| Summary: | Denials when SELinux is permissive and dbus has invalid domain. | ||
|---|---|---|---|
| Product: | dbus | Reporter: | Marshall Miller <mmiller> |
| Component: | core | Assignee: | Havoc Pennington <hp> |
| Status: | RESOLVED FIXED | QA Contact: | John (J5) Palmieri <johnp> |
| Severity: | normal | ||
| Priority: | medium | CC: | calebcase, walters |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux (All) | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | verify enforcing mode before denying access | ||
|
Description
Marshall Miller
2009-04-06 12:03:22 UTC
Hmmm. Shouldn't this be in libselinux in some form? Are similar patches being made for X and other userspace programs? To elaborate on my concern a bit, I think what we really want here is that the policy does not break, rather than expand the meaning of "enforcing" to also include coping with invalid state. For the first situation you mentioned it's an instance of the very common case of the base OS configuration not matching the SELinux policy. There are an infinite number of these kinds of situations. The right way to fix them is to work harder to avoid getting in them in the first place, using e.g. regression tests. As for single user mode, I'd say this is a case where you'd want identical behavior from the kernel AVC and all libselinux-based userspace programs as well, not a dbus-specific patch. c.f. thread here http://marc.info/?l=selinux&m=123979801918475&w=2 Stephen says this should be changed in libselinux or kernel if anywhere, so closing here. (In reply to comment #3) > c.f. thread here http://marc.info/?l=selinux&m=123979801918475&w=2 > > Stephen says this should be changed in libselinux or kernel if anywhere, so > closing here. > The thread recommends that DBUS at least report the correct error in the logs based on the errno. It would have made debugging the problem we found significantly easier if this was applied. Patch from Eamon Walsh: FWIW, the following patch to D-Bus should help: bfo21072 - Log SELinux denials better by checking errno for the cause Note that this does not fully address the bug report since EINVAL can still be returned in permissive mode. However the log messages will now reflect the proper cause of the denial. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> diff --git a/bus/selinux.c b/bus/selinux.c index c0f6f4d..46a18a9 100644 --- a/bus/selinux.c +++ b/bus/selinux.c @@ -433,8 +433,18 @@ bus_selinux_check (BusSELinuxID *sender_sid, SELINUX_SID_FROM_BUS (bus_sid), target_class, requested, &aeref, auxdata) < 0) { - _dbus_verbose ("SELinux denying due to security policy.\n"); - return FALSE; + switch (errno) + { + case EACCES: + _dbus_verbose ("SELinux denying due to security policy.\n"); + return FALSE; + case EINVAL: + _dbus_verbose ("SELinux denying due to invalid security context.\n"); + return FALSE; + default: + _dbus_verbose ("SELinux denying due to: %s\n", _dbus_strerror (errno)); + return FALSE; + } } else return TRUE; Applied. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.