Bug 70894

Summary: dbus enforces SELinux even if SELinux itself is in permissive mode
Product: dbus    Reporter: Laurent Bigonville <bigon>
Component: core    Assignee: Havoc Pennington <hp>
Severity: normal    
Priority: medium    
Version: 1.5   
Hardware: Other   
OS: All   

Description Laurent Bigonville 2013-10-26 15:04:09 UTC

With SELinux enabled on my machine and set in permissive mode, it seems that dbus is rejecting some of the messages:

Error getting authority: Error initializing authority: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

I'm seeing this error when trying to authenticate using policykit. This results in policykit denying me the permission:

Oct 26 16:43:45 soldur polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session2 FAILED to authenticate to gain authorization for action org.gnome.controlcenter.datetime.configure for unix-process:4683:114540 [gnome-control-center --overview] (owned by unix-user:bigon)

Downstream bug:
Comment 1 Laurent Bigonville 2013-10-26 15:32:21 UTC
Just to be clear, I'm running Debian unstable and I tried with both dbus 1.6.16-1 and 1.7.6-2
Comment 2 Laurent Bigonville 2013-10-26 21:21:27 UTC

After some discussion on #selinux, it seems that the problem is in
libselinux (avc_has_perm() function) instead of dbus.

Fedora has a patch[0] for this that looks trivial at first glance, but
I'm waiting for some more feedback from selinux upstream.

I'll close this bug then

Sorry for the noise

[0] http://pkgs.fedoraproject.org/cgit/libselinux.git/tree/libselinux-rhat.patch#n704
Comment 3 Laurent Bigonville 2013-10-28 13:22:42 UTC

Alright, I'm reopening this bug as I have some more information here.

It seems that the avc_has_perm() behavior is different between Fedora and the upstream release of libselinux: in Fedora, avc_has_perm() will return 0 in case of a denial if the machine is in permissive mode; this is not the case with the upstream version.

Looking at the discussion, upstream doesn't want the Fedora patch to be merged in the code base. This means that d-bus should itself test if SELinux is in permissive mode or not.
Comment 4 Laurent Bigonville 2013-10-30 15:06:04 UTC
Closing again (sorry)

FTR, this has been fixed in libselinux with the following commit:

commit 8b114a3bf25b7b818910cca77528de80cdb953f8
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 28 16:52:50 2013 -0400

    Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
    If we get an EINVAL from security_compute_av* (indicates an invalid
    source or target security context, likely due to a policy reload that
    removed one or the other) and we are in permissive mode, then handle it
    like any other permission denial, i.e. log but do not deny it.
    Reported-by: Laurent Bigonville <bigon@debian.org>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
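To make the fix in the commit above concrete, here is an added example (not code from the libselinux or dbus projects) that models the avc_has_perm() decision before and after the commit, together with the bus-daemon-style caller that turns a non-zero return into the AccessDenied error seen in the report. The real avc_has_perm() obtains the kernel's answer through security_compute_av(); in this model the kernel outcome and the enforcing mode are plain parameters so the whole decision table can be run offline. The enum, the two model functions and bus_allows_message are names invented for this example; only the rule they encode (EINVAL treated like a denial, hence logged but allowed in permissive mode, while other errors still fail) comes from the commit message.

```c
/*
 * Added example, not project code: a model of libselinux avc_has_perm()
 * before and after commit 8b114a3b, and of a bus daemon consuming it.
 * All identifiers here are invented for the illustration.
 */
#include <errno.h>
#include <stdio.h>

/* Modelled outcome of security_compute_av() inside avc_has_perm(). */
enum compute_result {
    COMPUTE_ALLOWED,  /* policy grants the permission */
    COMPUTE_DENIED,   /* policy denies it: audit record, EACCES */
    COMPUTE_EINVAL,   /* invalid source or target context, e.g. after a policy reload */
    COMPUTE_OTHER     /* any other failure talking to the kernel */
};

/* Pre-fix behaviour: only a genuine policy denial consults the enforcing
 * mode; an EINVAL from the kernel is returned as -1 unconditionally, so the
 * caller denies even though the machine is permissive. */
static int model_avc_has_perm_old(enum compute_result rc, int enforcing)
{
    switch (rc) {
    case COMPUTE_ALLOWED:
        return 0;
    case COMPUTE_DENIED:
        errno = EACCES;
        return enforcing ? -1 : 0;   /* permissive: audit only */
    case COMPUTE_EINVAL:
        errno = EINVAL;
        return -1;                   /* the bug reported here */
    default:
        errno = EIO;
        return -1;
    }
}

/* Post-fix behaviour: EINVAL is handled like any other permission denial,
 * i.e. logged and, in permissive mode, allowed. Other errors still fail. */
static int model_avc_has_perm_new(enum compute_result rc, int enforcing)
{
    switch (rc) {
    case COMPUTE_ALLOWED:
        return 0;
    case COMPUTE_DENIED:
        errno = EACCES;
        return enforcing ? -1 : 0;
    case COMPUTE_EINVAL:
        errno = EINVAL;
        return enforcing ? -1 : 0;   /* fixed: deny only when enforcing */
    default:
        errno = EIO;
        return -1;
    }
}

typedef int (*avc_fn)(enum compute_result, int);

/* Bus-daemon-style check: any non-zero result from the AVC means the message
 * is rejected with an AccessDenied error. Returns 1 if the message may pass. */
static int bus_allows_message(avc_fn avc, enum compute_result rc, int enforcing)
{
    if (avc(rc, enforcing) < 0) {
        fprintf(stderr, "AccessDenied (errno=%d, enforcing=%d)\n", errno, enforcing);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Permissive mode, stale context after a policy reload: the old code
     * denies the Hello call, the fixed code lets it through. */
    printf("old, permissive, EINVAL: %s\n",
           bus_allows_message(model_avc_has_perm_old, COMPUTE_EINVAL, 0) ? "allowed" : "denied");
    printf("new, permissive, EINVAL: %s\n",
           bus_allows_message(model_avc_has_perm_new, COMPUTE_EINVAL, 0) ? "allowed" : "denied");
    printf("new, enforcing,  EINVAL: %s\n",
           bus_allows_message(model_avc_has_perm_new, COMPUTE_EINVAL, 1) ? "allowed" : "denied");
    return 0;
}
```

The point to take from the table is that permissive mode only downgrades decisions that the AVC classifies as denials; an error the AVC does not classify that way (the default branch) still fails the call in both versions, so a daemon that maps every -1 to AccessDenied will still reject traffic on such errors regardless of the enforcing mode.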
