Bug 70894 - dbus enforces SELinux even if SELinux itself is in permissive mode
Status: RESOLVED NOTOURBUG
Alias: None
Product: dbus
Classification: Unclassified
Component: core
Version: 1.5
Hardware: Other All
Importance: medium normal
Assignee: Havoc Pennington
Reported: 2013-10-26 15:04 UTC by Laurent Bigonville
Modified: 2013-10-30 15:06 UTC

Description Laurent Bigonville 2013-10-26 15:04:09 UTC
Hi,

With SELinux enabled on my machine and set in permissive mode, it seems that dbus is rejecting some of the messages:

Error getting authority: Error initializing authority: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

I'm seeing this error when trying to authenticate using policykit. This results in policykit denying me the permission:

Oct 26 16:43:45 soldur polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session2 FAILED to authenticate to gain authorization for action org.gnome.controlcenter.datetime.configure for unix-process:4683:114540 [gnome-control-center --overview] (owned by unix-user:bigon)

Downstream bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727766
Comment 1 Laurent Bigonville 2013-10-26 15:32:21 UTC
Just to be clear, I'm running debian unstable and I tried with both dbus 1.6.16-1 and 1.7.6-2
Comment 2 Laurent Bigonville 2013-10-26 21:21:27 UTC
Hi,

After some discussion on #selinux, it seems that the problem is in
libselinux (avc_has_perm() function) instead of dbus.

Fedora has a patch[0] for this that looks trivial at first glance, but
I'm waiting for some more feedback from selinux upstream.

I'll close this bug then

Sorry for the noise

[0] http://pkgs.fedoraproject.org/cgit/libselinux.git/tree/libselinux-rhat.patch#n704
Comment 3 Laurent Bigonville 2013-10-28 13:22:42 UTC
Hello,

Alright, I'm reopening this bug as I have some more information here.

It seems that the avc_has_perm() behavior is different between Fedora and the upstream release of libselinux: in Fedora, avc_has_perm() will return 0 in case of a denial if the machine is in permissive mode; this is not the case with the upstream version.

Looking at the discussion, upstream doesn't want the Fedora patch to be merged into the code base. This means that d-bus should itself test if SELinux is in permissive mode or not.
Comment 4 Laurent Bigonville 2013-10-30 15:06:04 UTC
Closing again (sorry)

FTR, this has been fixed in libselinux with the following commit:

commit 8b114a3bf25b7b818910cca77528de80cdb953f8
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 28 16:52:50 2013 -0400

    Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
    
    If we get an EINVAL from security_compute_av* (indicates an invalid
    source or target security context, likely due to a policy reload that
    removed one or the other) and we are in permissive mode, then handle it
    like any other permission denial, i.e. log but do not deny it.
    
    Reported-by: Laurent Bigonville <bigon@debian.org>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
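
The behaviour change described in the commit message above, as an added example that is not part of the original report and is not libselinux source. It is a simplified model: `model_avc`, `model_compute_av` and `model_has_perm` are hypothetical names, and the permission bit is constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model, not libselinux source; every name here is hypothetical. */
struct model_avc { int enforcing; int logged; };

/* Stand-in for security_compute_av*(): EINVAL when a context is invalid,
 * e.g. after a policy reload removed it. */
static int model_compute_av(int contexts_valid, unsigned policy, unsigned *allowed)
{
    if (!contexts_valid) { errno = EINVAL; return -1; }
    *allowed = policy;
    return 0;
}

/* fixed == 0: behaviour reported in this bug; fixed == 1: after the commit. */
static int model_has_perm(struct model_avc *avc, int contexts_valid,
                          unsigned policy, unsigned requested, int fixed)
{
    unsigned allowed = 0;

    if (model_compute_av(contexts_valid, policy, &allowed) < 0) {
        if (!fixed || errno != EINVAL || avc->enforcing)
            return -1;          /* lookup error surfaces as a denial */
        allowed = 0;            /* permissive: treat as an ordinary denial */
    }
    if ((requested & ~allowed) == 0)
        return 0;               /* granted by policy */
    avc->logged++;              /* a denial is logged in both modes */
    if (avc->enforcing) { errno = EACCES; return -1; }
    return 0;                   /* permissive: log but do not deny */
}

int main(void)
{
    struct model_avc permissive = { 0, 0 }, enforcing = { 1, 0 };
    const unsigned SEND_MSG = 1u;   /* constructed permission bit */

    printf("permissive, invalid context, pre-fix : %d\n",
           model_has_perm(&permissive, 0, 0, SEND_MSG, 0));
    printf("permissive, invalid context, fixed   : %d\n",
           model_has_perm(&permissive, 0, 0, SEND_MSG, 1));
    printf("enforcing,  invalid context, fixed   : %d\n",
           model_has_perm(&enforcing, 0, 0, SEND_MSG, 1));
    printf("denials logged in permissive mode    : %d\n", permissive.logged);
    return 0;
}
```

A caller that treats any non-zero return as a denial, as the dbus error in the description shows, ends up enforcing in permissive mode in the pre-fix case even though it never checks the mode itself.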

