On Mon, Dec 26, 2016 at 11:33 AM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
Below is the output; looks like your analysis is correct.

On Saturday, 17 December 2016 12:15:45 AM AEDT Nicolas Iooss wrote:
> On Fri, Dec 16, 2016 at 1:33 PM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> > http://selinux.tycho.nsa.narkive.com/cZUV3wmW/selinux-set-callback-problem
> >
> > The above URL has the archive of the last time I raised an issue like
> > this.
> > Thanks to Nicolas Iooss for pointing out the solution.
> >
> > type=USER_AVC msg=audit(1481891298.695:687055): pid=1 uid=0
> > auid=4294967295
> > ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied {
> > status }
> > for auid=n/a uid=0 gid=0 cmdline="/lib/systemd/systemd-machined"
> > scontext=system_u:system_r:systemd_machined_t:SystemLow
> > tcontext=system_u:system_r:init_t:s0 tclass=system
> > exe="/lib/systemd/systemd"
> > sauid=0 hostname=? addr=? terminal=?'
> >
> > Now in Debian/Unstable we have a similar issue with systemd 232-7 giving
> > audit.log entries like the above.
>
> [...]
>
> dbus-send --system --print-reply --dest=org.freedesktop.DBus
> /org/freedesktop/DBus
> org.freedesktop.DBus.GetConnectionSELinuxSecurityContext
> 'string:org.freedesktop.machine1'
method return time=1482748196.242707 sender=org.freedesktop.DBus ->
destination=:1.1301 serial=3 reply_serial=2
array of bytes "system_u:system_r:systemd_machined_t:SystemLow"
> DBus specification is quite strange about the method: "Returns the security
> context used by SELinux, in an unspecified format. If you know what this
> means, please contribute documentation via the D-Bus bug tracking system."
Strange, something for someone here to look into I guess.
> [7]. It seems GetConnectionCredentials should be preferred. In order to see
> whether modifying systemd code would be enough to fix this, or whether it
> is a bug in the D-Bus interfaces, what does this command return on your
> system?
>
> dbus-send --system --print-reply --dest=org.freedesktop.DBus
> /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionCredentials
> 'string:org.freedesktop.machine1'
Here's the result, does it indicate that D-Bus or systemd should be changed?
method return time=1482748196.247091 sender=org.freedesktop.DBus ->
destination=:1.1302 serial=3 reply_serial=2
array [
dict entry(
string "ProcessID"
variant uint32 1123
)
dict entry(
string "UnixUserID"
variant uint32 0
)
dict entry(
string "LinuxSecurityLabel"
variant array of bytes
"system_u:system_r:systemd_machined_t:s0" + \0
)
]
Thanks for your help. I hope to get this fixed before the next release of
Debian is frozen...
With the output you gave I searched in the D-Bus source for how the LinuxSecurityLabel was computed here. I discovered a lot of files in the dbus/ directory which seem to duplicate things from bus/ that I described in my previous email. In dbus/dbus-sysdeps-unix.c there is a function which calls "getsockopt (client_fd, SOL_SOCKET, SO_PEERSEC, ...)" in order to get this "system_u:system_r:systemd_machined_t:s0" (add_linux_security_label_to_credentials, https://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c?h=dbus-1.10#n1760). This function queries the same kernel API as libselinux's getpeercon_raw(), but without using libselinux (which is normal as it can also return Smack or AppArmor labels). This is why the context is not translated.
The documentation of GetConnectionCredentials->LinuxSecurityLabel is way better than the one of GetConnectionSELinuxSecurityContext in the D-Bus specification (https://cgit.freedesktop.org/dbus/dbus/tree/doc/dbus-specification.xml?h=dbus-1.10#n6030), so if I were to decide, I would rather migrate systemd's bus_get_name_creds_dbus1() to GetConnectionCredentials (in https://github.com/systemd/systemd/blob/v232/src/libsystemd/sd-bus/bus-control.c#L865). However, this implies some non-trivial systemd code modifications and I do not know how willing systemd developers are to modify this part of their code.
Another option consists in making D-Bus use getpeercon_raw() in GetConnectionSELinuxSecurityContext (and documenting this in the D-Bus spec). I do not know what subtle side-effects such a change would have on a system (a quick search of users of this interface on searchcode.com gave some Android-related projects).
Cheers,
Nicolas
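The following C program is an added example for this thread; it is not code from D-Bus, systemd or either poster. It queries the peer label of an AF_UNIX socket with getsockopt(SOL_SOCKET, SO_PEERSEC), the same kernel API the message above says dbus-sysdeps-unix.c uses (so the label comes back raw, untouched by mcstrans), handling the ERANGE retry and the ENOPROTOOPT case (no LSM supplying peer labels). It also adds two small checks a practitioner may want: whether a context's MLS field is in raw form ("s0") or in the translated form ("SystemLow") that the AVC does not accept, and how to strip the trailing NUL that GetConnectionCredentials includes in its LinuxSecurityLabel byte array. The function names and the socketpair setup are this example's own assumptions; the two context strings are taken from the outputs quoted in the thread.

```c
/* Added example (not D-Bus or systemd code): fetch a peer's LSM label the
 * raw way and sanity-check SELinux context strings. Linux-only. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read the peer label of a connected AF_UNIX socket via SO_PEERSEC.
 * Returns a malloc'ed NUL-terminated string, or NULL with *err set.
 * ENOPROTOOPT means no LSM provides peer labels (e.g. SELinux disabled).
 * On ERANGE the kernel reports the needed size in optlen, so retry bigger. */
static char *peer_security_label(int fd, int *err)
{
    socklen_t len = 64;
    char *buf = NULL;
    for (;;) {
        char *nbuf = realloc(buf, len + 1);
        if (!nbuf) { free(buf); *err = ENOMEM; return NULL; }
        buf = nbuf;
        socklen_t got = len;
        if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &got) == 0) {
            buf[got] = '\0';          /* the kernel usually includes a NUL; be safe */
            *err = 0;
            return buf;
        }
        if (errno != ERANGE) { *err = errno; free(buf); return NULL; }
        len = got > len ? got : len * 2;
    }
}

/* The kernel AVC only understands raw contexts, whose MLS field looks like
 * "s0" or "s0-s0:c0.c1023"; mcstrans forms such as "SystemLow" are for
 * humans. Returns 1 if the 4th colon-separated field looks raw, 0 if it
 * looks translated, -1 if the string has fewer than 4 fields. */
static int mls_field_is_raw(const char *ctx)
{
    const char *p = ctx;
    for (int i = 0; i < 3; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    return (p[0] == 's' && isdigit((unsigned char)p[1])) ? 1 : 0;
}

/* LinuxSecurityLabel from GetConnectionCredentials is a byte array that
 * carries the trailing NUL (dbus-send prints it as "+ \0"); return the
 * label length without any trailing NUL bytes. */
static size_t label_strlen(const unsigned char *bytes, size_t n)
{
    while (n > 0 && bytes[n - 1] == '\0') n--;
    return n;
}

/* Demo: create a socketpair and query one end for its peer's label.
 * Returns 0 when a label was obtained, 1 when the kernel does not provide
 * one (reason printed), -1 if the socketpair itself could not be created. */
int peer_label_demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int err = 0;
    char *label = peer_security_label(sv[0], &err);
    close(sv[0]);
    close(sv[1]);
    if (label) {
        printf("SO_PEERSEC label: %s (raw MLS field: %s)\n", label,
               mls_field_is_raw(label) == 1 ? "yes" : "no");
        free(label);
        return 0;
    }
    printf("no peer label from kernel: %s\n", strerror(err));
    return 1;
}

int main(void)
{
    /* The two labels quoted in the thread: one raw, one mcstrans-translated. */
    const char *raw = "system_u:system_r:systemd_machined_t:s0";
    const char *translated = "system_u:system_r:systemd_machined_t:SystemLow";
    printf("%s -> raw MLS field: %d\n", raw, mls_field_is_raw(raw));
    printf("%s -> raw MLS field: %d\n", translated, mls_field_is_raw(translated));
    return peer_label_demo() == -1 ? 1 : 0;
}
```

On an SELinux-enabled host the demo prints the calling process's own context (both ends of the socketpair belong to it), with the MLS field reported as raw; on a host without a peer-labelling LSM it reports ENOPROTOOPT, which is exactly the distinction D-Bus has to cope with since it does not go through libselinux.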
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx