On Wed, 2015-07-08 at 20:58 +0200, David Herrmann wrote:
> Hi
>
> On Wed, Jul 8, 2015 at 8:39 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
> > On Wed, 2015-07-08 at 13:02 -0400, Josh Boyer wrote:
> > > On Wed, Jul 8, 2015 at 12:50 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > > > On Wed, 8 Jul 2015 10:32:53 -0400
> > > > Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > I just pushed this to git and started a build. It will be in rawhide
> > > > > tomorrow with the 4.2.0-0.rc1.git2.1 kernel. (I was waiting for rc1
> > > > > before adding it.)
> > > > >
> > > > > I did test both with and without kdbus=1 and both worked at least from
> > > > > a boot standpoint. The initramfs on an install lacks the kdbus
> > > > > module, so it needs to be rebuilt if one wishes to use kdbus.
> > > >
> > > > Seems to work here with the following issues/bugs/whatever:
> > > >
> > > > - cpu usage is really high, seems to mostly be firewalld doing
> > > >   something that generates audit messages and those spewing to the
> > > >   journal. This drives the load on my laptop up to 5-6 or so and cpu
> > > >   fans spinning.
> > >
> > > I noticed this as well.
>
> I assume this happens only with kdbus=1 (and is unrelated to other
> 4.2-rc1 changes)? Any details on this are highly welcome.
>
> > > > - selinux isn't happy with things:
> > > > Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc: denied { connectto } for pid=1086 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
> > > >
> > > > Where should we report bugs for this work?
>
> (kdbus related bugs should be reported against systemd for now. If
> it's a kernel oops, you might wanna prefer LKML and put us on CC).
>
> > > Hm, tough call. Perhaps against systemd unless it's a kernel oops? I
> > > would think systemd might need to set SELinux to permissive if it's
> > > booting in kdbus mode until kdbus works with SELinux upstream.
> >
> > File a bug with selinux-policy. Current policy allows:
> >
> > allow audisp_t system_dbusd_t : unix_stream_socket connectto ;
> >
> > But the thing on the other side of /run/dbus/system_bus_socket is no
> > longer system_dbus_t it is init_t...
> >
> > Is that actually pid=1 on the other side, or something else that we
> > should just get labeled correctly in policy?
>
> This is the system bus socket of dbus-daemon. If kdbus is enabled,
> it's not used by any systemd binary (they use kdbus directly). The
> only exception is systemd-bus-proxyd which provides this socket
> (replaces dbus-daemon) for backwards compatibility (proxy between
> dbus1 and kdbus). This socket, though, is created by pid1 via a
> .socket unit and bus-proxyd is socket activated.
>
> As I cannot parse this selinux error, I hope someone with selinux
> background can shed some light on this.

I thought I did explain what the AVC meant. In any case, looks like
/usr/bin/dbus-daemon is labeled system_u:object_r:dbusd_exec_t:s0

So can someone try:

chcon system_u:object_r:dbusd_exec_t:s0 /path/to/systemd-bus-proxyd

you'll then need to get systemd-bus-proxyd to re-exec. (either by root
or kill and have systemd restart, i dunno)

That will hopefully take care of this avc, at least...

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
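
The comparison discussed in the thread (the denied AVC against the quoted allow rule) can be done mechanically. The following Python is an added example, not part of the original messages: it parses the AVC record and the allow rule exactly as quoted above and reports which element of the rule fails to match. The function names are hypothetical, and the rule parser handles only the simple single-type form shown in the thread.

```python
import re

# AVC record and allow rule copied from the thread above.
AVC = ('Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc: denied '
       '{ connectto } for pid=1086 comm="sedispatch" '
       'path="/run/dbus/system_bus_socket" '
       'scontext=system_u:system_r:audisp_t:s0 '
       'tcontext=system_u:system_r:init_t:s0 '
       'tclass=unix_stream_socket permissive=0')
RULE = 'allow audisp_t system_dbusd_t : unix_stream_socket connectto ;'


def parse_avc(line):
    """Return the fields of a denied AVC record, or None if not a denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {k: v.strip('"') for k, v in pairs}
    fields['perms'] = set(m.group(1).split())
    # An SELinux context is user:role:type[:level]; the type is field 3.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def parse_allow(rule):
    """Parse 'allow SRC TGT : CLASS PERM... ;' (single types only)."""
    m = re.fullmatch(r'\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+'
                     r'\{?\s*([\w\s]+?)\s*\}?\s*;\s*', rule)
    if not m:
        raise ValueError('unsupported rule syntax: %r' % rule)
    return {'stype': m.group(1), 'ttype': m.group(2),
            'tclass': m.group(3), 'perms': set(m.group(4).split())}


def mismatches(avc_line, rule):
    """List which parts of the rule do not cover the denied access."""
    avc, allow = parse_avc(avc_line), parse_allow(rule)
    diff = [k for k in ('stype', 'ttype', 'tclass') if avc[k] != allow[k]]
    if avc['perms'] - allow['perms']:
        diff.append('perms')
    return diff


if __name__ == '__main__':
    avc, allow = parse_avc(AVC), parse_allow(RULE)
    for key in mismatches(AVC, RULE):
        print('%s: denial has %s, rule has %s' % (key, avc[key], allow[key]))
```

Only the target type differs: source type, class and permission all match the rule, which is why the thread turns to how the process behind the socket is labeled.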