Hi,

Currently the dbus-daemon is not returning anything when asked about its
own security context (using GetConnectionSELinuxSecurityContext or
GetConnectionCredentials methods). This causes some issues[0] with
systemd now that it's enforcing the policy for user sessions again.

I already made a patch that has been merged[1][2] upstream in the
GetConnectionSELinuxSecurityContext case and it now returns the SELinux
context of the dbus-daemon process itself.

For the GetConnectionCredentials case, upstream wanted a generic way of
getting the security label and went the way of using SO_PEERSEC on a
socket connected to itself.

But for some reason it's always returning unlabeled_t. Note that the
same value is returned by the getpeercon() function as well.

I've made a small test case (see attached file) and tested it on both
Debian and RHEL7.

Is this somehow expected? Is this a bug?

Cheers,

Laurent Bigonville

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864221
[1] https://bugs.freedesktop.org/show_bug.cgi?id=101315
[2] https://phabricator.freedesktop.org/rDBUSdcf02f80656d

#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>
#include <selinux/selinux.h>

int main(void) {
    int socks[2];
    char buf[1024] = "";
    socklen_t len = sizeof(buf);    /* getsockopt() expects a socklen_t * */
    char *context = NULL;

    /* Context of the calling process, for comparison */
    if (getcon_raw(&context) < 0)
        perror("getcon_raw");
    else
        printf("getcon: %s\n", context);
    freecon(context);
    context = NULL;                 /* avoid reusing a freed pointer below */

    /* A socket pair whose two ends both belong to this process */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks) < 0) {
        perror("socketpair");
        return 1;
    }

    /* Peer label of each end, read directly with SO_PEERSEC */
    if (getsockopt(socks[0], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        perror("getsockopt 1");
    printf("socket 1: %s\n", buf);

    len = sizeof(buf);
    if (getsockopt(socks[1], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        perror("getsockopt 2");
    printf("socket 2: %s\n", buf);

    /* Same query through libselinux */
    if (getpeercon_raw(socks[0], &context) < 0)
        perror("getpeercon_raw 1");
    else
        printf("getpeercon 1: %s\n", context);
    freecon(context);
    context = NULL;

    if (getpeercon_raw(socks[1], &context) < 0)
        perror("getpeercon_raw 2");
    else
        printf("getpeercon 2: %s\n", context);
    freecon(context);

    close(socks[0]);
    close(socks[1]);
    return 0;
}