Nicolas Iooss wrote:
> With the output you gave I searched in D-Bus source how the
> LinuxSecurityLabel was computed here. I discovered a lot of files in dbus/
> directory which seem to duplicate things from bus/ I have described in my
> previous email. In dbus/dbus-sysdeps-unix.c there is a function which
calls
> "getsockopt (client_fd, SOL_SOCKET, SO_PEERSEC, ...)" in order to get this
> "system_u:system_r:systemd_machined_t:s0"
> (add_linux_security_label_to_credentials,
> https://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-
sysdeps-unix.c?h=dbus-> 1.10#n1760). This function queries the same kernel
API as libselinux's
> getpeercon_raw(), but without using libselinux (which is normal as it can
> also returns Smack or AppArmor labels). This is why the context is not
> translated.
>
> The documentation of GetConnectionCredentials->LinuxSecurityLabel is way
> better than the one of GetConnectionSELinuxSecurityContext in D-Bus
> specification (
> https://cgit.freedesktop.org/dbus/dbus/tree/doc/dbus-
specification.xml?h=dbu
> s-1.10#n6030) so if I were to decide, I would rather migrate systemd's
> bus_get_name_creds_dbus1() to GetConnectionCredentials (in
> https://github.com/systemd/systemd/blob/v232/src/
libsystemd/sd-bus/bus-contr
> ol.c#L865). However this implies some non-trivial systemd code
modifications
> and I do not know how systemd developers are willing to modify this part
of
> their code.
> An other option consists in making D-Bus use getpeercon_raw() in
> GetConnectionSELinuxSecurityContext (and documenting this in the D-Bus
> spec). I do not know what subtle side-effects such a change would have on
a
> system (a quick search of users of this interface on searchcode.com gave
> some Android-related projects).

Thanks for your suggestions.  I ran a VM of Fedora 24 with my policy to test
this.  Fedora 24 ran well with that and gave no such errors.  Fedora has
dbus
1.11.8 (development) and systemd 229 while Debian/Unstable has dbus 1.10.14
(stable) and systemd 332.

A did a diff on the Fedora 24 dbus source and the Debian dbus source and
didn't find anything that seemed to be related.  So I presume that it's more
related to systemd - which doesn't necessarily imply that changing systemd
is
the correct way to fix it.

I'll try rawhide now.


Fedora no longer runs mcstransd by default, so that may also be relevant.
Dbusd should likely provide the raw context to clients so that they are
free to use either the raw or translated interfaces without difficulty.


--
My Main Blog http://etbe.coker.com.au/
My Documents Bloghttp://doc.coker.com.au/

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
selinux-requ...@tycho.nsa.gov.
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: Another getcon() vs getcon_raw() issue in systemd

[Russell Coker]

On Monday, 26 December 2016 7:10:19 PM AEDT Nicolas Iooss wrote:
> With the output you gave I searched in D-Bus source how the
> LinuxSecurityLabel was computed here. I discovered a lot of files in dbus/
> directory which seem to duplicate things from bus/ I have described in my
> previous email. In dbus/dbus-sysdeps-unix.c there is a function which calls
> "getsockopt (client_fd, SOL_SOCKET, SO_PEERSEC, ...)" in order to get this
> "system_u:system_r:systemd_machined_t:s0"
> (add_linux_security_label_to_credentials,
> https://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c?h=dbus-> 
> 1.10#n1760). This function queries the same kernel API as libselinux's
> getpeercon_raw(), but without using libselinux (which is normal as it can
> also returns Smack or AppArmor labels). This is why the context is not
> translated.
> 
> The documentation of GetConnectionCredentials->LinuxSecurityLabel is way
> better than the one of GetConnectionSELinuxSecurityContext in D-Bus
> specification (
> https://cgit.freedesktop.org/dbus/dbus/tree/doc/dbus-specification.xml?h=dbu
> s-1.10#n6030) so if I were to decide, I would rather migrate systemd's
> bus_get_name_creds_dbus1() to GetConnectionCredentials (in
> https://github.com/systemd/systemd/blob/v232/src/libsystemd/sd-bus/bus-contr
> ol.c#L865). However this implies some non-trivial systemd code modifications
> and I do not know how systemd developers are willing to modify this part of
> their code.
> An other option consists in making D-Bus use getpeercon_raw() in
> GetConnectionSELinuxSecurityContext (and documenting this in the D-Bus
> spec). I do not know what subtle side-effects such a change would have on a
> system (a quick search of users of this interface on searchcode.com gave
> some Android-related projects).

Thanks for your suggestions.  I ran a VM of Fedora 24 with my policy to test 
this.  Fedora 24 ran well with that and gave no such errors.  Fedora has dbus 
1.11.8 (development) and systemd 229 while Debian/Unstable has dbus 1.10.14 
(stable) and systemd 332.

A did a diff on the Fedora 24 dbus source and the Debian dbus source and 
didn't find anything that seemed to be related.  So I presume that it's more 
related to systemd - which doesn't necessarily imply that changing systemd is 
the correct way to fix it.

I'll try rawhide now.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Bloghttp://doc.coker.com.au/

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.