Re: kdbus and Fedora

Hi

On Wed, Jul 8, 2015 at 8:39 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
> On Wed, 2015-07-08 at 13:02 -0400, Josh Boyer wrote:
>> On Wed, Jul 8, 2015 at 12:50 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> > On Wed, 8 Jul 2015 10:32:53 -0400
>> > Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
>> >
>> > > I just pushed this to git and started a build.  It will be in rawhide
>> > > tomorrow with the 4.2.0-0.rc1.git2.1 kernel.  (I was waiting for rc1
>> > > before adding it.)
>> > >
>> > > I did test both with and without kdbus=1 and both worked at least from
>> > > a boot standpoint.  The initramfs on an install lacks the kdbus
>> > > module, so it needs to be rebuilt if one wishes to use kdbus.
>> >
>> > Seems to work here with the following issues/bugs/whatever:
>> >
>> > - cpu usage is really high, seems to mostly be firewalld doing
>> >   something that generates audit messages and those spewing to the
>> >   journal. This drives the load on my laptop up to 5-6 or so and cpu
>> >   fans spinning.
>>
>> I noticed this as well.

I assume this happens only with kdbus=1 (and is unrelated to other
4.2-rc1 changes)? Any details on this are highly welcome.

>> > - selinux isn't happy with things:
>> > Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc:  denied
>> > { connectto } for  pid=1086 comm="sedispatch"
>> > path="/run/dbus/system_bus_socket"
>> > scontext=system_u:system_r:audisp_t:s0
>> > tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>> > permissive=0
>> >
>> > Where should we report bugs for this work?

(kdbus related bugs should be reported against systemd for now. If
it's a kernel oops, you might wanna prefer LKML and put us on CC).

>> Hm, tough call.  Perhaps against systemd unless it's a kernel oops?  I
>> would think systemd might need to set SELinux to permissive if it's
>> booting in kdbus mode until kdbus works with SELinux upstream.
>
> File a bug with selinux-policy. Current policy allows:
>
>    allow audisp_t system_dbusd_t : unix_stream_socket connectto ;
>
> But the thing on the other side of /run/dbus/system_bus_socket is no
> longer system_dbus_t   it is init_t...
>
> Is that actually pid=1 on the other side, or something else that we
> should just get labeled correctly in policy?

This is the system bus socket of dbus-daemon. If kdbus is enabled,
it's not used by any systemd binary (they use kdbus directly). The
only exception is systemd-bus-proxyd which provides this socket
(replaces dbus-daemon) for backwards compatibility (proxy between
dbus1 and kdbus). This socket, though, is created by pid1 via a
.socket unit and bus-proxyd is socket activated.

As I cannot parse this selinux error, I hope someone with selinux
background can shed some light on this.

Thanks
David
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
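
The denial discussed in this thread, worked through as an added example (not part of the original message and not code from systemd or selinux-policy): it parses the AVC record quoted above and compares it field by field with the allow rule quoted above. The function names are hypothetical; both input strings are copied from the thread.

```python
import re

# Both strings are copied from the thread (the AVC record joined onto one line).
AVC = ('audit[1086]: AVC avc:  denied  { connectto } for  pid=1086 '
       'comm="sedispatch" path="/run/dbus/system_bus_socket" '
       'scontext=system_u:system_r:audisp_t:s0 '
       'tcontext=system_u:system_r:init_t:s0 '
       'tclass=unix_stream_socket permissive=0')
RULE = "allow audisp_t system_dbusd_t : unix_stream_socket connectto ;"

def parse_avc(line):
    """Extract source type, target type, class and permissions from a denial."""
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not denied:
        raise ValueError("not an AVC denial record")
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:level, so the type is the third field.
    return {"source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "perms": set(denied.group(1).split())}

def parse_allow(rule):
    """Parse one 'allow source target : class perms ;' rule."""
    m = re.match(r"\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+"
                 r"(?:\{([^}]*)\}|(\w+))\s*;", rule)
    if not m:
        raise ValueError("not an allow rule")
    return {"source": m.group(1), "target": m.group(2), "tclass": m.group(3),
            "perms": set((m.group(4) or m.group(5)).split())}

def mismatches(avc, rule):
    """Names of the fields in which the rule fails to cover the denial."""
    diff = [k for k in ("source", "target", "tclass") if avc[k] != rule[k]]
    if not avc["perms"] <= rule["perms"]:
        diff.append("perms")
    return diff

if __name__ == "__main__":
    avc, rule = parse_avc(AVC), parse_allow(RULE)
    for field in mismatches(avc, rule):
        print(f"{field}: denial has {avc[field]}, rule allows {rule[field]}")
```

The only differing field is the target type: the peer behind /run/dbus/system_bus_socket carries init_t rather than system_dbusd_t, which is consistent with the explanation above that pid1 creates the socket through a .socket unit.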



