Re: dbus daemon


 



On 01/30/2010 12:38 PM, Steve Blackwell wrote:
> I have been getting a lot of AVCs that are related to dbus. A quick check
> shows that I have 2 dbus daemons running.
> 
> $ ps aux | grep dbus
> dbus      1615  0.0  0.1  14160  1880 ?        Ssl  11:53   0:01 dbus-daemon --system
> gdm       2385  0.0  0.0   3312   580 ?        S    11:54   0:00 /usr/bin/dbus-launch --exit-with-session
> steve     2650  0.0  0.0   3312   576 ?        S    11:58   0:00 dbus-launch --sh-syntax --exit-with-session
> steve     2652  0.1  0.1  13528  1484 ?        Ssl  11:58   0:01 /bin/dbus-daemon --fork --print-pid 7 --print-address 9 --session
> steve     3154  0.0  0.0   4192   708 pts/0    S+   12:16   0:00 grep dbus
> 
> The one that is owned by dbus has a system_u:system_r:system_dbusd_t
> context.
> 
> The one that is owned by me has an unconfined_u:unconfined_r:unconfined_t
> context.
> 
> First question: should I really have 2 dbus-daemons?
> 
> One AVC says that the dbus daemon owned by dbus can't search
> unconfined_t. It was trying to search /proc/2963 which was the
> gpk-update-viewer which was running unconfined. (I'm running SELinux in
> permissive mode)
> 
> $ ps -efZ | grep 2964
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 steve 2963 1  3 12:05 ? 00:00:07 gpk-update-viewer
> 
> Second question: does dbus have any reason to look at gpk-update-viewer?
> 
> Clearly, it needs to record the fact that the system was updated but
> why does it need to check the update viewer for that?
> 
> Last question: how do I fix this? I don't have any modified or
> additional SELinux policies so I would have thought this would work
> "out-of-the-box".
> 
> Here is the raw audit message:
> 
> node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc: denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
> 
> $ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
> 
> $ rpm -qa | grep selinux
> libselinux-2.0.80-1.fc11.i586
> selinux-policy-targeted-3.6.12-93.fc11.noarch
> libselinux-utils-2.0.80-1.fc11.i586
> libselinux-devel-2.0.80-1.fc11.i586
> libselinux-python-2.0.80-1.fc11.i586
> selinux-policy-3.6.12-93.fc11.noarch
> 
> Thanks,
> Steve
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
This is allowed in the Rawhide and F12 policies.

Dbus is trying to read the /proc/PID/cmdline of the process that is communicating with it.  (I believe).

It is a bug in F11 policy that it is not allowed.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
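The raw AVC record quoted above carries everything needed to see what was denied and to whom: the permission in braces, the source and target contexts, the object class, and, because the target lives on `dev=proc` with a numeric `name`, the fact that this is a `/proc/<pid>` directory lookup of the kind the reply describes. The following is an added example, not code from the thread or from the SELinux tools, that parses such lines, groups a flood of denials by the type-enforcement rule each one would need, and flags the `/proc/PID` pattern. The sample lines are constructed from the one in the thread plus two invented variants (a second pid and an unrelated read denial).

```python
import re
from collections import Counter

# Constructed sample input: the AVC from the thread, joined onto one line, plus two
# invented variants (a different target pid, and an unrelated file read denial).
SAMPLE_LINES = [
    'node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc: denied { search } '
    'for pid=1615 comm="dbus-daemon" name="2963" dev=proc ino=17982 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir',
    'node=steve.blackwell type=AVC msg=audit(1264871150.001:140): avc: denied { search } '
    'for pid=1615 comm="dbus-daemon" name="3010" dev=proc ino=18200 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir',
    'node=steve.blackwell type=AVC msg=audit(1264871160.250:151): avc: denied { read } '
    'for pid=2652 comm="dbus-daemon" name="session.conf" dev=sda1 ino=4242 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
    }
    for key, val in _KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')  # drop quotes around comm="..." / name="..."
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def te_rule(rec):
    """The allow rule this denial would need, in the form audit2allow prints it."""
    return 'allow %s %s:%s { %s };' % (
        context_type(rec['scontext']),
        context_type(rec['tcontext']),
        rec['tclass'],
        ' '.join(rec['perms']),
    )


def is_proc_pid_lookup(rec):
    """True when the denied object is a /proc/<pid> directory being searched."""
    return (
        rec.get('dev') == 'proc'
        and rec.get('tclass') == 'dir'
        and rec.get('name', '').isdigit()
        and 'search' in rec['perms']
    )


def summarize(lines):
    """Count denials by the rule they need; many distinct pids collapse into one line."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            counts[te_rule(rec)] += 1
    return counts


if __name__ == '__main__':
    for rule, n in summarize(SAMPLE_LINES).most_common():
        print('%4d  %s' % (n, rule))
    first = parse_avc(SAMPLE_LINES[0])
    print('first record is a /proc/PID lookup:', is_proc_pid_lookup(first))
```

Before adding any rule, check whether the installed policy already grants it; `sesearch -A -s system_dbusd_t -t unconfined_t -c dir -p search` (from the setools package) will print the allow rule on a policy that has it, which is the quickest way to confirm the reply's point that newer policies permit this access and the F11 policy does not.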
