From 830acf4eba561c1a6a403cd2fb4775a71d86576d Mon Sep 17 00:00:00 2001 From: Laurent Bigonville Date: Mon, 15 Sep 2014 11:03:25 +0200 Subject: [PATCH 1/2] Initialize audit subsystem even for the session bus If SELinux is enabled on the system, dbus will check the permissions but no audit trails will be generated in case of denial as the audit subsystem is not initialized. Same should apply for apparmor. A unprivileged user should be able to open the audit socket (audit_open()) but should not have the permissions to log an audit trail. The CAP_AUDIT_WRITE file capability should be set on the dbus-daemon executable in order to allow the session bus to log an AVC denial. https://bugs.freedesktop.org/show_bug.cgi?id=83856
---
 bus/bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bus/bus.c b/bus/bus.c
index 1aa893b..10ba9dc 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -971,6 +971,7 @@ bus_context_new (const DBusString *config_file,
 _DBUS_ASSERT_ERROR_IS_SET (error);
 goto failed;
 }
+ }
 #ifdef HAVE_SELINUX
 /* FIXME - why not just put this in full_init() below? */
@@ -979,7 +980,6 @@ bus_context_new (const DBusString *config_file,
 #ifdef HAVE_APPARMOR
 bus_apparmor_audit_init ();
 #endif
- }
 dbus_server_free_data_slot (&server_data_slot);
--
2.1.4
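Review bot: With the closing brace moved up in the first hunk, the audit init calls (`bus_apparmor_audit_init ()` visible in the second hunk, and presumably the SELinux one under the FIXME) now run for the session bus as well, per the description, but they are plain statements with no result checked. A bus without CAP_AUDIT_WRITE would therefore presumably keep enforcing policy while silently dropping the denial records. The surviving `/* FIXME - why not just put this in full_init() below? */` says nothing about this; I would add next to it `/* Audit init runs for every bus type; without CAP_AUDIT_WRITE denials are still enforced but may not be logged. */`. The description's advice to set the file capability on the dbus-daemon executable also belongs in the install documentation, with the caveat that a file capability applies to every user able to execute the binary, so any local user could then have audit records written through it. bus_context_new starts and ends outside both hunks, so neither the enclosing condition nor the indentation of the moved calls can be checked from here.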