Bug 12430 - selinux denial aborts
Summary: selinux denial aborts
Status: RESOLVED FIXED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Havoc Pennington
QA Contact: John (J5) Palmieri
 
Reported: 2007-09-14 15:06 UTC by Matthias Clasen
Modified: 2008-01-15 11:23 UTC (History)
0 users



Attachments
dbus-1.1.2-no-abort.patch (487 bytes, patch)
2007-09-14 15:07 UTC, Matthias Clasen

Description Matthias Clasen 2007-09-14 15:06:45 UTC
Here is a patch that Bill Nottingham recently put into the Fedora dbus package to stop the daemon from aborting on selinux denials.
Comment 1 Matthias Clasen 2007-09-14 15:07:32 UTC
Created attachment 11578 [details] [review]
dbus-1.1.2-no-abort.patch
Comment 2 Havoc Pennington 2007-09-14 15:10:52 UTC
See discussion on the list, there is a second abort in the same place that this potentially doesn't fix.
Comment 3 John (J5) Palmieri 2008-01-15 11:23:15 UTC
Committed with a reworked patch which only sets the error if no error has been set:

diff --git a/bus/bus.c b/bus/bus.c
index 99e4856..864e48b 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1180,27 +1180,23 @@ bus_context_check_security_policy (BusContext     *context,
 				    dbus_message_get_error_name (message),
 				    dest ? dest : DBUS_SERVICE_DBUS, error))
         {
+          if (error != NULL && !dbus_error_is_set (error))
+            {
+              dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+                              "An SELinux policy prevents this sender "
+                              "from sending this message to this recipient "
+                              "(rejected message had interface \"%s\" "
+                              "member \"%s\" error name \"%s\" destination \"%s\")",
+                              dbus_message_get_interface (message) ?
+                              dbus_message_get_interface (message) : "(unset)",
+                              dbus_message_get_member (message) ?
+                              dbus_message_get_member (message) : "(unset)",
+                              dbus_message_get_error_name (message) ?
+                              dbus_message_get_error_name (message) : "(unset)",
+                              dest ? dest : DBUS_SERVICE_DBUS);
+              _dbus_verbose ("SELinux security check denying send to service\n");
+            }
 
-	  if (dbus_error_is_set (error) &&
-	      dbus_error_has_name (error, DBUS_ERROR_NO_MEMORY))
-	    {
-	      return FALSE;
-	    }
-	  
-
-          dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                          "An SELinux policy prevents this sender "
-                          "from sending this message to this recipient "
-                          "(rejected message had interface \"%s\" "
-                          "member \"%s\" error name \"%s\" destination \"%s\")",
-                          dbus_message_get_interface (message) ?
-                          dbus_message_get_interface (message) : "(unset)",
-                          dbus_message_get_member (message) ?
-                          dbus_message_get_member (message) : "(unset)",
-                          dbus_message_get_error_name (message) ?
-                          dbus_message_get_error_name (message) : "(unset)",
-                          dest ? dest : DBUS_SERVICE_DBUS);
-          _dbus_verbose ("SELinux security check denying send to service\n");
           return FALSE;
         }
        
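Review bot: The `_dbus_verbose ("SELinux security check denying send to service\n");` call now sits inside the `if (error != NULL && !dbus_error_is_set (error))` guard, so a denial leaves no verbose trace when the caller passes a NULL error or when the SELinux check has already set one. The refusal itself is unaffected, since `return FALSE;` stays unconditional, but for a security decision the trace is worth keeping on every path: move the `_dbus_verbose` line below the guard's closing brace, directly before `return FALSE;`. The guard also deserves a one-line comment, for example `/* the SELinux check may already have set error (presumably out-of-memory); keep it and only fill in ACCESS_DENIED otherwise */`. bus_context_check_security_policy starts and ends outside this hunk, so how callers treat a pre-set error cannot be checked from here.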

