On Mon, Dec 26, 2016 at 11:33 AM, Russell Coker <[email protected]> wrote:
> On Saturday, 17 December 2016 12:15:45 AM AEDT Nicolas Iooss wrote:
> > On Fri, Dec 16, 2016 at 1:33 PM, Russell Coker <[email protected]> wrote:
> > > http://selinux.tycho.nsa.narkive.com/cZUV3wmW/selinux-set-callback-problem
> > >
> > > The above URL has the archive of the last time I raised an issue like
> > > this. Thanks to Nicolas Iooss for pointing out the solution.
> > >
> > > type=USER_AVC msg=audit(1481891298.695:687055): pid=1 uid=0 auid=4294967295
> > > ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status }
> > > for auid=n/a uid=0 gid=0 cmdline="/lib/systemd/systemd-machined"
> > > scontext=system_u:system_r:systemd_machined_t:SystemLow
> > > tcontext=system_u:system_r:init_t:s0 tclass=system exe="/lib/systemd/systemd"
> > > sauid=0 hostname=? addr=? terminal=?'
> > >
> > > Now in Debian/Unstable we have a similar issue with systemd 232-7 giving
> > > audit.log entries like the above.
> >
> > [...]
> >
> > dbus-send --system --print-reply --dest=org.freedesktop.DBus
> > /org/freedesktop/DBus
> > org.freedesktop.DBus.GetConnectionSELinuxSecurityContext
> > 'string:org.freedesktop.machine1'
>
> Below is the output, looks like your analysis is correct.
>
> method return time=1482748196.242707 sender=org.freedesktop.DBus ->
> destination=:1.1301 serial=3 reply_serial=2
>    array of bytes "system_u:system_r:systemd_machined_t:SystemLow"
>
> > DBus specification is quite strange about the method: "Returns the
> > security context used by SELinux, in an unspecified format. If you know
> > what this means, please contribute documentation via the D-Bus bug
> > tracking system."
>
> Strange, something for someone here to look into I guess.
>
> > [7]. It seems GetConnectionCredentials should be preferred. In order to
> > see whether modifying systemd code would be enough to fix this, or
> > whether it is a bug in the D-Bus interfaces, what does this command
> > return on your system?
> >
> > dbus-send --system --print-reply --dest=org.freedesktop.DBus
> > /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionCredentials
> > 'string:org.freedesktop.machine1'
>
> Here's the result, does it indicate that D-Bus or systemd should be
> changed?
>
> method return time=1482748196.247091 sender=org.freedesktop.DBus ->
> destination=:1.1302 serial=3 reply_serial=2
>    array [
>       dict entry(
>          string "ProcessID"
>          variant             uint32 1123
>       )
>       dict entry(
>          string "UnixUserID"
>          variant             uint32 0
>       )
>       dict entry(
>          string "LinuxSecurityLabel"
>          variant             array of bytes
>             "system_u:system_r:systemd_machined_t:s0" + \0
>       )
>    ]
>
> Thanks for your help. I hope to get this fixed before the next release of
> Debian is frozen...

With the output you gave, I searched the D-Bus source for how the LinuxSecurityLabel is computed here. I discovered a lot of files in the dbus/ directory which seem to duplicate things from bus/ that I described in my previous email. In dbus/dbus-sysdeps-unix.c there is a function which calls "getsockopt (client_fd, SOL_SOCKET, SO_PEERSEC, ...)" in order to get this "system_u:system_r:systemd_machined_t:s0" (add_linux_security_label_to_credentials, https://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c?h=dbus-1.10#n1760). This function queries the same kernel API as libselinux's getpeercon_raw(), but without using libselinux (which is normal, as it can also return Smack or AppArmor labels). This is why the context is not translated.

The documentation of GetConnectionCredentials->LinuxSecurityLabel is way better than that of GetConnectionSELinuxSecurityContext in the D-Bus specification (https://cgit.freedesktop.org/dbus/dbus/tree/doc/dbus-specification.xml?h=dbus-1.10#n6030), so if I were to decide, I would rather migrate systemd's bus_get_name_creds_dbus1() to GetConnectionCredentials (in https://github.com/systemd/systemd/blob/v232/src/libsystemd/sd-bus/bus-control.c#L865). However, this implies some non-trivial systemd code modifications and I do not know how willing systemd developers are to modify this part of their code. Another option consists of making D-Bus use getpeercon_raw() in GetConnectionSELinuxSecurityContext (and documenting this in the D-Bus spec). I do not know what subtle side-effects such a change would have on a system (a quick search for users of this interface on searchcode.com gave some Android-related projects).

Cheers,
Nicolas
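Added example, not code from the thread, D-Bus or systemd: a small Python check that decodes the `LinuxSecurityLabel` byte array (with its mandatory trailing NUL) and tells a kernel-form ("raw") MLS range such as `s0` apart from an mcstrans-translated one such as `SystemLow`, which is the mismatch the two `dbus-send` replies above exhibit. The function names and the `Context` type are hypothetical; the contexts used in the usage note are the ones quoted in the thread.

```python
import re
from typing import NamedTuple, Optional

# Kernel ("raw") MLS/MCS range syntax: sN[:cA[.cB][,cC...]][-sM[:...]],
# e.g. "s0" or "s0-s0:c0.c1023". A translated range (mcstransd, as
# returned by libselinux getpeercon()) uses aliases such as "SystemLow".
_CATS = r"c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*"
_LEVEL = rf"s\d+(?::{_CATS})?"
_RAW_RANGE = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")

class Context(NamedTuple):
    user: str
    role: str
    type: str
    range: Optional[str]  # None on a policy without MLS/MCS

def decode_linux_security_label(raw: bytes) -> str:
    """Decode the LinuxSecurityLabel byte array of GetConnectionCredentials.
    The spec mandates a trailing NUL (the '+ \\0' in dbus-send's output):
    strip exactly one and reject embedded NULs."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    if b"\0" in raw:
        raise ValueError("embedded NUL in security label")
    return raw.decode("ascii")

def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]; the range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)

def is_raw_range(rng: Optional[str]) -> bool:
    """True for kernel form (what SO_PEERSEC and getpeercon_raw() return),
    False for an mcstrans-translated range such as SystemLow."""
    return rng is None or _RAW_RANGE.match(rng) is not None

def compare_labels(selinux_ctx: str, creds_label: bytes) -> dict:
    """Compare the GetConnectionSELinuxSecurityContext string with the
    LinuxSecurityLabel from GetConnectionCredentials for the same peer."""
    a = parse_context(selinux_ctx)
    b = parse_context(decode_linux_security_label(creds_label))
    return {"same_type": a[:3] == b[:3],          # user/role/type agree?
            "selinux_ctx_raw": is_raw_range(a.range),
            "creds_label_raw": is_raw_range(b.range)}
```

Run on the two replies quoted above, `compare_labels("system_u:system_r:systemd_machined_t:SystemLow", b"system_u:system_r:systemd_machined_t:s0\0")` reports the same user/role/type with only the credentials label in raw form, i.e. the difference is purely the MLS translation layer.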
_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
