From f9ab52ef863d14e05682e3784c8385aaf745c19b Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Tue, 17 Nov 2015 21:47:05 +0100
Subject: [PATCH] Initialize SELinux and Apparmor after capabilities are set

avc_init() in the SELinux code path is creating a new thread, we need to set to capabilities before it gets created so it has the permission to send audit messages. It also make more sense to open the audit netlink before the different logging callbacks are set.
---
 bus/bus.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/bus/bus.c b/bus/bus.c
index 128ae3c..0402993 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -931,6 +931,20 @@ bus_context_new (const DBusString *config_file,
 !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
 _dbus_pipe_close (print_pid_pipe, NULL);

+ /* Here we change our credentials if required,
+ * as soon as we've set up our sockets and pidfile
+ */
+ if (context->user != NULL)
+ {
+ if (!_dbus_change_to_daemon_user (context->user, error))
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ goto failed;
+ }
+ }
+
+ bus_audit_init (context);
+
 if (!bus_selinux_full_init ())
 {
 bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
@@ -962,20 +976,6 @@ bus_context_new (const DBusString *config_file,
 parser = NULL;
 }

- /* Here we change our credentials if required,
- * as soon as we've set up our sockets and pidfile
- */
- if (context->user != NULL)
- {
- if (!_dbus_change_to_daemon_user (context->user, error))
- {
- _DBUS_ASSERT_ERROR_IS_SET (error);
- goto failed;
- }
- }
-
- bus_audit_init (context);
-
 dbus_server_free_data_slot (&server_data_slot);

 return context;
--
2.6.2
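Review bot: The ordering constraint introduced by the first hunk in bus_context_new() is not recorded in the code. The moved comment still says only that credentials change once sockets and pidfile are set up, while the reason the block must now come before bus_selinux_full_init() exists only in the commit message. I would extend the comment with something like `Must run before bus_selinux_full_init(): avc_init() starts a thread that needs the capabilities set here to send audit messages.` so a later refactor does not move the block back. Separately, the code between this point and the old location removed by the second hunk now appears to run as context->user rather than the starting user; most of it is outside the visible hunks, so it is worth confirming that the SELinux/AppArmor initialisation and the steps after it need no privilege the daemon user lacks. The body of bus_context_new() starts and ends outside both hunks.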