| Summary: | dbus enforces SELinux even if SELinux itself is in permissive mode | | |
|---|---|---|---|
| Product: | dbus | Reporter: | Laurent Bigonville <bigon> |
| Component: | core | Assignee: | Havoc Pennington <hp> |
| Status: | RESOLVED NOTOURBUG | QA Contact: | |
| Severity: | normal | | |
| Priority: | medium | | |
| Version: | 1.5 | | |
| Hardware: | Other | | |
| OS: | All | | |
| Whiteboard: | | | |
Description
Laurent Bigonville
2013-10-26 15:04:09 UTC
Just to be clear, I'm running Debian unstable and I tried with both dbus 1.6.16-1 and 1.7.6-2.

Hi,

After some discussion on #selinux, it seems that the problem is in libselinux (avc_has_perm() function) instead of dbus. Fedora has a patch[0] for this that looks trivial at first glance, but I'm waiting for some more feedback from selinux upstream.

I'll close this bug then.

Sorry for the noise.

[0] http://pkgs.fedoraproject.org/cgit/libselinux.git/tree/libselinux-rhat.patch#n704

Hello,

Alright, I'm reopening this bug as I have some more information here.

It seems that the avc_has_perm() behavior is different between Fedora and the upstream release of libselinux: in Fedora avc_has_perm() will return 0 in case of a denial if the machine is in permissive mode; this is not the case with the upstream version.

Looking at the discussion, upstream doesn't want the Fedora patch to be merged in the code base.

This means that d-bus should itself test if SELinux is in permissive mode or not.

Closing again (sorry).

FTR, this has been fixed in libselinux with the following commit:

commit 8b114a3bf25b7b818910cca77528de80cdb953f8
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 28 16:52:50 2013 -0400

    Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.

    If we get an EINVAL from security_compute_av* (indicates an invalid
    source or target security context, likely due to a policy reload that
    removed one or the other) and we are in permissive mode, then handle it
    like any other permission denial, i.e. log but do not deny it.

    Reported-by: Laurent Bigonville <bigon@debian.org>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
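The thread's point is that a -1 from avc_has_perm() is not by itself an enforced denial: before the libselinux fix, an EINVAL from security_compute_av (stale context after a policy reload) came back as -1 regardless of mode, and a caller that simply failed on -1 would enforce on a permissive box. The following is an added example, not dbus or libselinux code, showing how a caller can fold the enforcing state into the decision while still failing closed on errors it does not understand. The pure function `interpret_avc_result` is the part a verifier can run; the `check_with_avc` wrapper under `HAVE_LIBSELINUX` is the same logic fed by the real libselinux calls avc_has_perm() and security_getenforce() and is only compiled when that macro is defined. The choice of EACCES as the errno libselinux sets on an ordinary policy denial is taken from libselinux's avc_has_perm() behaviour; treat the exact set of errno values you map to "denial" as something to confirm against the libselinux version you link.

```c
/* Added example: interpreting avc_has_perm() results in a permissive-aware,
 * fail-closed way.  Not from dbus or libselinux. */
#include <errno.h>
#include <stdio.h>

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/*
 * rc        : return value of avc_has_perm() (0 = allowed, -1 = not allowed)
 * err       : errno observed right after a -1 return (0 when rc == 0)
 * enforcing : result of security_getenforce() (1 = enforcing, 0 = permissive)
 *
 * EACCES is the policy-denial errno; EINVAL is what the pre-fix libselinux
 * returned for an invalid source/target context even in permissive mode.
 * Both are treated as a denial that is only honoured when enforcing.
 * Any other failure is an internal error and is failed closed, because we
 * cannot tell whether policy would have allowed the request.
 */
enum verdict interpret_avc_result(int rc, int err, int enforcing)
{
    if (rc == 0)
        return VERDICT_ALLOW;

    if (err == EACCES || err == EINVAL) {
        if (enforcing)
            return VERDICT_DENY;
        /* permissive: log like the AVC does, but do not block the request */
        fprintf(stderr, "avc: would deny (errno=%d) but SELinux is permissive\n", err);
        return VERDICT_ALLOW;
    }

    /* ENOMEM, EINTR, anything unexpected: fail closed */
    return VERDICT_DENY;
}

#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#include <selinux/avc.h>

/* Real call site (assumed names for the caller's own variables). */
enum verdict check_with_avc(security_id_t ssid, security_id_t tsid,
                            security_class_t tclass, access_vector_t requested,
                            struct avc_entry_ref *aeref, void *auditdata)
{
    int rc = avc_has_perm(ssid, tsid, tclass, requested, aeref, auditdata);
    int err = (rc == 0) ? 0 : errno;

    /* security_getenforce() returns -1 on error: cannot tell the mode, fail closed */
    int enforcing = security_getenforce();
    if (enforcing < 0)
        return VERDICT_DENY;

    return interpret_avc_result(rc, err, enforcing);
}
#endif

int main(void)
{
    /* constructed inputs: a stale-context EINVAL on a permissive host */
    enum verdict v = interpret_avc_result(-1, EINVAL, 0);
    printf("EINVAL in permissive mode -> %s\n",
           v == VERDICT_ALLOW ? "allow" : "deny");
    return 0;
}
```

Note the asymmetry: the permissive check only downgrades the two errno values that the page identifies as denials. Widening it to "allow on any -1 when permissive" would also swallow genuine library failures, which is the opposite of what a message bus should do.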